[c-nsp] ACE and AAA ACE Version A2(3.5)

Gustavo Rodrigues Ramos gustavo at nexthop.com.br
Fri Nov 23 08:57:15 EST 2012


Hi Keti,

Don't know which TACACS server you're using. I use tac_plus with the ACE
authentication method. Inside each user or group you should have the user
role and a domain privilege in order to successfully authenticate. Though
you should have something similar in your TACACS server flavor.


    # tac_plus.conf, inside the user or group stanza: the ACE expects the
    # role (and a domain) back in a shell:<context> attribute per context.
    service = shell {
        shell:Admin = Admin
    }
    service = exec {
        # value is "<role> <domain>"; "Admin" is also the name of the Admin context
        optional shell:Admin = "Admin default-domain"
        optional shell:CONTEXTNAME1 = "Admin default-domain"
        optional shell:CONTEXTNAME2 = "Admin default-domain"
        (...)
    }

Replace "CONTEXTNAME1" with your context name. Enjoy.

Gustavo.
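Gustavo's point above is that the TACACS+ server must hand back a shell:<context> attribute, carrying a role and a domain, for every ACE context a user is expected to log in to; a context with no such attribute is where you would look first when TACACS+ works for Admin but not for a user context. The script below is an added example (my code, not from this thread and not part of tac_plus or the ACE) that parses a tac_plus stanza written in the simplified syntax shown in the reply and reports, per context, the role/domain a user would get or that the attribute is missing. The user names, group name, context names and password hashes are constructed for the example, and the parser only understands the constructs shown here (user/group blocks, `member =`, and `shell:<ctx>` AV pairs, with or without `optional`), not the full tac_plus grammar.

```python
"""Report which ACE contexts a tac_plus principal has a shell:<ctx> mapping for.

Added example, not code from the mailing-list thread. The parser covers only
the syntax shown in the reply above (user/group stanzas, member =, and
shell:<context> = "<role> <domain>" AV pairs, optionally prefixed with
`optional`). Names, contexts and hashes below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the style of the posted tac_plus snippet.
SAMPLE_CONFIG = """
group = netops {
    default service = permit
    service = shell {
        shell:Admin = Admin
    }
    service = exec {
        optional shell:Admin = "Admin default-domain"
        optional shell:context1 = "Admin default-domain"
    }
}

user = john {
    member = netops            # inherits the group's AV pairs
    login = des 8tQWcBqVj6eDE  # placeholder hash, not a real credential
}

user = jane {
    login = cleartext changeme
    service = exec {
        # Admin context only; nothing for context1, so that login has no role
        optional shell:Admin = "Network-Monitor default-domain"
    }
}
"""

HEADER_RE = re.compile(r"^(?:user|group)\s*=\s*(?P<name>[^\s{]+)")
MEMBER_RE = re.compile(r"^member\s*=\s*(?P<group>\S+)")
AV_RE = re.compile(
    r'^(?:optional\s+)?shell:(?P<ctx>[^\s=]+)\s*=\s*"?(?P<val>[^"]*?)"?$'
)


@dataclass
class Principal:
    avs: Dict[str, str] = field(default_factory=dict)  # context -> "role domain..."
    member: Optional[str] = None                       # group this user belongs to


def parse_tacplus(text: str) -> Dict[str, Principal]:
    """Collect shell:<ctx> AV pairs per user/group, tracking brace depth."""
    principals: Dict[str, Principal] = {}
    current: Optional[str] = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if depth == 0:
            m = HEADER_RE.match(line)
            if m:
                current = m.group("name")
                principals[current] = Principal()
        elif current is not None:
            m = MEMBER_RE.match(line)
            if m:
                principals[current].member = m.group("group")
            m = AV_RE.match(line)
            if m:
                # later definitions win, so service=exec overrides service=shell
                principals[current].avs[m.group("ctx")] = m.group("val").strip()
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return principals


def effective_avs(principals: Dict[str, Principal], name: Optional[str],
                  _seen: Optional[set] = None) -> Dict[str, str]:
    """Merge group AV pairs into the user's; the user's own entries take precedence."""
    seen = _seen if _seen is not None else set()
    p = principals.get(name) if name else None
    if p is None or name in seen:
        return {}
    seen.add(name)
    merged = effective_avs(principals, p.member, seen)
    merged.update(p.avs)
    return merged


def context_access(principals: Dict[str, Principal], user: str,
                   contexts: List[str]) -> Dict[str, Optional[Tuple[str, List[str]]]]:
    """Per context: (role, domains) taken from shell:<ctx>, or None when absent."""
    avs = effective_avs(principals, user)
    out: Dict[str, Optional[Tuple[str, List[str]]]] = {}
    for ctx in contexts:
        val = avs.get(ctx)
        if not val:
            out[ctx] = None
            continue
        role, *domains = val.split()
        out[ctx] = (role, domains)
    return out


if __name__ == "__main__":
    ACE_CONTEXTS = ["Admin", "context1", "context2"]  # constructed context names
    principals = parse_tacplus(SAMPLE_CONFIG)
    for user in ("john", "jane"):
        for ctx, access in context_access(principals, user, ACE_CONTEXTS).items():
            if access is None:
                print(f"{user:6} {ctx:10} MISSING shell:{ctx} (no role/domain returned)")
            else:
                role, domains = access
                print(f"{user:6} {ctx:10} role={role} domains={' '.join(domains) or '(none)'}")
```

Run it against your own tac_plus.conf by replacing SAMPLE_CONFIG with the file contents and ACE_CONTEXTS with the output of `show context` on the module; any user/context pair reported as MISSING is one where the TACACS+ reply carries no role for that context.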


On Fri, Nov 23, 2012 at 7:43 AM, selamat pagi <ketimun at gmail.com> wrote:

> Hi,
>
> On our ACE module we can log in via SSH and TACACS to the Admin context
> without a problem.
>
> But to a user context only local login works. I get as far as the
> password prompt:
>
> ssh -l john 192.168.70.13
>
> Password:
>
> An attempt to log in via a TACACS account gives this debug output:
>
> debug aaa aaa-requests
>
> ACE-1/context1# 2012 Nov 22 13:15:31.720069 aaa: (ctx:1)aaa_req_process for authentication. session no 0
> 2012 Nov 22 13:15:31.720143 aaa: (ctx:1)try_next_aaa_method
> 2012 Nov 22 13:15:31.720770 aaa: (ctx:1)total methods configured is 2, current index to be tried is 0
> 2012 Nov 22 13:15:31.720817 aaa: (ctx:1)handle_req_using_method
> 2012 Nov 22 13:15:31.720842 aaa: (ctx:1)aaa_sg_method_handler group = ACE_TACACS
> 2012 Nov 22 13:15:31.720868 aaa: (ctx:1)Using sg_protocol which is passed to this function
> 2012 Nov 22 13:15:31.720905 aaa: (ctx:1)Sending request to TACACS service
> 2012 Nov 22 13:15:31.721028 aaa: (ctx:1)Configured method group Succeeded
>
> 2012 Nov 22 13:15:37.595909 aaa: (ctx:1)try_next_aaa_method
> 2012 Nov 22 13:15:37.596411 aaa: (ctx:1)total methods configured is 2, current index to be tried is 1
> 2012 Nov 22 13:15:37.596456 aaa: (ctx:1)handle_req_using_method
> 2012 Nov 22 13:15:37.596489 aaa: (ctx:1)LOCAL Authentication req
> 2012 Nov 22 13:15:37.596513 aaa: (ctx:1)AAA_AUTHEN_TYPE_PAP
> 2012 Nov 22 13:15:37.596543 aaa: (ctx:1)Local database Authentication for user john_1
> 2012 Nov 22 13:15:37.610031 aaa: (ctx:1)aaa_send_client_response for authentication. session->flags=31
> 2012 Nov 22 13:15:37.610249 aaa: (ctx:1)Configured method local Succeeded
>
> Config:
>
> aaa authentication login default group ACE_TACACS local
> aaa accounting default group ACE_TACACS local
> aaa authentication login error-enable
>
> Any advice or troubleshooting hint is highly appreciated
> cheers, keti
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

