Managing Cisco ACE (Application Control Engine) modules with TACACS+

16 10 2008
This snippet is tested against "recent" Shrubbery tac_plus daemons as of the date of the post. Searching for ACE and TACACS or similar gets confusing because of the RSA ACE server. Good job, Cisco. Cisco Application Control Engine modules are really separate devices from the "mother" switch, only suckling power and connectivity from it. These devices need their own authentication configuration. It's pretty easy to turn on TACACS+ authentication and accounting (no authorization, again. Why do vendors insist on only doing one or two of the As and not all three?). ACE modules need a specific optional av-pair in the "exec" service in TACACS+ to authenticate. You can put this in a group or user stanza:
service = exec {
    optional shell:Admin = "Admin default-domain"
}
The format is: shell:<Context> = "<Role> <domain>". I'm not all that into ACE modules yet, so I'll assume that the reader knows what each of those should be set to in their environment. For us, we simply want the equivalent of priv-lvl = 15, and that's what we get above. Note that without that av-pair, the defaults come through as Admin context, default-domain and "Network-Monitoring" role. Also note that omitting the "optional" keyword will render you unable to log in to any IOS devices that use your TACACS+ server for authorization.
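As an added example (not from the post and not part of tac_plus), here is a small Python lint that reads a tac_plus stanza, pulls out the shell:<Context> av-pair, reports the context/role/domain the ACE would end up with (falling back to the defaults named above when no pair matches), and flags a pair that lacks the optional keyword, since that breaks IOS authorization. The stanza text, function names and the "grants role Admin" warning are my own construction.

```python
import re

# Constructed tac_plus stanzas for the lint (not the post's production config).
GOOD_STANZA = '''group = ace-admins {
    service = exec {
        optional shell:Admin = "Admin default-domain"
    }
}'''
BAD_STANZA = '''group = ace-admins {
    service = exec {
        shell:Admin = "Admin default-domain"
    }
}'''

# Defaults the ACE applies when no shell:<Context> av-pair comes back (per the post).
DEFAULT_CONTEXT, DEFAULT_ROLE, DEFAULT_DOMAIN = "Admin", "Network-Monitoring", "default-domain"

# Matches one line of the form:  [optional] shell:<Context> = "<Role> <domain>"
AVPAIR = re.compile(r'^\s*(optional\s+)?shell:(\S+)\s*=\s*"(\S+)\s+(\S+)"\s*$', re.M)


def ace_avpairs(stanza):
    """Return [(context, role, domain, is_optional), ...] for every ACE av-pair found."""
    return [(ctx, role, domain, bool(opt))
            for opt, ctx, role, domain in AVPAIR.findall(stanza)]


def effective_access(stanza, context="Admin"):
    """(context, role, domain) the ACE grants for a login into `context`; assumed:
    no matching av-pair means the ACE falls back to its built-in defaults."""
    for ctx, role, domain, _ in ace_avpairs(stanza):
        if ctx == context:
            return (ctx, role, domain)
    return (DEFAULT_CONTEXT, DEFAULT_ROLE, DEFAULT_DOMAIN)


def lint(stanza):
    """Warnings for av-pairs that would break IOS logins or hand out Admin quietly."""
    warnings = []
    for ctx, role, domain, is_optional in ace_avpairs(stanza):
        if not is_optional:
            warnings.append(f"shell:{ctx} is mandatory; IOS devices will fail authorization")
        if role == "Admin":
            warnings.append(f"shell:{ctx} grants role Admin in {domain}; review group membership")
    return warnings


if __name__ == "__main__":
    for name, stanza in (("good", GOOD_STANZA), ("bad", BAD_STANZA)):
        print(name, effective_access(stanza), lint(stanza))
```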

2 responses to “Managing Cisco ACE (Application Control Engine) modules with TACACS+”

10 03 2011
Toem (11:53:42) :

Thanks, this helps.

I set up TACACS+ authentication on an ACE running system: Version A2(3.3) [build 3.0(0)A2(3.3)]. Yeah, and based on the role model it works fine for me; I only use Admin and Network-Monitor, so there is your level 15 and 1.

Besides authentication it does authorization as well:
– snippet from the tacacs server in debug mode –
authorization query for 'superu'
– eos from the tacacs server in debug mode –

Another very important piece of information is the different authentication style: the ACE uses PAP-Login instead of Login.

– Configlet for a superuser –
user = superu {
    pap = cleartext "superu78"
    login = cleartext "superu78"
    member = ace-user
}
– EOC for a superuser –

Thanks. Slainte Toem

10 03 2011
jpayne (12:00:01) :

Thanks for the feedback. I had not spotted the PAP login because we have PAP enabled (duplicating the login) on all our admin accounts for a number of other device types.
