Defining Private Attributes For Virtualization Support In A Tacacs+ Server - Cisco 4700M Configuration Manual

Chapter 2
Configuring Authentication and Accounting Services

Defining Private Attributes for Virtualization Support in a TACACS+ Server

OL-16202-01

Note: You can create the same username across contexts and associate it with a unique
role in a context and multiple domains. Contexts can share a TACACS+ server,
but the user must be authenticated for each context and must use the same
password.
When a user attempts to log in to the ACE, the TACACS+ client on the ACE sends
the username and password to the remote TACACS+ server for authentication.
The TACACS+ server retrieves a user's profile as part of the authentication
request. Once the user is successfully authenticated, the TACACS+ server returns
a user profile to the TACACS+ client on the ACE with the authentication status.
If the associated context of the user attempting to log in matches the contexts of
the user profile obtained through the TACACS+ server, the TACACS+ client
updates the user profile with the remote server user profile. If the contexts do not
match, the user profile is updated with a default role (Network-Monitor) and a
default domain (default-domain).
Configure the user profile on the TACACS+ server to run an Exec shell and to
configure shell command authorization for the user. Define a custom attribute
with a value string in one of the following formats:

    shell:<contextname>=<role> <domain1> <domain2>...<domainN>

or

    shell:<contextname>*<role> <domain1> <domain2>...<domainN>
Note: If you are using Cisco IOS command authorization, be sure to use an asterisk (*)
rather than the equals sign (=) operator in the shell command string. The equals
sign indicates that Cisco IOS software expects a required field to follow. Cisco
IOS software does not recognize the role field, so using the equals sign in this case
will cause Cisco IOS authorization to fail.
The user profile attribute serves an important configuration function for a
TACACS+ server group. If the user profile attribute is not obtained from the
server during authentication, or if the profile is obtained from the server but the
context name(s) in the profile do not match the context in which the user is trying
to log in, a default role (Network-Monitor) and a default domain (default-domain)
are assigned to the user if the authentication is successful.
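The following added example (not part of the Cisco guide or of the ACE software) models the profile resolution described above: it parses the shell: attribute values a TACACS+ server returns, accepts both the = and the * separator, picks the entry whose context name matches the context the user is logging in to, and otherwise falls back to the Network-Monitor role and default-domain. The user name, context names, domain names and the rule that a malformed attribute counts as "not obtained" are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Defaults the ACE assigns when no matching context profile is obtained
DEFAULT_ROLE = "Network-Monitor"
DEFAULT_DOMAIN = "default-domain"

# shell:<contextname>=<role> <domain1> ... or shell:<contextname>*<role> <domain1> ...
_ATTR_RE = re.compile(r"^shell:([^=*\s]+)([=*])(\S+)((?:\s+\S+)*)\s*$")


@dataclass(frozen=True)
class ContextProfile:
    context: str
    role: str
    domains: tuple


def parse_shell_attribute(value):
    """Parse one shell: attribute value; '=' and '*' separators are both accepted."""
    m = _ATTR_RE.match(value.strip())
    if m is None:
        raise ValueError(f"malformed shell attribute: {value!r}")
    context, _sep, role, rest = m.groups()
    return ContextProfile(context, role, tuple(rest.split()))


def format_shell_attribute(context, role, domains, ios_command_authorization=False):
    """Build the attribute string, using '*' when Cisco IOS command authorization is used."""
    sep = "*" if ios_command_authorization else "="
    return " ".join([f"shell:{context}{sep}{role}", *domains])


def resolve_profile(attribute_values, login_context):
    """Return the profile for login_context, or the default role and domain.
    A malformed attribute is treated as if none was obtained (assumption)."""
    for value in attribute_values:
        try:
            profile = parse_shell_attribute(value)
        except ValueError:
            continue
        if profile.context == login_context:
            return profile
    return ContextProfile(login_context, DEFAULT_ROLE, (DEFAULT_DOMAIN,))


# Constructed sample: one user defined in two contexts with different roles
SAMPLE_ATTRIBUTES = [
    "shell:Admin=Admin default-domain",
    "shell:C1*Network-Admin web-domain db-domain",
]
```

Running resolve_profile(SAMPLE_ATTRIBUTES, "C2") shows the fallback: the user has no entry for context C2, so the result is Network-Monitor in default-domain.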
Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide