MRV LX-4000 with ACS 5.2

baljinder29
Level 1

I have trouble landing in privilege mode of the MRV LX-4048 using TACACS. It gets authenticated fine but authorization does not work. The shell profile I am using is priv-lvl =15 and the command set is allow all. When I try enable it says "Insufficient rights".

The MRV is a switch for out-of-band connections via POTS (terminal server).

$ ssh InReach@172.21.239.222

Welcome to the MRV Communications' LX Series Server

InReach@172.21.239.222's password:

InReach:0 >en

Insufficient rights

Does anyone have a clue about attributes I can use in the shell profile so I can land in privilege mode directly or after using enable?

baljinder29
Level 1

FROM THE MRV MANUAL, BUT I DO NOT KNOW HOW TO PUT THESE IN THE ACS SERVER

TACACS+ Authorization Attributes

Table C.1 lists the TACACS+ Authorization Attributes that are supported on the LX unit.

Table C.1 Supported TACACS+ Authorization Attributes

Attribute       Description
01 Auto-cmd     Sends an auto-command.
02 Priv-level   Set this value to 15 to enable rights.

Auto Command

The only valid command is “menu ”. The filename must already exist as a valid LX menu on the LX in the /config directory. If the menu does not exist, you are logged off after you are authenticated. If the menu does exist, you are prompted with the menu and will not be able to access the CLI. This attribute only applies if you are accessing the CLI (either remotely or locally).

Example

Enter the following in the TACACS+ configuration file on the TACACS+ server if to be presented with a menu:

user bob {
    login = cleartext bob
    service = exec {
        autocmd = "menu demo_menu"}
}

where

user bob is the username
cleartext bob is the password
exec is the login mode
menu demo_menu is the menu file

Privilege Level

You must configure an authorization server address to access this privilege level. Refer to “Installing and Configuring a TACACS+ Server on a Network-Based Host” on page 2-29 for further information.

You must set this value to the Superuser level. The level must be set to 15.

Example

Enter the following in the TACACS+ configuration file on the TACACS+ server if enable rights:

user InReach {
    login = cleartext access
    service = exec {
        priv-lvl = 15}
}

where

user InReach is the username
cleartext access is the password
exec is the login mode
priv-lvl is the authorized level

Hi,

In the TACACS shell profile in ACS you don't have to send out the priv level; just set the default and maximum level to 15 and see if that fixes your issue. It looks like you can treat this as your IOS devices.

thanks,

Tarik Admani
*Please rate helpful posts*

I tried that, but that still lands me in exec mode, not privilege mode.

Any clues on the MRV LX-4048T to set users in ACS 5.2 with privilege level access?

Can you post a screenshot of the shell profile that ACS is mapping to the user?

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi,

Can you set the default priv level to 15 and give that a shot?

Is there any configuration or reference guide on how to run the TACACS commands for exec auth?

thanks,

Tarik Admani
*Please rate helpful posts*

No luck, still the same situation after changing the default priv level to 15.

$ ssh ts1lu.nl

Welcome to the MRV Communications' LX Series Server

bsingh@ts1lu.nl's password:

InReach:0 >en

Insufficient rights

InReach:0 >

I have a link to MRV's complete manual, including the TACACS+ configuration manual.

http://service.mrv.com/support/tech_docs/36/974

Hi,

Can you post a screenshot of the authentication report? Also try to create another shell profile and try changing the attributes around to the following:

  • priv_lvl Mandatory 15
  • priv_lvl Optional 15
  • priv-lvl Mandatory 15
  • priv-lvl Optional 15

You can do this in the custom attributes settings but do not touch the priv levels in the middle tab, rely only on these and test.

Thanks,

Tarik Admani
*Please rate helpful posts*

Here is the report, but I tried all the above options and none of them work. Most of the time it shows pass in the report, but I land in exec mode only.

InReach:0 >en

Insufficient rights

InReach:0 >


AAA Protocol > TACACS+ Authentication Details

Date: August 31, 2012
Generated on August 31, 2012 2:49:25 PM MDT

Authentication Details

Status: Passed
Failure Reason:
Logged At: Aug 31, 2012 2:48 PM
ACS Time: Aug 31, 2012 2:48 PM
ACS Instance: is1
Authentication Method: PAP_ASCII
Authentication Type: ASCII
Privilege Level: 0

User

Username: bsingh
Remote Address: 10.63.119.51

Network Device

Network Device: ts1lu.lu.noc.ver.ca
Network Device IP Address: 172.21.239.222
Network Device Groups: Device Type:All Device Types, Location:All Locations:Terminal Servers

Access Policy

Access Service: Default Device Admin
Identity Store: KSP_LDAP
Selected Shell Profile: SP-MRV-Admin
Active Directory Domain:
Identity Group:
Access Service Selection Matched Rule: Rule-2
Identity Policy Matched Rule: Default
Selected Identity Stores: Internal Users, KSP_LDAP
Query Identity Stores:
Selected Query Identity Stores: Internal Users
Group Mapping Policy Matched Rule:
Authorization Policy Matched Rule: AUTH-TS-Admin
Authorization Exception Policy Matched Rule:

Other

Under the command tasks make sure they are all disabled and try the different attribute types and see if that fixes anything. I read through the guide and it looks pretty straightforward. Are there any debugs you can run in order to see why the MRV is rejecting the TACACS response?

Thanks,

Tarik Admani
*Please rate helpful posts*

hkhrais
Level 1

Hi,

Have you enabled authorization on the device? For example:

AAA Authorization exec default ...

AAA Authorization commands 0 default ..

AAA Authorization commands 1 default ...

AAA Authorization commands 15 default ...

http://www.cisco.com/en/US/docs/ios/12_0/security/command/reference/srauth.html#wp1017390

Make sure to set the default privilege to 15.

If yes, please post the TACACS authorization report.
