cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
959
Views
15
Helpful
8
Replies

ACS 5.2 and Cisco ACE RBAC not working...

cjkozloski
Beginner
Beginner

Would appreciate some help here if it can be provided.

I am trying to configure TACACS auth for a Cisco ACE via our ACS 5.2 Server. I believe I have everything set up correctly but when I log in with my TACACS account it only gives me network monitor privileges.

This is the ACE Configuration I am using:

tacacs-server host 1.1.1.1 key XXXXXXXX

tacacs-server host 2.2.2.2 key XXXXXXXX

tacacs-server timeout 10

tacacs-server deadtime 30

!

aaa group server tacacs+ ACS

server 1.1.1.1

server 2.2.2.2

exit

!

aaa authentication login default group ACS local

aaa authentication login console group ACS local

aaa accounting default group ACS

!

This is the ACS Configuration:

ACS_ACE_CONFIG.png

When I log into the ACE I can see it authenticating and pulling the correct group from the ACS Log:

Logged At Status Details User Name Device Name Network Device Group Access Service Identity Store Identity Group ACS Server

Apr 30,13 8:57:40.566 AM     xxxckxxx

  AFA-ACE-Internal

  Device Type:All Device Types:Network Load Balance Devices, Location:Cameron Enterprises:Oklahoma:Data Center - 1 Device Access.TACACS

  AD1 All Groups:Administrator - Full HAPP-CSACS

Apr 30,13 8:52:20.256 AM     xxxckxxx

  AFA-ACE-Internal

  Device Type:All Device Types:Network Load Balance Devices, Location:Cameron Enterprises:Oklahoma:Data Center - 1 Device Access.TACACS

  AD1 All Groups:Administrator - Full xxx

Apr 30,13 8:43:43.276 AM     xxxckxxx

  AFA-ACE-Internal

  Device Type:All Device Types:Network Load Balance Devices, Location:Cameron Enterprises:Oklahoma:Data Center - 1 Device Access.TACACS

  AD1 All Groups:Administrator - Full xxx

But when I log into the ACE and do a show users I get:

*xxxckxxx    Dev_VC  pts/2   Apr 30 09:57 (x.x.x.x)  Network-Monitor default-domain

I have been searching for a couple of days to find a fix for this with no luck. Any help would be greatly appreciated.

Thanks.

1 Accepted Solution

Accepted Solutions

Well, it should actually work with both.

Could you please check TACACS logs from ACS and verify in log that correct SHELL PROFILE (Shell Profile-Appliance Admin) are choosen.

This can be checked under:

Monitoring & Reports > Reports > Catalog > AAA Protocol > Tacacs authorization

Do provide output of

Show running-config domain

Would appreciate if you can share the output here.

Jatin Katyal

- Do rate helpful posts -

~Jatin

View solution in original post

8 Replies 8

Jatin Katyal
Cisco Employee
Cisco Employee

On the ACS under customer attributes, try to change the requirement to MANDATORY.

Jatin Katyal


- Do rate helpful posts -

~Jatin

I appreciate the feedback. I originally had it on Mandatory and it was the same result as stated above. It doesn't appear to affect it one way or the other.

Well, it should actually work with both.

Could you please check TACACS logs from ACS and verify in log that correct SHELL PROFILE (Shell Profile-Appliance Admin) are choosen.

This can be checked under:

Monitoring & Reports > Reports > Catalog > AAA Protocol > Tacacs authorization

Do provide output of

Show running-config domain

Would appreciate if you can share the output here.

Jatin Katyal

- Do rate helpful posts -

~Jatin

Here is the TACACS Log:

Apr 30,13 9:57:19.306 AM

xxxckxxx

[ CmdAV= ]

Shell Profile-Appliance Admin

AFA-ACE-Internal

1

Device Access.TACACS

ACE-ADMIN

And here is the output from show run domain for the Dev Context:

AFA-ACE/Dev_VC# sh running-config domain

Generating configuration....

AFA-ACE/Dev_VC#

Tacacs authorization does shows that its pushing down to ACE. Could you please run the following debugs on the ACS and check how exactly the attribute looks like

debug tacacs+ all

debug aaa all

Jatin Katyal


- Do rate helpful posts -

~Jatin

Problem solved!

We determined that we actually had to use

Admin domain default-domain

In ACS in order for it to work properly. Thanks for all of your help!

Glad to know. did you select a different domain on the ACE

Would be great if you mark this thread RESOLVED that way it will be useful for others.

Jatin Katyal


- Do rate helpful posts -

~Jatin

No, I did not select a different domain on the ace.

I had to adjust the shell profile to say Admin domain default-domain instead of Admin default-domain.

That is what fixed it.

Thanks for your help!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: