https://community.cisco.com/t5/network-access-control/problem-with-tacacs-acs-and-cat-2950/m-p/530284#M426765 <HTML><HEAD></HEAD><BODY><P>I will agree with AK that I do not see any obvious problems with the aaa configuration on the switch. I note that you specify authorization for level 15 commands. My guess is that in the configuration of ACS you are not allowing these commands for this user ID. A quick way to verify this would be to remove the aaa authorization for level 15 commands from the switch config and see if the behavior changes.</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Mon, 31 Jul 2006 15:31:12 GMT Richard Burts 2006-07-31T15:31:12Z https://community.cisco.com/t5/network-access-control/problem-with-tacacs-acs-and-cat-2950/m-p/530282#M426757 <P>I've configured the 2950 as below and configured ACS correctly and I can login to the 2950 using this config, the problem lies after I go into enable and try any command I get the following error Command authorization failed.</P><P></P><P>What have I missed out of the config that will allow me to run any commands?</P><P></P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ local</P><P>aaa authorization exec default group tacacs+ local if-authenticated</P><P>aaa authorization commands 15 default group tacacs+ if-authenticated</P><P>aaa authorization network default group tacacs+ local if-authenticated</P><P>aaa accounting exec default start-stop group tacacs+</P><P>aaa accounting commands 15 default start-stop group tacacs+</P><P>aaa accounting network default start-stop group tacacs+</P><P></P><P>tacacs-server host ***.***.***</P><P>tacacs-server key 7 ***********</P><P></P><P>Thanks in advance.</P><P></P><P>Jon</P> Sun, 10 Mar 2019 21:41:16 GMT https://community.cisco.com/t5/network-access-control/problem-with-tacacs-acs-and-cat-2950/m-p/530282#M426757 jonhill 2019-03-10T21:41:16Z https://community.cisco.com/t5/network-access-control/problem-with-tacacs-acs-and-cat-2950/m-p/530283#M426760 <HTML><HEAD></HEAD><BODY><P>Hi Jon,</P><P></P><P>The switch's AAA looks ok, maybe you need to take a look at your ACS.</P><P></P><P>Check the following info, where you might need to apply it into your ACS config:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_guide_chapter09186a00801fd6fc.html#wp676529" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_guide_chapter09186a00801fd6fc.html#wp676529</A></P><P></P><P>rgds,</P><P>AK</P></BODY></HTML> Mon, 31 Jul 2006 12:53:47 GMT https://community.cisco.com/t5/network-access-control/problem-with-tacacs-acs-and-cat-2950/m-p/530283#M426760 a.kiprawih 2006-07-31T12:53:47Z https://community.cisco.com/t5/network-access-control/problem-with-tacacs-acs-and-cat-2950/m-p/530284#M426765 <HTML><HEAD></HEAD><BODY><P>I will agree with AK that I do not see any obvious problems with the aaa configuration on the switch. I note that you specify authorization for level 15 commands. My guess is that in the configuration of ACS you are not allowing these commands for this user ID. A quick way to verify this would be to remove the aaa authorization for level 15 commands from the switch config and see if the behavior changes.</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Mon, 31 Jul 2006 15:31:12 GMT https://community.cisco.com/t5/network-access-control/problem-with-tacacs-acs-and-cat-2950/m-p/530284#M426765 Richard Burts 2006-07-31T15:31:12Z