AAA authorization with ACS 3.2

hunleyb
Level 1

I'm trying to configure my devices to use shell command authorization sets located on my ACS box. I want users that are members of a specific group to only be allowed certain commands (e.g. show). I'm pretty sure my ACS box is set up correctly, but my devices aren't. Here is the current config:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

I want the aaa authorization to use tacacs on my ACS box and whatever shell command sets are group specific when a user that is a member of that group logs in.

17 Replies

You're going to laugh... I talked about the requirements with the network admin and he said that he'll need vty access... Basically authorization works on vty, just not on console. I wish it said that somewhere in the manual, actually they should repeat it in every chapter.... wow I feel silly.. sorry for the troubles... and thank you for your help

Marek

The aspect that authorization works by default on vty and not on console is perhaps something I should have questioned early in this discussion. If I had asked how you were testing this and if you had said that you were logging in on the console we could have concluded the discussion much more quickly. It is interesting sometimes how long it takes us to get to the really right question.

I am glad that you have it figured out now. I still think that you should include backup methods in your aaa config.

Good luck with your implementation.

HTH

Rick

I've included the enable password for authentication, I'll also do that for authorization... I still have to configure a PIX to work with it.... scared =]

Thanks for all the help
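
An added example, not part of any post in this thread: a small Python check that runs the AAA lines from the first post against the three points the discussion raises (per-command authorization, backup methods, console versus vty). The function names, finding labels and the second configuration are constructed for illustration.

```python
import re

# AAA lines copied from the first post in this thread.
POSTED = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
"""
# Constructed variant: command authorization added, but without a backup method.
CONSTRUCTED = POSTED + "aaa authorization commands 15 default group tacacs+\n"

# aaa <authentication|authorization> <type> [level] <list-name> <methods...>
METHOD_LIST = re.compile(r"^aaa (authentication|authorization) \S+(?: \d+)? \S+ (.+)$")


def split_methods(text):
    """Turn 'group tacacs+ local' into ['group tacacs+', 'local']."""
    tokens, methods = text.split(), []
    while tokens:
        tok = tokens.pop(0)
        methods.append(f"group {tokens.pop(0)}" if tok == "group" and tokens else tok)
    return methods


def audit(config):
    """Return findings for the three points raised in the thread."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    for ln in lines:
        m = METHOD_LIST.match(ln)
        # A single method means a TACACS+ outage leaves nothing to fall back on.
        if m and len(split_methods(m.group(1 + 1))) < 2:
            findings.append(f"no-backup-method: {ln}")
    # Shell command authorization sets on ACS are only consulted when the
    # device sends per-command requests; 'authorization exec' alone does not.
    if not any(ln.startswith("aaa authorization commands ") for ln in lines):
        findings.append("no-command-authorization")
    # Authorization is applied on vty by default but not on the console;
    # 'aaa authorization console' is the IOS global command that enables it there.
    if "aaa authorization console" not in lines:
        findings.append("console-not-authorized")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("constructed", CONSTRUCTED)):
        print(name, audit(cfg))
```

Before enabling console authorization on a device, confirm a backup method is in every list so a TACACS+ outage does not lock out the console.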