Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)

So I am trying to get TACACS+ auth to work for my ACE.

The command string that I have on the ACE is as follows:

tacacs-server host 172.16.101.4 key 7 XXXYYYZZZ timeout 15
aaa group server tacacs+ tacacs+
  server 172.16.101.4
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa accounting default group tacacs+ local

But to finish getting this enabled I need to create some sort of shell (exec) string in the ACS that tells the ACE what permission level to allocate.

I do not know how to do this on the ACS 5.1.0.44.

Anyone know?

TAC made a good suggestion but the command path doesn't seem to line up with my version of ACS.

Thanks for your reply. About this question:

shell:<Context>*<Role> <Domain>

What I meant is that you need to check the following couple of things on your ACS server in order to have AAA TACACS users log in to the ACE over the context with superuser rights.

Group setup -> users -> TACACS+ Settings -> enable Shell (exec) -> enable Custom attributes -> right below this part you need to use the following syntax to link the ACE context that this user has access to.

For example:

shell:<Context>*<Role> <Domain>

shell:Admin*Admin default-domain

Where this user will have access to the Admin context with the role admin using the 'default-domain'.

Tarik Admani

Wilfred,

What you will have to do on your version of ACS is modify the shell profile that your admins are hitting for other IOS devices, or you can create another shell profile under Policy Elements -> Device Administration ->

Once you get into this shell profile, select the Custom Attributes tab and put in the following fields close to the bottom of the screen. From the example you provided, type shell:Admin for the attribute field and then default-domain for the value field, and make sure you select this requirement as optional. If you select mandatory and other IOS devices use this same shell profile, you will force this av pair to these devices also, which will impact the priv levels that they need for authentication.

After you add this attribute, save your changes and then test. Also make sure that your Access Policy is calling this shell profile under the authorization profile for default device admin.

Thanks,

Tarik Admani

Tarik,

I went to Policy Elements->Authorization and Permissions->Device Administration->Shell Profiles.

In the Admin Shell Profile in the Custom Attributes tab I added the following:

Attribute: shell:Admin
Requirement: optional
Value: default-domain

I am not following you on this part:

After you add this attribute, save your changes and then test. Also make sure that your Access Policy is calling this shell profile under the authorization profile for default device admin.

My user id is in the AllGroups:Admin identity group.

I am sorry if I seem a little lost. The ACS is new to our organization.

Thanks!!!!!

Wilfred T Smith

No worries, here is what I was referring to in this statement:

You will select Access Policies -> Default Device Admin -> Authorization:

Then you will either create or modify an access rule that calls the shell profile that you just created, so when the user authenticates ACS returns this av-pair based upon the rule they match.

And if you don't see this option, then you can click on Customize in the bottom right and then, under Customize Results, drag over Shell Profiles from the left container.

Let me know if you need anything else.

Thanks,

Tarik Admani

Nevin Absher assisted me with one last aspect that I didn't understand. The ACS needs to pass a role as well so my shell attribute looks like this:

shell:Admin Optional Admin default-domain

Thank you for your help on this issue!
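As an added example (not from this thread, Cisco ACS or ACE), here is a small Python check that renders ACS custom attributes as TACACS+ av-pairs and validates the shell:<Context>*<Role> <Domain> form the thread settled on, flagging the role-less value from earlier in the thread and the mandatory setting that Tarik warned would reach other devices sharing the profile. It assumes the TACACS+ protocol convention that attr=value is a mandatory pair and attr*value an optional one, which is how the ACS Optional/Mandatory choice appears on the wire.

```python
import re

# Assumption: in TACACS+ an av-pair written attr=value is mandatory and
# attr*value is optional, so the "*" in shell:<Context>*<Role> <Domain>
# is the optional separator that ACS emits for an Optional custom attribute.
PAIR_RE = re.compile(r"^(?P<attr>[^=*]+)(?P<sep>[=*])(?P<value>.*)$")


def build_av_pair(attribute: str, requirement: str, value: str) -> str:
    """Render one ACS custom attribute row as it is sent to the device.

    requirement is "optional" or "mandatory", as chosen in the shell profile.
    """
    sep = {"optional": "*", "mandatory": "="}[requirement.lower()]
    return f"{attribute}{sep}{value}"


def parse_ace_shell_pair(av_pair: str) -> dict:
    """Split a shell av-pair into context, role, domain and the optional flag.

    Raises ValueError when the pair cannot hand the ACE all three parts.
    """
    m = PAIR_RE.match(av_pair)
    if not m or not m.group("attr").startswith("shell:"):
        raise ValueError(f"not a shell av-pair: {av_pair!r}")
    context = m.group("attr")[len("shell:"):]
    if not context:
        raise ValueError("context missing after 'shell:'")
    parts = m.group("value").split()
    if len(parts) != 2:
        # e.g. value "default-domain" alone: the role the ACE needs is absent
        raise ValueError(f"value must be '<Role> <Domain>', got {m.group('value')!r}")
    role, domain = parts
    return {"context": context, "role": role, "domain": domain,
            "optional": m.group("sep") == "*"}


def audit_shell_profile(rows):
    """Check (attribute, requirement, value) rows and return a list of findings."""
    findings = []
    for attribute, requirement, value in rows:
        pair = build_av_pair(attribute, requirement, value)
        try:
            parsed = parse_ace_shell_pair(pair)
        except ValueError as exc:
            findings.append(f"{pair}: {exc}")
            continue
        if not parsed["optional"]:
            findings.append(f"{pair}: mandatory pair is also pushed to non-ACE "
                            "devices that share this shell profile")
    return findings
```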
