06-24-2008 12:29 AM - edited 03-05-2019 11:47 PM
Hi there,
We've had 2 Cisco ACE appliances in use for a few weeks.
They should be able to work with TACACS+, but I've found no way to configure the ACE with the TACACS+ login. So logging in is possible, but only in the role "Network-Monitor", so I cannot configure. We need to log in with the role "Admin".
We're using Cisco Secure for TACACS+ login.
Can anyone help?
Thanks, K. Liepold
Accepted Solutions
06-24-2008 04:56 PM
On your TACACS+ server:
1. Select the user.
2. Scroll down to the TACACS+ settings.
3. Check the "shell(exec)" option.
4. Check "custom attributes".
5. In the custom attributes window, add the custom AV-pair info in the following format:
shell:
For example, if you are setting it for the Admin context and the Admin user, then use the following:
shell:Admin*Admin default-domain.
Just to let you know that the "Data Center" area is the right place to ask ACE-related questions.
Thanks,
Syed Iftekhar Ahmed
06-25-2008 05:54 AM
OK. Data Center. It's saved in my brain ;-)
But:
It works!
1,000 thanks... :-)
K. Liepold
07-08-2008 11:30 AM
Many thanks for this tip also - it's better than the manual!
The ACE 4710 security guide says
shell:
But when I tried that on a group in ACS, all my admins were unable to log in to IOS devices any more.
Replacing the = with * as you suggest causes that problem to go away.
If anyone from Cisco is lurking here, please can you get the guide changed? It's very dangerous advice if your admins also administer IOS devices.
07-08-2008 07:37 PM
Just to clarify why it worked with *:
* represents an optional attribute that can be ignored by a device, whereas = means a mandatory attribute. If an attribute is not supported by a device, it will drop the auth request; replacing = with * made the attribute optional for IOS devices (devices that do not understand these AV-pairs sent by ACE).
Copied from the TACACS+ draft:
"The authorization arguments in both the REQUEST and the RESPONSE are attribute-value pairs. The attribute and the value are in a single ascii string and are separated by either a "=" (0X3D) or a "*" (0X2A). The equals sign indicates a mandatory argument. The asterisk indicates an optional one."
Syed Iftekhar Ahmed
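To make the "=" versus "*" rule from the draft concrete, and to show why the accepted answer's `shell:Admin*Admin default-domain` pair works on both ACE and IOS while the guide's "=" form locks admins out of IOS, here is a small Python model of a device evaluating a TACACS+ authorization response. This is example code written for this thread, not Cisco code; the attribute sets each device "understands" and the assumption that ACE reads the text before the separator as `shell:<context>` and the text after it as `<role> <domains>` are constructed for the demo.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class AVPair:
    attribute: str
    value: str
    mandatory: bool  # True for "=", False for "*"


def parse_av_pair(text: str) -> AVPair:
    """Split on the first '=' (0x3D) or '*' (0x2A), as the TACACS+ draft specifies."""
    for i, ch in enumerate(text):
        if ch in "=*":
            return AVPair(text[:i], text[i + 1:], mandatory=(ch == "="))
    raise ValueError(f"no '=' or '*' separator in {text!r}")


def authorize(av_pairs: list[str], understood: set[str]) -> tuple[bool, dict[str, str]]:
    """Model a device applying the server's authorization RESPONSE.

    A mandatory attribute the device does not understand fails the whole
    authorization (the IOS lockout seen in the thread); an optional one is
    silently ignored, which is why '*' fixed it.
    """
    applied: dict[str, str] = {}
    for raw in av_pairs:
        pair = parse_av_pair(raw)
        if pair.attribute in understood:
            applied[pair.attribute] = pair.value
        elif pair.mandatory:
            return False, {}
    return True, applied


# Constructed sample data (assumed for this demo, not taken from Cisco documentation).
IOS_KNOWN = {"priv-lvl"}      # an IOS router does not know what "shell:Admin" means
ACE_KNOWN = {"shell:Admin"}   # ACE reads "shell:<context>" -> "<role> <domains>"

GUIDE_FORMAT = ["shell:Admin=Admin default-domain"]   # '=' as the security guide shows
THREAD_FORMAT = ["shell:Admin*Admin default-domain"]  # '*' as suggested in this thread

if __name__ == "__main__":
    for label, pairs in (("guide '='", GUIDE_FORMAT), ("thread '*'", THREAD_FORMAT)):
        for dev, known in (("IOS", IOS_KNOWN), ("ACE", ACE_KNOWN)):
            ok, applied = authorize(pairs, known)
            print(f"{label:11} -> {dev}: {'PASS' if ok else 'FAIL'} {applied}")
```

Running it shows the guide's "=" pair failing authorization on the IOS model while the "*" pair passes on both, with ACE applying the same role either way.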
