This one even puzzled the senior engineers who tried to point me in the right direction, but alas… as usual in the Cisco world, the fix is usually something minor and simple, yet it can cause hours of frustration!
This one had me banging my head on the keyboard for a good chunk of hours. After going back and forth between the senior guys, still nada! So what are we looking at here? We have a Cisco ACE 4710 load balancer, and all this time everyone signed in locally. Why? We have an ACS server, so why not use that? Well, apparently no one could get AAA working with it, and local logins were fine.

The perfectionist in me knew there had to be a way.

After a bunch of Google searches, I found that many people had the same issue. No one really had a direct answer. I did find one document, though, that stood out.

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115926-tacacs-radius-devices-00.html#ace

Scroll down to the ACE section.

I double-checked the whole path: Policies, Access Policies, and even tracked TACACS AAA in Monitoring and Reports. I was able to authenticate fine to the ACE via CLI, but for some reason I could never get to global config mode. The ACE just spit “invalid command” out at me, as if config mode never existed! I was only able to get to user mode.

I took a look at the Policy that was being applied to my account. Everything was set to Priv level 15.

[Image: Capture222]

OK, so what gives? According to the Cisco KB, some more attributes had to be added to this Shell Profile. After some messing around, I found the magic combination!

[Image: Capture111]

One thing that the article didn’t mention was the context name must be EXACT. “Admin” is NOT the same as “admin”. Once I popped that in, AAA started working!

Hope that helps someone out there!

William Zambrano

NYC networkers is run by William Zambrano, a passionate network engineer who has been in the IT industry for eight years who posts up blog articles, YouTube videos, and holds meetup.com events in the NYC area. He lives in Queens, New York and has consulted in various different companies in the NY area. Previously William worked as a Cisco Certified Systems Instructor (CCSI) but now currently works for Arista Networks serving as a Systems Engineer. William can be reached by email at willzambrano@gmail.com
