07-12-2007 01:44 PM - edited 03-10-2019 03:16 PM
Hi there,
I have configured my ACS with a custom attribute: shell:Admin=Admin. AAA with the ACE works fine... But now I can't log in to my switches :-( I got the message authorization failed. Here is the AAA debug from the switch:
Jul 12 13:41:38.433 UTC: AAA: parse name=tty2 idb type=-1 tty=-1
Jul 12 13:41:38.441 UTC: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Jul 12 13:41:38.441 UTC: AAA/MEMORY: create_user (0x16E1F28) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='*******' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): Port='tty2' list='' service=EXEC
Jul 12 13:41:44.590 UTC: AAA/AUTHOR/EXEC: tty2 (945064986) user='*******'
Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): send AV service=shell
Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): send AV cmd*
Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): found list "default"
Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): Method=tacacs+ (tacacs+)
Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): user=*******
Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): send AV service=shell
Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): send AV cmd*
Jul 12 13:41:44.799 UTC: AAA/AUTHOR (945064986): Post authorization status = PASS_ADD
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV service=shell
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV cmd*
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV shell:Admin=Admin
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: received unknown mandatory AV: shell:Admin=Admin
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Authorization FAILED
Jul 12 13:41:46.804 UTC: AAA/MEMORY: free_user (0x16E1F28) user='*******' ruser='NULL' port='tty2' rem_addr='*******' authen_type=AS
Any idea what's wrong?
Best regards Dirk
07-12-2007 03:30 PM
Hi Dirk,
Is there any specific reason/requirement that you have to configure the attribute shell:Admin=Admin?
Apart from that, the device is rejecting it, as it is not able to understand it, and on top of that we have made it a mandatory attribute.
Try this,
shell:Admin*Admin
* -> Optional Attribute
Regards,
Prem
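The behaviour in the debug output and the fix in the reply above, modelled as an added example (not code from the thread participants or from the device): a TACACS+ client fails authorization on an unknown mandatory (`=`) AV pair but ignores an unknown optional (`*`) one. The `KNOWN` attribute set and the function names are assumptions made for illustration.

```python
import re

# '=' marks a mandatory AV pair, '*' an optional one.
AV_RE = re.compile(r"^(?P<name>[^=*]+)(?P<sep>[=*])(?P<value>.*)$")

# Assumption: attributes this hypothetical client understands.
KNOWN = {"service", "cmd", "priv-lvl"}

# Lines copied from the debug output in the question.
DEBUG = [
    "AAA/AUTHOR/EXEC: Processing AV priv-lvl=15",
    "AAA/AUTHOR/EXEC: Processing AV shell:Admin=Admin",
    "AAA/AUTHOR/EXEC: received unknown mandatory AV: shell:Admin=Admin",
    "AAA/AUTHOR/EXEC: Authorization FAILED",
]

def parse_av(av):
    """Split an AV pair into (name, is_mandatory, value)."""
    m = AV_RE.match(av)
    if not m:
        raise ValueError(f"not an AV pair: {av!r}")
    return m["name"], m["sep"] == "=", m["value"]

def authorize(avs, known=KNOWN):
    """Return (status, applied, ignored) for the AVs a server sent back."""
    applied, ignored = [], []
    for av in avs:
        name, mandatory, _ = parse_av(av)
        if name in known:
            applied.append(av)
        elif mandatory:
            # Unknown and mandatory: the whole authorization fails.
            return "FAILED", applied, [av]
        else:
            # Unknown but optional: skipped, the session continues.
            ignored.append(av)
    return "PASS", applied, ignored

def rejected_avs(debug_lines):
    """Pull the AVs the device reported as unknown mandatory."""
    pat = re.compile(r"received unknown mandatory AV: (\S+)")
    return [m.group(1) for line in debug_lines if (m := pat.search(line))]

def as_optional(av):
    """Rewrite an AV pair with the optional separator."""
    name, _, value = parse_av(av)
    return f"{name}*{value}"
```

Running `rejected_avs` over saved AAA debug output lists the attributes to change on the server side; `as_optional` gives the form to configure instead.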
07-12-2007 11:33 PM
Hi Prem,
Thanks a lot. It's working now...
FYI, I need this attribute for role mapping USER<>ROLE in the ACE.
Can you give me a link where I can find the information you gave me?
Best regards
Dirk
07-12-2007 03:40 PM
Never mind....
Try, shell:Admin*Admin
Regards,
Prem