04-30-2013 08:08 AM - edited 03-10-2019 08:22 PM
Would appreciate some help here if it can be provided.
I am trying to configure TACACS auth for a Cisco ACE via our ACS 5.2 Server. I believe I have everything set up correctly but when I log in with my TACACS account it only gives me network monitor privileges.
This is the ACE Configuration I am using:
tacacs-server host 1.1.1.1 key XXXXXXXX
tacacs-server host 2.2.2.2 key XXXXXXXX
tacacs-server timeout 10
tacacs-server deadtime 30
!
aaa group server tacacs+ ACS
server 1.1.1.1
server 2.2.2.2
exit
!
aaa authentication login default group ACS local
aaa authentication login console group ACS local
aaa accounting default group ACS
!
This is the ACS Configuration:
When I log into the ACE I can see it authenticating and pulling the correct group from the ACS Log:
Logged At | Status | Details | User Name | Device Name | Network Device Group | Access Service | Identity Store | Identity Group | ACS Server
Apr 30,13 8:57:40.566 AM | | | xxxckxxx | AFA-ACE-Internal | Device Type:All Device Types:Network Load Balance Devices, Location:Cameron Enterprises:Oklahoma:Data Center - 1 | Device Access.TACACS | AD1 | All Groups:Administrator - Full | HAPP-CSACS
Apr 30,13 8:52:20.256 AM | | | xxxckxxx | AFA-ACE-Internal | Device Type:All Device Types:Network Load Balance Devices, Location:Cameron Enterprises:Oklahoma:Data Center - 1 | Device Access.TACACS | AD1 | All Groups:Administrator - Full | xxx
Apr 30,13 8:43:43.276 AM | | | xxxckxxx | AFA-ACE-Internal | Device Type:All Device Types:Network Load Balance Devices, Location:Cameron Enterprises:Oklahoma:Data Center - 1 | Device Access.TACACS | AD1 | All Groups:Administrator - Full | xxx
But when I log into the ACE and do a show users I get:
*xxxckxxx Dev_VC pts/2 Apr 30 09:57 (x.x.x.x) Network-Monitor default-domain
I have been searching for a couple of days to find a fix for this with no luck. Any help would be greatly appreciated.
Thanks.
04-30-2013 09:47 AM
On the ACS, under custom attributes, try to change the requirement to MANDATORY.
Jatin Katyal
- Do rate helpful posts -
04-30-2013 10:44 AM
I appreciate the feedback. I originally had it on Mandatory and it was the same result as stated above. It doesn't appear to affect it one way or the other.
04-30-2013 11:20 AM
Well, it should actually work with both.
Could you please check the TACACS logs from ACS and verify in the log that the correct SHELL PROFILE (Shell Profile-Appliance Admin) is chosen.
This can be checked under:
Monitoring & Reports > | Reports > | Catalog > | AAA Protocol > Tacacs authorization |
Do provide output of
Show running-config domain
Would appreciate if you can share the output here.
Jatin Katyal
- Do rate helpful posts -
04-30-2013 11:30 AM
Here is the TACACS Log:
Apr 30,13 9:57:19.306 AM | xxxckxxx | [ CmdAV= ] | Shell Profile-Appliance Admin | AFA-ACE-Internal | 1 | Device Access.TACACS | ACE-ADMIN |
And here is the output from show run domain for the Dev Context:
AFA-ACE/Dev_VC# sh running-config domain
Generating configuration....
AFA-ACE/Dev_VC#
04-30-2013 02:28 PM
TACACS authorization does show that it is pushing down to the ACE. Could you please run the following debugs on the ACE and check how exactly the attribute looks:
debug tacacs+ all
debug aaa all
Jatin Katyal
- Do rate helpful posts -
04-30-2013 02:34 PM
Problem solved!
We determined that we actually had to use
Admin domain default-domain
In ACS in order for it to work properly. Thanks for all of your help!
04-30-2013 03:34 PM
Glad to know. Did you select a different domain on the ACE?
Would be great if you mark this thread RESOLVED that way it will be useful for others.
Jatin Katyal
- Do rate helpful posts -
05-02-2013 06:28 AM
No, I did not select a different domain on the ace.
I had to adjust the shell profile to say Admin domain default-domain instead of Admin default-domain.
That is what fixed it.
Thanks for your help!
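The thread above was diagnosed by comparing two artifacts by hand: the ACS TACACS authorization report row (shell profile "Appliance Admin") and the ACE "show users" line (role Network-Monitor). The script below, added here as an example and not part of the original thread or any Cisco tool, automates that comparison: it parses the pipe-delimited ACS authorization rows and the ACE "show users" output, joins them on username, and flags sessions whose ACE role does not match what the ACS shell profile should have produced. The sample log lines are constructed from the formats pasted in the thread (a second user "opsuser" and the "Shell Profile-Network Monitor" name are assumptions), and the shell-profile-to-role mapping in EXPECTED_ROLE is an assumption that would be filled in from the real ACS shell profiles.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample data modelled on the formats pasted in the thread:
# an ACS 5.x "Tacacs authorization" report row and ACE "show users" output.
ACS_AUTHZ_LOG = """\
Apr 30,13 9:57:19.306 AM | xxxckxxx | [ CmdAV= ] | Shell Profile-Appliance Admin | AFA-ACE-Internal | 1 | Device Access.TACACS | ACE-ADMIN |
Apr 30,13 9:58:02.101 AM | opsuser | [ CmdAV= ] | Shell Profile-Network Monitor | AFA-ACE-Internal | 1 | Device Access.TACACS | ACE-RO |
"""

ACE_SHOW_USERS = """\
*xxxckxxx Dev_VC pts/2 Apr 30 09:57 (x.x.x.x) Network-Monitor default-domain
opsuser Dev_VC pts/3 Apr 30 09:58 (x.x.x.x) Network-Monitor default-domain
"""

# Assumed mapping: which ACE role each ACS shell profile is supposed to grant.
EXPECTED_ROLE: Dict[str, str] = {
    "Shell Profile-Appliance Admin": "Admin",
    "Shell Profile-Network Monitor": "Network-Monitor",
}


@dataclass
class AuthzRecord:
    user: str
    shell_profile: str
    device: str


@dataclass
class SessionRecord:
    user: str
    context: str
    role: str
    domain: str


@dataclass
class Mismatch:
    user: str
    shell_profile: str
    expected_role: str
    actual_role: str


def parse_acs_authz(text: str) -> List[AuthzRecord]:
    """Parse pipe-delimited ACS authorization rows; skip rows that are too short."""
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.strip().strip("|").split("|")]
        if len(fields) < 7:
            continue
        records.append(AuthzRecord(user=fields[1], shell_profile=fields[3], device=fields[4]))
    return records


# "*user context tty Mon DD HH:MM (source) role domain"; the leading "*" marks the
# current session and is ignored.
_SHOW_USERS_RE = re.compile(
    r"^\*?(\S+)\s+(\S+)\s+(\S+)\s+\w{3} \d{1,2} \d{2}:\d{2}\s+\(([^)]*)\)\s+(\S+)\s+(\S+)$"
)


def parse_ace_show_users(text: str) -> List[SessionRecord]:
    """Parse ACE 'show users' lines into session records."""
    sessions = []
    for line in text.splitlines():
        m = _SHOW_USERS_RE.match(line.strip())
        if not m:
            continue
        user, context, _tty, _src, role, domain = m.groups()
        sessions.append(SessionRecord(user=user, context=context, role=role, domain=domain))
    return sessions


def find_role_mismatches(acs_text: str, ace_text: str) -> List[Mismatch]:
    """Join ACS authorization rows to live ACE sessions and report role mismatches.

    A mismatch means ACS selected a shell profile but the ACE ended up with a
    different role, which is exactly the symptom the thread describes.
    """
    latest_authz = {rec.user: rec for rec in parse_acs_authz(acs_text)}
    mismatches = []
    for sess in parse_ace_show_users(ace_text):
        rec = latest_authz.get(sess.user)
        if rec is None:
            continue  # no ACS authorization seen for this session
        expected = EXPECTED_ROLE.get(rec.shell_profile)
        if expected is not None and expected != sess.role:
            mismatches.append(Mismatch(sess.user, rec.shell_profile, expected, sess.role))
    return mismatches


if __name__ == "__main__":
    for mm in find_role_mismatches(ACS_AUTHZ_LOG, ACE_SHOW_USERS):
        print(f"{mm.user}: ACS chose '{mm.shell_profile}' (expect {mm.expected_role}) "
              f"but ACE granted {mm.actual_role}")
```

Run against real output, a hit means the shell profile was selected but its custom attribute was not applied by the ACE; that points at the attribute text itself (as in this thread) rather than at authentication or group mapping.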