https://community.cisco.com/t5/network-access-control/acs-configuration-for-authorization/m-p/2384374#M159117 <HTML><HEAD></HEAD><BODY><P>kindly find the link to below for the proper configuration sample for authorization. </P><P><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-16027">https://supportforums.cisco.com/docs/DOC-16027</A></P></BODY></HTML> Fri, 01 Nov 2013 22:33:41 GMT blenka 2013-11-01T22:33:41Z https://community.cisco.com/t5/network-access-control/acs-configuration-for-authorization/m-p/2384365#M159108 <P>Hi,</P><P></P><P>I'm checking if some can help me out with a specific configuration.</P><P>We are deploying the Cisco ACS in our network and have configured for the Authorization AAA to our AD.</P><P>Now what we want to do is to give the technician normal access for monitoring an troubleshooting&nbsp; which is only certain commands show* and allow them to use the enabled password to gain access to the conf t and other commands.</P><P></P><P>We have trying to give them:</P><P>Shell profiles Default Privilege: Static 10;</P><P>Maximum Privilege:&nbsp; <A></A><A></A>Static 10;</P><P></P><P>Command Sets:</P><P>Permit Show *</P><P>Deny Conf*</P><P>Deny Wr*</P><P>Deny Rel*</P><P></P><P>While do this if gives the message correctly when using conf t and give a message "Command Authorazation failed, but when typing enable not is happening.</P><P></P><P>What should be done to correctly configure this.</P><P></P><P>Patrick</P> Mon, 11 Mar 2019 04:02:59 GMT https://community.cisco.com/t5/network-access-control/acs-configuration-for-authorization/m-p/2384365#M159108 patrick.girigorie 2019-03-11T04:02:59Z https://community.cisco.com/t5/network-access-control/acs-configuration-for-authorization/m-p/2384366#M159109 <HTML><HEAD></HEAD><BODY><P>Did you find this document in your research? If no then you may want to take a look at it.</P><P><A href="http://www.cisco.com/en/US/products/ps9911/products_configuration_example09186a0080bc8514.shtml">http://www.cisco.com/en/US/products/ps9911/products_configuration_example09186a0080bc8514.shtml</A></P><P></P><P>Also, please set the maximum privilege to 15 before you test command authorization.</P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Wed, 30 Oct 2013 16:48:00 GMT https://community.cisco.com/t5/network-access-control/acs-configuration-for-authorization/m-p/2384366#M159109 Jatin Katyal 2013-10-30T16:48:00Z https://community.cisco.com/t5/network-access-control/acs-configuration-for-authorization/m-p/2384367#M159110 <HTML><HEAD></HEAD><BODY><P> Hi Jatin,</P><P></P><P>Thanks for the reply, Yes i have tried this but the problem that I want the limited access engineer to make use of the enable password for the to gain access to the conf t.</P><P></P><P>So same user who normally has limited access will change his priv level by using the enable password (or something else) for them to gain the total access for configuration of the equipement.</P><P></P><P>Thanks,</P><P>Patrick</P></BODY></HTML> Wed, 30 Oct 2013 18:21:07 GMT https://community.cisco.com/t5/network-access-control/acs-configuration-for-authorization/m-p/2384367#M159110 patrick.girigorie 2013-10-30T18:21:07Z https://community.cisco.com/t5/network-access-control/acs-configuration-for-authorization/m-p/2384368#M159111 <HTML><HEAD></HEAD><BODY><P>Could you please share the output of "show run | in aaa" in your next reply.</P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Thu, 31 Oct 2013 12:37:40 GMT https://community.cisco.com/t5/network-access-control/acs-configuration-for-authorization/m-p/2384368#M159111 Jatin Katyal 2013-10-31T12:37:40Z https://community.cisco.com/t5/network-access-control/acs-configuration-for-authorization/m-p/2384369#M159112 <HTML><HEAD></HEAD><BODY><P>Hi Jatin,</P><P></P><P>Yes of course:</P><P></P><P>See below.</P><P></P><P>aaa authentication login default group tacacs+</P><P>aaa authentication enable default group tacacs+ enable</P><P>aaa authorization config-commands</P><P>aaa authorization exec default group tacacs+ local</P><P>aaa authorization commands 15 default group tacacs+ local<SPAN id="mce_marker"> </SPAN>aaa authentication login default group tacacs+</P><P></P><P>Thanks,</P><P>Patrick</P></BODY></HTML> Thu, 31 Oct 2013 14:04:47 GMT https://community.cisco.com/t5/network-access-control/acs-configuration-for-authorization/m-p/2384369#M159112 patrick.girigorie 2013-10-31T14:04:47Z https://community.cisco.com/t5/network-access-control/acs-configuration-for-authorization/m-p/2384370#M159113 <HTML><HEAD></HEAD><BODY><P>I would also suggest you to have complete configuration for command authorization so add these two commands as well.</P><P>aaa authorization commands 0 default group tacacs+ local</P><P>aaa authorization commands 1 default group tacacs+ local</P><P></P><P>In order to present enable password mode to your technician (read-pnly users) you have to configure ACS like this.</P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/5/4/9/163945-enable.PNG" class="jive-image" /></P><P></P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/4/6/9/163964-show.PNG" class="jive-image" /></P><P></P><P>let me know how it goes.</P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Thu, 31 Oct 2013 15:29:43 GMT https://community.cisco.com/t5/network-access-control/acs-configuration-for-authorization/m-p/2384370#M159113 Jatin Katyal 2013-10-31T15:29:43Z https://community.cisco.com/t5/network-access-control/acs-configuration-for-authorization/m-p/2384371#M159114 <HTML><HEAD></HEAD><BODY><P>Jatin,</P><P></P><P> Ok almost there it is working but I cannot get the show run to work when in view-only and additionally the configured enable password on the router is not working anymore.</P><P></P><P>Can you help with this?</P><P></P><P>Patrick</P></BODY></HTML> Thu, 31 Oct 2013 19:03:54 GMT https://community.cisco.com/t5/network-access-control/acs-configuration-for-authorization/m-p/2384371#M159114 patrick.girigorie 2013-10-31T19:03:54Z https://community.cisco.com/t5/network-access-control/acs-configuration-for-authorization/m-p/2384372#M159115 <HTML><HEAD></HEAD><BODY><P>so you're saying when you execute "show run", it says command authorization failed. If yes then I would be interested to see the syntax that you've defined on ACS under command sets. Also why enable authentication is not going to local database i.e router because in your configuration, you've defined that it should go and check enable password tacacs server first however if it doesn't work check locally defined enable password. Since your tacacs server is up and running, we have to use enable password from tacacs.</P><P></P><P>Here is what you have.</P><P>aaa authentication enable default group tacacs+ enable</P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Thu, 31 Oct 2013 21:18:06 GMT https://community.cisco.com/t5/network-access-control/acs-configuration-for-authorization/m-p/2384372#M159115 Jatin Katyal 2013-10-31T21:18:06Z https://community.cisco.com/t5/network-access-control/acs-configuration-for-authorization/m-p/2384373#M159116 <HTML><HEAD></HEAD><BODY><P>Jatin,</P><P></P><P>Hope it's clear the image.</P><P>Just changed the enable to local only.</P><P></P><P>Patrick<IMG src="http://supportforums.cisco.com/sites/default/files/legacy/2/1/0/164012-enable%20not%20going.jpg" class="jive-image" /> </P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/5/0/0/164005-conf%20ACS.jpg" class="jive-image" /></P></BODY></HTML> Thu, 31 Oct 2013 22:49:31 GMT https://community.cisco.com/t5/network-access-control/acs-configuration-for-authorization/m-p/2384373#M159116 patrick.girigorie 2013-10-31T22:49:31Z https://community.cisco.com/t5/network-access-control/acs-configuration-for-authorization/m-p/2384374#M159117 <HTML><HEAD></HEAD><BODY><P>kindly find the link to below for the proper configuration sample for authorization. </P><P><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-16027">https://supportforums.cisco.com/docs/DOC-16027</A></P></BODY></HTML> Fri, 01 Nov 2013 22:33:41 GMT https://community.cisco.com/t5/network-access-control/acs-configuration-for-authorization/m-p/2384374#M159117 blenka 2013-11-01T22:33:41Z https://community.cisco.com/t5/network-access-control/acs-configuration-for-authorization/m-p/2384375#M159118 <HTML><HEAD></HEAD><BODY><P>This didn't seem like it was design for one user to get all the priv for Show command. So we decided to use two users instead one with priv 15 with no wr mem or conf t and another with priv 15 with no restrictions.</P><P></P><P>Thanks</P><P>Patrick</P></BODY></HTML> Tue, 19 Nov 2013 11:42:13 GMT https://community.cisco.com/t5/network-access-control/acs-configuration-for-authorization/m-p/2384375#M159118 patrick.girigorie 2013-11-19T11:42:13Z