TACACS+ and Cisco MDS Switches

SAK_Mohan
Level 1

I am trying to configure Cisco ACS 4.0 to authenticate Windows domain users who access Cisco MDS switches, but I can't seem to get it to work. Moreover, the users in the Cisco ACS internal database are also not able to log in to the Cisco switches. The log file says that the keys do not match, but I have specified the same key in both places.

Does anybody have any clues as to what could resolve this issue?
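The "keys do not match" message is worth understanding mechanically. TACACS+ (RFC 8907, section 4.5) does not send the key or a key hash; it XORs the packet body with a pseudo-pad derived by MD5 from the session id, the shared key, the version byte and the sequence number. A server holding a different key (any byte difference, including case or trailing whitespace) therefore recovers pseudo-random bytes, and it can only infer a mismatch because the decoded authentication START no longer has self-consistent field lengths. The following example, added here and not part of the original thread, implements the pad and that sanity check; the keys, session id and user data are constructed sample values.

```python
"""TACACS+ body obfuscation and the length check that exposes a key mismatch.

Added example (not from the thread). Implements the pseudo-pad from
RFC 8907 section 4.5 and a minimal authentication START body (section 5.1).
Keys, session id and user data below are constructed sample values.
"""
import hashlib
import struct


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Pseudo-pad: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}); concatenate, truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = b""
    previous = b""
    while len(pad) < length:
        previous = hashlib.md5(prefix + previous).digest()
        pad += previous
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscation and de-obfuscation are the same XOR with the pad."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"") -> bytes:
    """Authentication START body: 8 fixed bytes followed by the variable fields."""
    fixed = struct.pack(
        "!8B",
        0x01,  # action: TAC_PLUS_AUTHEN_LOGIN
        0x01,  # priv_lvl
        0x01,  # authen_type: TAC_PLUS_AUTHEN_TYPE_ASCII
        0x01,  # authen_service: TAC_PLUS_AUTHEN_SVC_LOGIN
        len(user), len(port), len(rem_addr), len(data),
    )
    return fixed + user + port + rem_addr + data


def start_body_is_consistent(body: bytes) -> bool:
    """Sanity check a server can apply after de-obfuscation. A body XORed with
    the wrong pad is pseudo-random and fails the enum and length constraints."""
    if len(body) < 8:
        return False
    action, _priv, authen_type, service, user_len, port_len, addr_len, data_len = body[:8]
    if action not in (0x01, 0x02, 0x04):  # LOGIN, CHPASS, SENDAUTH
        return False
    if not 1 <= authen_type <= 6 or service > 9:
        return False
    return 8 + user_len + port_len + addr_len + data_len == len(body)


def server_decode(wire_body: bytes, session_id: int, server_key: bytes, version: int, seq_no: int):
    """Return (body, None) on success or (None, reason) when the body is unreadable."""
    plain = xor_body(wire_body, session_id, server_key, version, seq_no)
    if not start_body_is_consistent(plain):
        return None, "START body fails field/length check: probable shared-key mismatch"
    return plain, None


def demo():
    """Encode with one key, decode with the same key and with a key that differs only in case."""
    version, seq_no, session_id = 0xC0, 1, 0x1A2B3C4D  # constructed sample values
    body = build_authen_start(b"admin", b"tty1", b"10.0.0.5")
    wire = xor_body(body, session_id, b"switch-key", version, seq_no)
    ok, _ = server_decode(wire, session_id, b"switch-key", version, seq_no)
    bad, reason = server_decode(wire, session_id, b"Switch-Key", version, seq_no)
    return ok == body, bad is None, reason


if __name__ == "__main__":
    print(demo())
```

The practical consequence for troubleshooting: the server log cannot tell you which side is wrong, only that the pad did not line up, so compare the two key strings byte for byte rather than by eye.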

2 Replies

tblancha
Cisco Employee

Yes, you need a different AV pair. IOS uses enable levels like enable 15 or enable 10, and those have associated commands. The MDS does role-based authentication. So your AV pair should look like this in the shell portion of the user for MDS switches:

cisco-av-pair*shell:roles="network-admin"
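The difference between the two forms in this reply is not cosmetic. In the TACACS+ authorization exchange (RFC 8907, section 6.1) each attribute-value pair is split at its first `=` or `*`: `=` marks the attribute mandatory, `*` marks it optional, and a client that receives a mandatory attribute it does not understand must reject the whole authorization, while an unknown optional attribute is simply ignored. The example below, added here and not code from the thread or from Cisco, parses pairs on that rule, extracts the role list from a `shell:roles` value, and applies the accept/reject logic a role-based client would. The set of attributes the sample client "understands" is an assumption for illustration.

```python
"""TACACS+ authorization AV pairs: mandatory '=' versus optional '*'.

Added example (not from the thread). Separator semantics follow RFC 8907
section 6.1. KNOWN_ATTRIBUTES is an assumed set for the sample client.
"""
import re
from dataclasses import dataclass

# The first '=' or '*' in a pair separates attribute from value.
_SEPARATOR = re.compile(r"[=*]")

# Attributes our sample client understands (assumption, not an MDS specification).
KNOWN_ATTRIBUTES = frozenset({"shell:roles", "priv-lvl"})


@dataclass(frozen=True)
class AVPair:
    attribute: str
    value: str
    mandatory: bool


def parse_av_pair(raw: str) -> AVPair:
    """Split one AV pair; '=' means mandatory, '*' means optional."""
    match = _SEPARATOR.search(raw)
    if match is None:
        raise ValueError(f"no '=' or '*' separator in AV pair: {raw!r}")
    attribute = raw[: match.start()]
    if not attribute:
        raise ValueError(f"empty attribute name in AV pair: {raw!r}")
    return AVPair(attribute, raw[match.end():], mandatory=(match.group() == "="))


def parse_roles(value: str) -> list[str]:
    """shell:roles carries one or more space-separated role names, usually quoted."""
    return value.strip().strip('"').split()


def evaluate_reply(pairs: list[str], known=KNOWN_ATTRIBUTES) -> tuple[bool, list[str]]:
    """Client-side handling of an authorization REPLY's AV pairs.

    Returns (accepted, roles). An unknown mandatory attribute forces
    rejection of the authorization; an unknown optional attribute is skipped.
    """
    roles: list[str] = []
    for raw in pairs:
        pair = parse_av_pair(raw)
        if pair.attribute not in known:
            if pair.mandatory:
                return False, []
            continue
        if pair.attribute == "shell:roles":
            roles.extend(parse_roles(pair.value))
    return True, roles


if __name__ == "__main__":
    print(parse_av_pair('shell:roles*"network-admin"'))
    print(evaluate_reply(['shell:roles*"network-admin vsan-admin"', "priv-lvl=15"]))
```

Running the reply's two forms through `parse_av_pair` shows the only change is the `mandatory` flag; the attribute name and the quoted role value are identical.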

Initially I used

cisco-av-pair=shell:roles="network-admin" ... it did not work. Then I tried the one you specified:

cisco-av-pair*shell:roles="network-admin"

Even this did not work. I spoke with a couple of guys from Cisco and had them take a look at it. They said the config looks fine, but I still can't get it to work.

This is what I specified on the Cisco MDS switch:

--------------------------------------------
config t
tacacs+ enable
tacacs-server host xx.xx.xx.xx key wareagle
aaa group server tacacs+ sanmgmtgrp
server xx.xx.xx.xx
aaa authentication login default group sanmgmtgrp
aaa authentication login console local
aaa accounting default group sanmgmtgrp local
end
--------------------------------------------
