12-09-2010 03:05 AM - edited 03-10-2019 05:38 PM
Hello
Please answer the above 3 queries.
I am facing issues in authorization. Below is what I have done.
12-09-2010 01:48 PM
To try to answer your questions:
1) If I want to allow certain commands for a user on the switch with privilege level 2, do I have to create the user in the local database on the switch as well as in ACS? I don't think so; correct me if I'm wrong.
2) If I have specified the privilege level 2 command on the switch, I don't need to specify it in the shell command set? Correct me if I'm wrong.
3) If I have specified it in the shell command set, then I don't need to specify it on the switch? Correct me if I'm wrong.
I am not sure what you mean.
I hope it helps a little.
PK
12-09-2010 02:07 PM
Hello,
I want to allow all the below commands:
privilege exec level 2 undebug all
privilege exec all level 2 debug
2) I have created a shell profile with privilege level 15, but users are prompted to type the enable secret password. When they are already at privilege level 15, why are they prompted again for the enable secret?
Thanks
12-10-2010 02:10 AM
Hi,
2) I have created a shell profile with privilege level 15, but users are prompted to type the enable secret password. When they are already at privilege level 15, why are they prompted again for the enable secret?
I found the answer for this question here on this forum: https://supportforums.cisco.com/message/621198
Regards.
12-10-2010 12:02 PM
Hello cadetalain
Waiting for answers, experts.
12-15-2010 11:40 AM
Hello Dears,
Can anybody help me with user privileges at least? I have been stuck on this problem for a very long time. Please have a look at the attachments in the above mails.
Thanks.
12-15-2010 11:43 AM
Hi,
Maybe you can post the output of debug aaa authorization and debug aaa authentication.
Did you try with the local database only? If so, did you get the same result?
Regards.
Alain.
12-15-2010 12:22 PM
12-16-2010 02:44 AM
Hi,
Maybe it's a stupid question, but as I said before I have never used the ACS appliance, only 4.x on 2k3. Didn't you forget to tick the checkbox in the last .bmp included in your .rar file? Because I read below that the default is enabled if there is no match.
But I think the debug authentication and authorization output could be useful.
Regards.
Alain.
12-17-2010 12:33 PM
Hello,
I am trying to log in as user cisco with privilege 2 on ACS. Privilege level 2 is accepted, but not the commands that I have allowed for privilege level 2 in ACS.
Please help. Below is the output of debug aaa authentication and debug aaa authorization.
Dec 18 00:22:42.779: AAA/AUTHEN/START (689535616): port='tty2' list='XXX' action=LOGIN service=LOGIN
Dec 18 00:22:42.779: AAA/AUTHEN/START (689535616): found list XXX
Dec 18 00:22:42.779: AAA/AUTHEN/START (689535616): Method=tacacs+ (tacacs+)
Dec 18 00:22:42.782: TAC+: send AUTHEN/START packet ver=192 id=689535616
Dec 18 00:22:42.999: TAC+: ver=192 id=689535616 received AUTHEN status = GETUSER
Dec 18 00:22:42.999: AAA/AUTHEN (689535616): status = GETUSER
Dec 18 00:22:47.117: AAA/AUTHEN/CONT (689535616): continue_login (user='(undef)')
Dec 18 00:22:47.117: AAA/AUTHEN (689535616): status = GETUSER
Dec 18 00:22:47.117: AAA/AUTHEN (689535616): Method=tacacs+ (tacacs+)
Dec 18 00:22:47.117: TAC+: send AUTHEN/CONT packet id=689535616
Dec 18 00:22:47.319: TAC+: ver=192 id=689535616 received AUTHEN status = GETPASS
Dec 18 00:22:47.319: AAA/AUTHEN (689535616): status = GETPASS
Dec 18 00:22:55.220: AAA/AUTHEN/CONT (689535616): continue_login (user='cisco')
Dec 18 00:22:55.220: AAA/AUTHEN (689535616): status = GETPASS
Dec 18 00:22:55.220: AAA/AUTHEN (689535616): Method=tacacs+ (tacacs+)
Dec 18 00:22:55.220: TAC+: send AUTHEN/CONT packet id=689535616
Dec 18 00:22:55.425: TAC+: ver=192 id=689535616 received AUTHEN status = PASS
Dec 18 00:22:55.425: AAA/AUTHEN (689535616): status = PASS
Dec 18 00:22:55.427: tty2 AAA/AUTHOR/EXEC (2575095510): Port='tty2' list='' service=EXEC
Dec 18 00:22:55.427: AAA/AUTHOR/EXEC: tty2 (2575095510) user='cisco'
Dec 18 00:22:55.427: tty2 AAA/AUTHOR/EXEC (2575095510): send AV service=shell
Dec 18 00:22:55.427: tty2 AAA/AUTHOR/EXEC (2575095510): send AV cmd*
Dec 18 00:22:55.427: tty2 AAA/AUTHOR/EXEC (2575095510): found list "default"
Dec 18 00:22:55.427: tty2 AAA/AUTHOR/EXEC (2575095510): Method=tacacs+ (tacacs+)
Dec 18 00:22:55.427: AAA/AUTHOR/TAC+: (2575095510): user=cisco
Dec 18 00:22:55.427: AAA/AUTHOR/TAC+: (2575095510): send AV service=shell
Dec 18 00:22:55.430: AAA/AUTHOR/TAC+: (2575095510): send AV cmd*
Dec 18 00:22:55.655: TAC+: (2575095510): received author response status = PASS_ADD
Dec 18 00:22:55.655: AAA/AUTHOR (2575095510): Post authorization status = PASS_ADD
Dec 18 00:22:55.655: AAA/AUTHOR/EXEC: Processing AV service=shell
Dec 18 00:22:55.655: AAA/AUTHOR/EXEC: Processing AV cmd*
Dec 18 00:22:55.658: AAA/AUTHOR/EXEC: Processing AV priv-lvl=2
Dec 18 00:22:55.658: AAA/AUTHOR/EXEC: Authorization successful
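Added example, not part of this thread: a small parser for the debug aaa authorization output posted above. It groups the lines into authorization requests by session id, records the AV pairs the switch sent and the ones the server returned, and reports whether any per-command (AAA/AUTHOR/CMD) request was made at all. Run over the output above, it finds a single EXEC authorization that returned priv-lvl=2 and no command authorization request, which is the first thing to check when an ACS command set appears to be ignored. The second sample, showing what a per-command request and a FAIL verdict look like, is constructed to mimic the IOS debug format and is an assumption, as are the session ids in it.

```python
import re

# Constructed sample: the EXEC authorization exchange exactly as posted above.
POSTED_DEBUG = """\
Dec 18 00:22:55.427: tty2 AAA/AUTHOR/EXEC (2575095510): Port='tty2' list='' service=EXEC
Dec 18 00:22:55.427: AAA/AUTHOR/EXEC: tty2 (2575095510) user='cisco'
Dec 18 00:22:55.427: tty2 AAA/AUTHOR/EXEC (2575095510): send AV service=shell
Dec 18 00:22:55.427: tty2 AAA/AUTHOR/EXEC (2575095510): send AV cmd*
Dec 18 00:22:55.427: tty2 AAA/AUTHOR/EXEC (2575095510): found list "default"
Dec 18 00:22:55.427: tty2 AAA/AUTHOR/EXEC (2575095510): Method=tacacs+ (tacacs+)
Dec 18 00:22:55.427: AAA/AUTHOR/TAC+: (2575095510): user=cisco
Dec 18 00:22:55.427: AAA/AUTHOR/TAC+: (2575095510): send AV service=shell
Dec 18 00:22:55.430: AAA/AUTHOR/TAC+: (2575095510): send AV cmd*
Dec 18 00:22:55.655: TAC+: (2575095510): received author response status = PASS_ADD
Dec 18 00:22:55.655: AAA/AUTHOR (2575095510): Post authorization status = PASS_ADD
Dec 18 00:22:55.655: AAA/AUTHOR/EXEC: Processing AV service=shell
Dec 18 00:22:55.655: AAA/AUTHOR/EXEC: Processing AV cmd*
Dec 18 00:22:55.658: AAA/AUTHOR/EXEC: Processing AV priv-lvl=2
Dec 18 00:22:55.658: AAA/AUTHOR/EXEC: Authorization successful
"""

# Constructed sample (assumption, modelled on the IOS debug format): what a
# per-command authorization looks like once "aaa authorization commands <level>
# default group tacacs+" is configured and the server rejects the command.
CMD_DEBUG = """\
Dec 18 00:23:10.100: tty2 AAA/AUTHOR/CMD(1142556731): Port='tty2' list='' service=CMD
Dec 18 00:23:10.100: AAA/AUTHOR/CMD: tty2(1142556731) user='cisco'
Dec 18 00:23:10.100: tty2 AAA/AUTHOR/CMD(1142556731): send AV service=shell
Dec 18 00:23:10.100: tty2 AAA/AUTHOR/CMD(1142556731): send AV cmd=debug
Dec 18 00:23:10.100: tty2 AAA/AUTHOR/CMD(1142556731): send AV cmd-arg=ip
Dec 18 00:23:10.100: tty2 AAA/AUTHOR/CMD(1142556731): send AV cmd-arg=<cr>
Dec 18 00:23:10.100: tty2 AAA/AUTHOR/CMD(1142556731): found list "default"
Dec 18 00:23:10.100: tty2 AAA/AUTHOR/CMD(1142556731): Method=tacacs+ (tacacs+)
Dec 18 00:23:10.300: TAC+: (1142556731): received author response status = FAIL
Dec 18 00:23:10.300: AAA/AUTHOR (1142556731): Post authorization status = FAIL
"""

# Request header lines carry the request kind (EXEC or CMD) and the session id.
AUTHOR_RE = re.compile(r"AAA/AUTHOR/(EXEC|CMD)\s*\((\d+)\)")
# The server verdict is reported by the TAC+ layer with the same session id.
STATUS_RE = re.compile(r"TAC\+: \((\d+)\): received author response status = (\w+)")
SEND_AV_RE = re.compile(r"send AV (\S+)")        # AV pair the switch sent
RECV_AV_RE = re.compile(r"Processing AV (\S+)")  # AV pair the switch applied from the reply


def parse_authorizations(debug_text):
    """Return one record per authorization request, in order of appearance."""
    requests = {}
    order = []
    current = None  # session whose "Processing AV" lines we are reading
    for line in debug_text.splitlines():
        m = AUTHOR_RE.search(line)
        if m:
            kind, sid = m.group(1), m.group(2)
            if sid not in requests:
                requests[sid] = {"id": sid, "kind": kind, "sent": [], "received": [], "status": None}
                order.append(sid)
            current = sid
            av = SEND_AV_RE.search(line)
            if av:
                requests[sid]["sent"].append(av.group(1))
            continue
        m = STATUS_RE.search(line)
        if m and m.group(1) in requests:
            requests[m.group(1)]["status"] = m.group(2)
            current = m.group(1)
            continue
        m = RECV_AV_RE.search(line)
        if m and current is not None:
            requests[current]["received"].append(m.group(1))
    return [requests[sid] for sid in order]


def summarize(debug_text):
    """Condense the debug output into what a troubleshooter needs: the privilege
    level the server assigned at EXEC time, and every per-command request with
    its verdict. An empty "commands" list means the switch never asked the
    server about individual commands, so a command set cannot have been applied."""
    priv_lvl = None
    commands = []
    for r in parse_authorizations(debug_text):
        if r["kind"] == "EXEC":
            for av in r["received"]:
                if av.startswith("priv-lvl="):
                    priv_lvl = int(av.split("=", 1)[1])
        else:
            cmd = " ".join(av.split("=", 1)[1] for av in r["sent"]
                           if av.startswith(("cmd=", "cmd-arg=")))
            commands.append((cmd, r["status"]))
    return {"exec_priv_lvl": priv_lvl, "commands": commands}


if __name__ == "__main__":
    print(summarize(POSTED_DEBUG))  # EXEC only: priv-lvl 2, no command requests
    print(summarize(POSTED_DEBUG + CMD_DEBUG))
```

The parser keys everything on the session id in parentheses, so the AAA/AUTHOR/TAC+ lines (which repeat the sent AV pairs at the transport layer) are deliberately not matched and do not double-count.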
12-17-2010 03:17 PM
Hi,
When this happens, have you disabled privilege level 15 on the line?
Have you put the aaa authorization method on the line?
Sorry, but I don't know if you have changed things since the first day.
Regards.
Alain.
12-18-2010 10:28 AM
Hello Alain,
I am also facing the same problem. We need somebody who has played with ACS 5.0 like a game.
I have not enabled aaa authorization on the line; it is enabled globally on the switch with the command aaa authorization exec default group tacacs+. When a specific user with privilege level 2 logs in, he is directly placed in privilege mode of level 2, BUT he is not able to get authorization for the commands that I have enabled for level 2.
Thanks.
12-26-2010 11:25 AM
Hello experts,
Is there nobody who can solve my authorization problem? Please suggest where I am going wrong.
Thanks.
12-27-2010 04:12 PM
If you have ACS, then it's not recommended to use the router's local user database. In the same way, if you're using "Command Sets" then you shouldn't use "IOS privileges" at all. "IOS privileges" was never a good tool for authorization, and it's an ancient tool now.
So my recommendation is to delete the "privilege" commands from your switch and to leave your "Shell profile" at the defaults. Only use "command sets".
I only use "shell profiles" when using Cisco ACE modules, Cisco Nexus, Cisco CRS or Juniper routers, because they have a different TACACS+ approach than traditional Cisco routers and switches.
Also, please upgrade to ACS 5.1 or ACS 5.2; they're far more mature products than ACS 5.0.
By the way, you also mentioned the following
#################
2) I have created a shell profile with privi level 15 but user are prompt to type enable secret password, when they are in privi level 15 then why they are prompted again for enable secret????
#################
I just did a test using ACS 5.1 and Catalyst 6500 and shell profiles with privilege level 15 worked OK without being prompted for enable secret.
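Added example, not part of this thread and not taken from Cisco documentation: the IOS side of the command-set approach recommended above. The debug output earlier in the thread shows only an EXEC authorization (service=shell, cmd*), and the poster's switch has only aaa authorization exec configured. IOS sends a per-command authorization request to TACACS+ only when aaa authorization commands <level> is configured for the privilege level the command lives at, so without those lines an ACS command set is never consulted, whatever the shell profile returns. The TACACS+ server address, the shared key and the set of privilege levels are assumptions; on the ACS side the example assumes a command set that lists the permitted commands with "permit any command that is not in the table" left unticked.

```ios
! Assumed TACACS+ server and shared key (replace with your own)
aaa new-model
tacacs-server host 192.0.2.10 key EXAMPLE-ONLY-KEY
tacacs-server timeout 5
!
! Logins go to TACACS+; local is only reached if the server is unreachable
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! EXEC authorization: the request that carries priv-lvl back from the shell profile.
! With priv-lvl=15 returned here the user lands at "#" and is not asked for enable.
aaa authorization exec default group tacacs+ if-authenticated
!
! Per-command authorization: one line for each privilege level at which commands
! may be entered. Level 15 covers debug/undebug at their default level; level 2
! covers commands moved down with "privilege exec level 2 ..."; level 1 covers
! user-mode commands. "if-authenticated" lets an authenticated user keep working
! if the server is down; use "local" instead if you prefer fail-closed behaviour.
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 2 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
! Also send configuration-mode commands for authorization
aaa authorization config-commands
!
! Accounting, so the ACS reports show the same commands it authorized
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
```

The "default" method lists apply to all lines, so nothing extra is needed under line vty. After applying this, debug aaa authorization should show AAA/AUTHOR/CMD requests carrying cmd= and cmd-arg= AV pairs for every command the user types, each answered with PASS or FAIL by the server.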
01-06-2011 03:06 PM
Hello,
So my recommendation is to delete the "privilege" commands from your switch and to leave your "Shell profile" at the defaults. Only use "command sets".
There are no privilege commands on the switch, only on ACS. Once I remove the privilege level, the user is not able to move into privileged mode (#); he stays in exec mode (>).
Also, please upgrade to ACS 5.1 or ACS 5.2; they're far more mature products than ACS 5.0.
As I have been through the install and upgrade guide, it says in Step 2: Install ACS 5.1 using the recovery DVD. Where will I find this recovery DVD?
I just did a test using ACS 5.1 and Catalyst 6500 and shell profiles with privilege level 15 worked OK without being prompted for enable secret.
Can you send me the steps of what you did? Maybe I'm missing something.