https://community.cisco.com/t5/network-access-control/acs-5-3-and-command-auth/m-p/2029625#M200449 <P>I am rolling out the Latest 5.3.0.40.6 patched ACS 1121 in a redundant pair mode.&nbsp;&nbsp; I have build user based auth without issue but am having an issue with Command auth.&nbsp; once I add command auth to the test router and modify the shell profile and command set for privilege 1 nd 15,&nbsp; none of the commands are authenticated and the report indicates the "DenyCommand" default.&nbsp; I have followed the user guide and the step by step from Security Solutions. ( link below)&nbsp; </P><P></P><P>I still get no joy.&nbsp;&nbsp; Also Cisco changed the GUI and the way command sets are built</P><P></P><P><SPAN>(</SPAN><A class="jive-link-external-small" href="http://www.security-solutions.co.za/Cisco-ACS-5.2-Role-Based-Authentication-Authorization-For-Different-Privilege-Levels-Configuration-Example.html" target="_blank">http://www.security-solutions.co.za/Cisco-ACS-5.2-Role-Based-Authentication-Authorization-For-Different-Privilege-Levels-Configuration-Example.html</A><SPAN> ) </SPAN></P><P></P><P>Any help would be appreciated </P><P></P><P>Patrick Connor</P> Mon, 11 Mar 2019 02:34:15 GMT Patrick Connor 2019-03-11T02:34:15Z https://community.cisco.com/t5/network-access-control/acs-5-3-and-command-auth/m-p/2029625#M200449 <P>I am rolling out the Latest 5.3.0.40.6 patched ACS 1121 in a redundant pair mode.&nbsp;&nbsp; I have build user based auth without issue but am having an issue with Command auth.&nbsp; once I add command auth to the test router and modify the shell profile and command set for privilege 1 nd 15,&nbsp; none of the commands are authenticated and the report indicates the "DenyCommand" default.&nbsp; I have followed the user guide and the step by step from Security Solutions. ( link below)&nbsp; </P><P></P><P>I still get no joy.&nbsp;&nbsp; Also Cisco changed the GUI and the way command sets are built</P><P></P><P><SPAN>(</SPAN><A class="jive-link-external-small" href="http://www.security-solutions.co.za/Cisco-ACS-5.2-Role-Based-Authentication-Authorization-For-Different-Privilege-Levels-Configuration-Example.html" target="_blank">http://www.security-solutions.co.za/Cisco-ACS-5.2-Role-Based-Authentication-Authorization-For-Different-Privilege-Levels-Configuration-Example.html</A><SPAN> ) </SPAN></P><P></P><P>Any help would be appreciated </P><P></P><P>Patrick Connor</P> Mon, 11 Mar 2019 02:34:15 GMT https://community.cisco.com/t5/network-access-control/acs-5-3-and-command-auth/m-p/2029625#M200449 Patrick Connor 2019-03-11T02:34:15Z https://community.cisco.com/t5/network-access-control/acs-5-3-and-command-auth/m-p/2029626#M200464 <HTML><HEAD></HEAD><BODY><P>Patrick,</P><P></P><P>Can you please post a screenshot of the authorization rule, and the command set that you configured?</P><P></P><P>Thanks,</P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Thu, 20 Sep 2012 16:28:37 GMT https://community.cisco.com/t5/network-access-control/acs-5-3-and-command-auth/m-p/2029626#M200464 Tarik Admani 2012-09-20T16:28:37Z https://community.cisco.com/t5/network-access-control/acs-5-3-and-command-auth/m-p/2029627#M200474 <HTML><HEAD></HEAD><BODY><P>Tarik,&nbsp; thanks for the response.&nbsp; I cannot get screen shots but can define the options sets.</P><P></P><P>I created 2 command sets </P><P></P><P>Pri-15&nbsp; has only the permit all command not in the table below check box checked</P><P></P><P>Pri-1&nbsp; has a single permit "show"&nbsp; with no arguments </P><P></P><P>the Auth rule has 2 rules </P><P>rule 1&nbsp; identity group "network Admin"&nbsp; any any any pri-15</P><P>rule 2 identity group "network monitor" any any any pri-1</P><P></P><P></P><P>service selection rule&nbsp;&nbsp;&nbsp; rule 1&nbsp; condition ( match system: protocol match TACACS)&nbsp; result Default Device Admin&nbsp;&nbsp; hit count 98</P><P></P><P></P><P>the report indicated the a FAIL "13025 command failed to match a Permit rule)&nbsp; and the Selected Command Set = (DentAllCommands)&nbsp; </P><P></P><P>So it looks like the command set is not being recognized.&nbsp; but I cannot see why?</P><P></P><P>Thanks,</P><P>Pat&nbsp; </P></BODY></HTML> Thu, 20 Sep 2012 18:01:36 GMT https://community.cisco.com/t5/network-access-control/acs-5-3-and-command-auth/m-p/2029627#M200474 Patrick Connor 2012-09-20T18:01:36Z https://community.cisco.com/t5/network-access-control/acs-5-3-and-command-auth/m-p/2029628#M200499 <HTML><HEAD></HEAD><BODY><P>Patrick,</P><P></P><P>Can you check this doc to see if the command set option is enabled? It is hidden by default (that is what i wanted to confirm).</P><P></P><P><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-26768">https://supportforums.cisco.com/docs/DOC-26768</A></P><P></P><P>Thanks,</P><P></P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Thu, 20 Sep 2012 18:03:40 GMT https://community.cisco.com/t5/network-access-control/acs-5-3-and-command-auth/m-p/2029628#M200499 Tarik Admani 2012-09-20T18:03:40Z https://community.cisco.com/t5/network-access-control/acs-5-3-and-command-auth/m-p/2029629#M200513 <HTML><HEAD></HEAD><BODY><P>It was not enabled.&nbsp; Thank you very much for the assistance.&nbsp; I have added the "commnad Set" to the customized Results and will test.</P></BODY></HTML> Thu, 20 Sep 2012 18:08:27 GMT https://community.cisco.com/t5/network-access-control/acs-5-3-and-command-auth/m-p/2029629#M200513 Patrick Connor 2012-09-20T18:08:27Z