
received unknown mandatory AV: shell:Admin=Admin default-domain

Robert Saurer
Level 1

Hi,

In order to use TACACS+ login on our new ACE service modules, we changed our ACS group settings for admins:

before:

Shell (exec) - checked

Privilege level - checked: 15

afterwards:

Shell (exec) - checked

Privilege level - checked: 15

Custom attributes - checked:

shell:Admin=Admin default-domain

As soon as this is done, TACACS+ authentication on the ACE modules works fine, but we are not able to log into any other IOS box anymore.

Reason:

AAA/AUTHOR/EXEC: tty2 (2574833980) user='myaccount'
tty2 AAA/AUTHOR/EXEC (2574833980): send AV service=shell
tty2 AAA/AUTHOR/EXEC (2574833980): send AV cmd*
tty2 AAA/AUTHOR/EXEC (2574833980): found list "default"
tty2 AAA/AUTHOR/EXEC (2574833980): Method=tacacs+ (tacacs+)
AAA/AUTHOR/TAC+: (2574833980): user=myaccount
AAA/AUTHOR/TAC+: (2574833980): send AV service=shell
AAA/AUTHOR/TAC+: (2574833980): send AV cmd*
AAA/AUTHOR (2574833980): Post authorization status = PASS_ADD
AAA/AUTHOR/EXEC: Processing AV service=shell
AAA/AUTHOR/EXEC: Processing AV cmd*
AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
AAA/AUTHOR/EXEC: Processing AV shell:Admin=Admin default-domain
AAA/AUTHOR/EXEC: received unknown mandatory AV: shell:Admin=Admin default-domain
AAA/AUTHOR/EXEC: Authorization FAILED

Is there a way I can log into a normal IOS box and an ACE module with one single TACACS+ account?

Regards,

Robert


Robert Saurer
Level 1

I think I solved it:

ACS Server:

-->edit user or group

-->goto section 'Checking this option will PERMIT all UNKNOWN Services'

-->check the 'Default (Undefined) Services' checkbox

It's even documented in the ACE security configuration guide.
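The debug line "received unknown mandatory AV" in the first post comes from a rule in the TACACS+ protocol itself rather than from ACS: an attribute-value pair written as attr=value is mandatory, one written as attr*value is optional, and a client that receives a mandatory attribute it does not understand must fail the authorization, while an unknown optional attribute is ignored. The example below is added here and is not code from the thread, from Cisco or from ACS. It models that client-side decision over a reply constructed to match the debug output, and also runs the same reply through the protocol's optional form (attr*value), which the thread does not try. The sets of attributes that IOS and the ACE module "understand" are assumptions for illustration, not authoritative lists.

```python
"""Model of how a TACACS+ client handles the attribute-value (AV) pairs
in an authorization PASS_ADD reply.

Protocol rule: 'attr=value' is mandatory, 'attr*value' is optional.
An unknown mandatory attribute fails the authorization; an unknown
optional attribute is ignored.  This is the behaviour behind the IOS
debug line 'received unknown mandatory AV: ...' in the thread.
"""
import re
from dataclasses import dataclass

# Assumed illustrative subset of EXEC (service=shell) attributes an
# IOS-style client understands.  Not an authoritative IOS list.
IOS_SHELL_ATTRS = frozenset(
    {"priv-lvl", "autocmd", "idletime", "timeout", "acl", "noescape", "nohangup"}
)

# Hypothetical: an ACE module additionally understands the role/domain
# attribute the thread adds on the ACS side.
ACE_SHELL_ATTRS = IOS_SHELL_ATTRS | {"shell:Admin"}

# Attribute names may not contain the separators; the first '=' or '*'
# decides mandatory vs optional, everything after it is the value.
_AV_RE = re.compile(r"^([^=*]+)([=*])(.*)$", re.DOTALL)


@dataclass(frozen=True)
class AVPair:
    attr: str
    value: str
    mandatory: bool

    @classmethod
    def parse(cls, raw: str) -> "AVPair":
        m = _AV_RE.match(raw)
        if not m:
            raise ValueError(f"malformed AV pair: {raw!r}")
        attr, sep, value = m.groups()
        return cls(attr, value, mandatory=(sep == "="))

    def as_optional(self) -> "AVPair":
        """Same attribute, re-encoded with the optional '*' separator."""
        return AVPair(self.attr, self.value, mandatory=False)

    def __str__(self) -> str:
        return f"{self.attr}{'=' if self.mandatory else '*'}{self.value}"


def authorize_exec(server_avs, known_attrs):
    """Apply the AV pairs of a PASS_ADD reply the way a client does.

    Returns ('PASS', {attr: value}) with the attributes actually applied,
    or ('FAILED', reason) on the first unknown mandatory attribute.
    """
    applied = {}
    for raw in server_avs:
        av = AVPair.parse(raw)
        if av.attr in known_attrs:
            applied[av.attr] = av.value
        elif av.mandatory:
            return ("FAILED", f"received unknown mandatory AV: {raw}")
        # Unknown optional attribute: silently ignored per the protocol.
    return ("PASS", applied)


def make_optional(server_avs, attrs):
    """Re-encode the named attributes as optional ('*'), leave the rest."""
    out = []
    for raw in server_avs:
        av = AVPair.parse(raw)
        out.append(str(av.as_optional() if av.attr in attrs else av))
    return out


# Constructed reply mirroring the debug output in the thread.
ACS_REPLY = ["priv-lvl=15", "shell:Admin=Admin default-domain"]


def demo():
    """Three views of the same reply: IOS, ACE, and IOS with the custom
    attribute sent in optional form."""
    return {
        "ios_mandatory": authorize_exec(ACS_REPLY, IOS_SHELL_ATTRS),
        "ace_mandatory": authorize_exec(ACS_REPLY, ACE_SHELL_ATTRS),
        "ios_optional": authorize_exec(
            make_optional(ACS_REPLY, {"shell:Admin"}), IOS_SHELL_ATTRS
        ),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it reproduces the thread: with the attribute mandatory, the IOS view fails with exactly the debug message while the ACE view passes; re-encoded as shell:Admin*Admin default-domain, the IOS view passes and applies only priv-lvl=15. Whether a given ACS release accepts the '*' form in its custom-attributes field is not something the thread states, so treat that path as the protocol's answer rather than a verified ACS procedure.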