AAA Authorization

thomasandy32
Level 1

Hello

  1. If I want to allow certain commands for a user on a switch with privilege level 2, do I have to create the user in the local database on the switch as well as in ACS? I don't think so; correct me if I'm wrong.
  2. If I have specified a privilege level 2 command on the switch, I don't need to specify it in the shell command set? Correct me if I'm wrong.
  3. If I have specified it in the shell command set, then I don't need to specify it on the switch? Correct me if I'm wrong.

Please answer above 3 queries.

I am facing issues in authorization. This is what I have done:

  • I have created a local user in ACS 5.0, and
  • I have assigned him to the identity group admin,
  • I have assigned him to the "all Access switches" device type,
  • Access Policies > Default Device Admin > Authorization: I created a privilege level of 15 and assigned it to him.
  • I am facing issues with admin privilege: I have given privilege 15 in the authorization profile, but a user created with the command "username XXX privilege 15 password cisco" is still prompted for the enable secret password.


14 Replies

Panos Kampanakis
Cisco Employee

To try to answer your questions:

  1. If I want to allow certain commands for a user on a switch with privilege level 2, do I have to create the user in the local database on the switch as well as in ACS? I don't think so; correct me if I'm wrong.
Correct, you don't need to.
  2. If I have specified a privilege level 2 command on the switch, I don't need to specify it in the shell command set? Correct me if I'm wrong.
If you have moved a command under priv 2 and a user is priv 2, he will be able to use it. You need to have command authorization enabled, of course.
  3. If I have specified it in the shell command set, then I don't need to specify it on the switch? Correct me if I'm wrong.

I am not sure what you mean.

I hope it helps a little.

PK

Hello,

I want to allow all the below commands:

privilege exec level 2 undebug all
privilege exec all level 2 debug

  1. I want to configure this in ACS. I have gone to Policy Elements > Device Administration > Command Set, created it and assigned the command set to an identity group, but the users are not able to execute these commands. Please have a look at the attached.

  2. I have created a shell profile with privilege level 15, but users are prompted to type the enable secret password. When they are in privilege level 15, why are they prompted again for the enable secret?

Thanks

Hi,

2) I have created a shell profile with privilege level 15, but users are prompted to type the enable secret password. When they are in privilege level 15, why are they prompted again for the enable secret?

I found the answer for this question here on this forum:  https://supportforums.cisco.com/message/621198

Regards.

Don't forget to rate helpful posts.

Hello cadetalain

  • Thanks for the effort in providing me the link, but unfortunately the solution doesn't work for me. Strangely, the user with privilege 2 is placed in privilege exec level 2 (Switch#) mode, but users who try to log in with privilege 15 are placed in user exec mode.

  • Also, command authorization is not working for privilege level 2 users.

Waiting for answers, experts.

Hello Dears,

Can anybody help me with user privileges at least? I have been stuck on this problem for a very long time. Please have a look at the attachments in the above mails.

Thanks.

cadet alain
VIP Alumni

Hi,

Maybe you can post debug aaa authorization and debug aaa authentication.

Did you try with local database only? If so did you get same result?

Regards.

Alain.

Don't forget to rate helpful posts.

Hello,

With local authentication and authorization it works fine, but when I remove the command from the switch to do authentication and authorization, it doesn't work with the ACS server.

Thanks

Hi,

Maybe it's a stupid question, but as I said before I never used the ACS appliance, only 4.x on 2k3: didn't you forget to tick the checkbox in the last bmp included in your rar file? Because I read below that the default is enabled if no match.

But I think debug authentication and authorization could be useful.

Regards.

Alain.

Don't forget to rate helpful posts.

Hello,

I'm trying to log in with user cisco with privilege 2 on ACS. Privilege level 2 is accepted, but not the commands that I have allowed for privilege level 2 in ACS.

Please help. Below is the output for debug aaa authentication and debug aaa authorization.


Dec 18 00:22:42.779: AAA/AUTHEN/START (689535616): port='tty2' list='XXX' action=LOGIN service=LOGIN
Dec 18 00:22:42.779: AAA/AUTHEN/START (689535616): found list XXX
Dec 18 00:22:42.779: AAA/AUTHEN/START (689535616): Method=tacacs+ (tacacs+)
Dec 18 00:22:42.782: TAC+: send AUTHEN/START packet ver=192 id=689535616
Dec 18 00:22:42.999: TAC+: ver=192 id=689535616 received AUTHEN status = GETUSER
Dec 18 00:22:42.999: AAA/AUTHEN (689535616): status = GETUSER
Dec 18 00:22:47.117: AAA/AUTHEN/CONT (689535616): continue_login (user='(undef)')
Dec 18 00:22:47.117: AAA/AUTHEN (689535616): status = GETUSER
Dec 18 00:22:47.117: AAA/AUTHEN (689535616): Method=tacacs+ (tacacs+)
Dec 18 00:22:47.117: TAC+: send AUTHEN/CONT packet id=689535616
Dec 18 00:22:47.319: TAC+: ver=192 id=689535616 received AUTHEN status = GETPASS
Dec 18 00:22:47.319: AAA/AUTHEN (689535616): status = GETPASS
Dec 18 00:22:55.220: AAA/AUTHEN/CONT (689535616): continue_login (user='cisco')
Dec 18 00:22:55.220: AAA/AUTHEN (689535616): status = GETPASS
Dec 18 00:22:55.220: AAA/AUTHEN (689535616): Method=tacacs+ (tacacs+)
Dec 18 00:22:55.220: TAC+: send AUTHEN/CONT packet id=689535616
Dec 18 00:22:55.425: TAC+: ver=192 id=689535616 received AUTHEN status = PASS
Dec 18 00:22:55.425: AAA/AUTHEN (689535616): status = PASS
Dec 18 00:22:55.427: tty2 AAA/AUTHOR/EXEC (2575095510): Port='tty2' list='' service=EXEC
Dec 18 00:22:55.427: AAA/AUTHOR/EXEC: tty2 (2575095510) user='cisco'
Dec 18 00:22:55.427: tty2 AAA/AUTHOR/EXEC (2575095510): send AV service=shell
Dec 18 00:22:55.427: tty2 AAA/AUTHOR/EXEC (2575095510): send AV cmd*
Dec 18 00:22:55.427: tty2 AAA/AUTHOR/EXEC (2575095510): found list "default"
Dec 18 00:22:55.427: tty2 AAA/AUTHOR/EXEC (2575095510): Method=tacacs+ (tacacs+)
Dec 18 00:22:55.427: AAA/AUTHOR/TAC+: (2575095510): user=cisco
Dec 18 00:22:55.427: AAA/AUTHOR/TAC+: (2575095510): send AV service=shell
Dec 18 00:22:55.430: AAA/AUTHOR/TAC+: (2575095510): send AV cmd*
Dec 18 00:22:55.655: TAC+: (2575095510): received author response status = PASS_ADD
Dec 18 00:22:55.655: AAA/AUTHOR (2575095510): Post authorization status = PASS_ADD
Dec 18 00:22:55.655: AAA/AUTHOR/EXEC: Processing AV service=shell
Dec 18 00:22:55.655: AAA/AUTHOR/EXEC: Processing AV cmd*
Dec 18 00:22:55.658: AAA/AUTHOR/EXEC: Processing AV priv-lvl=2
Dec 18 00:22:55.658: AAA/AUTHOR/EXEC: Authorization successful
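
Reading debug like the above by hand is error-prone, so here is an added example (not from the thread, and not Cisco's code) that summarises IOS "debug aaa authentication" / "debug aaa authorization" output. It extracts the login result, the EXEC authorization result and the priv-lvl attribute the server returned, and separately lists every per-command authorization request (the lines IOS prefixes with AAA/AUTHOR/CMD). The first sample is excerpted from the debug posted above; the second sample, showing a per-command request for "debug all", is constructed for illustration, since the post contains no such lines. The regular expressions assume the field layout seen in the posted debug.

```python
"""Summarise IOS AAA authentication/authorization debug output (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Excerpt of the debug posted in the thread: login PASS, EXEC authorization
# PASS_ADD with priv-lvl=2, and no per-command (AAA/AUTHOR/CMD) exchange.
EXEC_ONLY_DEBUG = """\
Dec 18 00:22:47.117: AAA/AUTHEN/CONT (689535616): continue_login (user='(undef)')
Dec 18 00:22:55.220: AAA/AUTHEN/CONT (689535616): continue_login (user='cisco')
Dec 18 00:22:55.425: AAA/AUTHEN (689535616): status = PASS
Dec 18 00:22:55.427: tty2 AAA/AUTHOR/EXEC (2575095510): Port='tty2' list='' service=EXEC
Dec 18 00:22:55.427: AAA/AUTHOR/EXEC: tty2 (2575095510) user='cisco'
Dec 18 00:22:55.427: tty2 AAA/AUTHOR/EXEC (2575095510): send AV service=shell
Dec 18 00:22:55.427: tty2 AAA/AUTHOR/EXEC (2575095510): send AV cmd*
Dec 18 00:22:55.655: TAC+: (2575095510): received author response status = PASS_ADD
Dec 18 00:22:55.655: AAA/AUTHOR (2575095510): Post authorization status = PASS_ADD
Dec 18 00:22:55.658: AAA/AUTHOR/EXEC: Processing AV priv-lvl=2
Dec 18 00:22:55.658: AAA/AUTHOR/EXEC: Authorization successful
"""

# Constructed continuation (not from the thread): what a per-command request
# looks like once "aaa authorization commands 2 default group tacacs+" is on.
# Session id and timestamps are made up; the field layout is assumed.
CMD_LINES = """\
Dec 18 00:23:10.100: tty2 AAA/AUTHOR/CMD (1122334455): Port='tty2' list='' service=CMD
Dec 18 00:23:10.100: AAA/AUTHOR/CMD: tty2 (1122334455) user='cisco'
Dec 18 00:23:10.100: tty2 AAA/AUTHOR/CMD (1122334455): send AV service=shell
Dec 18 00:23:10.100: tty2 AAA/AUTHOR/CMD (1122334455): send AV cmd=debug
Dec 18 00:23:10.100: tty2 AAA/AUTHOR/CMD (1122334455): send AV cmd-arg=all
Dec 18 00:23:10.100: tty2 AAA/AUTHOR/CMD (1122334455): send AV cmd-arg=<cr>
Dec 18 00:23:10.300: AAA/AUTHOR (1122334455): Post authorization status = PASS_ADD
"""

RE_AUTHEN = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")
RE_USER = re.compile(r"user='([^']+)'")
RE_KIND = re.compile(r"AAA/AUTHOR/(EXEC|CMD) \((\d+)\)")       # session id -> request type
RE_CMD = re.compile(r"\((\d+)\): send AV cmd=(\S+)")
RE_CMDARG = re.compile(r"\((\d+)\): send AV cmd-arg=(\S+)")
RE_POST = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\w+)")
RE_PRIV = re.compile(r"Processing AV priv-lvl=(\d+)")


@dataclass
class Summary:
    user: Optional[str] = None
    authen_status: Optional[str] = None      # last AAA/AUTHEN status seen
    exec_status: Optional[str] = None        # EXEC (shell) authorization result
    priv_lvl: Optional[int] = None           # priv-lvl attribute returned by the server
    commands: List[Tuple[str, str]] = field(default_factory=list)  # (command, status)


def summarize(debug: str) -> Summary:
    s = Summary()
    kind: Dict[str, str] = {}          # session id -> "EXEC" or "CMD"
    cmd: Dict[str, List[str]] = {}     # session id -> command words sent to the server
    for line in debug.splitlines():
        if (m := RE_AUTHEN.search(line)):
            s.authen_status = m.group(2)
        if (m := RE_USER.search(line)) and m.group(1) != "(undef)":
            s.user = m.group(1)
        if (m := RE_KIND.search(line)):
            kind[m.group(2)] = m.group(1)
        if (m := RE_CMD.search(line)):
            cmd[m.group(1)] = [m.group(2)]
        if (m := RE_CMDARG.search(line)) and m.group(2) != "<cr>":
            cmd.setdefault(m.group(1), []).append(m.group(2))
        if (m := RE_PRIV.search(line)):
            s.priv_lvl = int(m.group(1))
        if (m := RE_POST.search(line)):
            sid, status = m.groups()
            if kind.get(sid) == "CMD":
                s.commands.append((" ".join(cmd.get(sid, [])), status))
            else:
                s.exec_status = status
    return s


def findings(s: Summary) -> List[str]:
    """Human-readable checklist derived from the summary."""
    out = []
    if s.authen_status != "PASS":
        out.append(f"login authentication status {s.authen_status!r}, not PASS")
    if s.exec_status in ("PASS_ADD", "PASS_REPL"):
        out.append(f"EXEC authorization granted priv-lvl={s.priv_lvl} to user {s.user!r}")
    else:
        out.append(f"EXEC authorization status {s.exec_status!r}")
    if not s.commands:
        out.append("no AAA/AUTHOR/CMD exchange: the switch never asked the server about "
                   "any individual command; per-command checks need "
                   "'aaa authorization commands <level> default group tacacs+'")
    for command, status in s.commands:
        out.append(f"command {command!r}: {status}")
    return out


if __name__ == "__main__":
    for label, text in (("posted debug", EXEC_ONLY_DEBUG),
                        ("with command authorization", EXEC_ONLY_DEBUG + CMD_LINES)):
        print(f"== {label} ==")
        for f in findings(summarize(text)):
            print(" -", f)
```

Run against the posted debug, the summary shows that the server's answer (priv-lvl=2, PASS_ADD) was for the EXEC session only: there is no AAA/AUTHOR/CMD request at all, which is the difference between "user lands in level 2" and "each command is checked against the command set".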

Hi,

When this happens, have you disabled privilege level 15 on the line?

Have you put the aaa authorization method on the line?

Sorry, but I don't know if you have changed things since the first day.

Regards.

Alain.

Don't forget to rate helpful posts.

Hello Alain,

Me too, I'm facing the same problem. We need somebody who has played with ACS 5.0 like a game.

I have not enabled aaa authorization on the line; it is enabled globally on the switch with the command aaa authorization exec default group tacacs+. When a specific user with privilege level 2 logs in, he is directly placed in privilege mode of level 2, BUT he is not able to get authorization for the commands I have enabled for level 2.

Thanks.

Hello Experts,

Is there nobody who can solve my authorization problem? Please suggest where I'm doing wrong.

Thanks.

If you have ACS then it's not recommended to use the router's local user database. In the same way, if you're using "Command Sets" then you shouldn't use "IOS privileges" at all. "IOS privileges" was never a good tool for authorization, and it's an ancient tool now.

So my recommendation is to delete "privilege" commands from your switch and to leave your "Shell profile" to the defaults. Only use "command sets".

I only use "shell profiles " when using Cisco ACE modules, Cisco Nexus, Cisco CRS or Juniper routers, because they have a different TACACS+ approach than traditional Cisco routers and switches.

Also, please upgrade to ACS 5.1 or ACS 5.2; they're far more mature products than ACS 5.0.

By the way, you also mentioned the following

#################

2) I have created a shell profile with privilege level 15, but users are prompted to type the enable secret password. When they are in privilege level 15, why are they prompted again for the enable secret?

#################

I just did a test using ACS 5.1 and Catalyst 6500 and shell profiles with privilege level 15 worked OK without being prompted for enable secret.

Hello,

So my recommendation is to delete "privilege" commands from your switch and to leave your "Shell profile" to the defaults. Only use "command sets".

There are no privilege commands on the switch, only on ACS. Once I remove the privilege level, the user is not able to move into privilege mode (#); he is in exec mode (>).

Also please upgrade to ACS 5.1 or ACS 5.2, they're far more mature product than ACS 5.0

As I have been through the install and upgrade guide, it says in step no. 2: Install ACS 5.1 using the recovery DVD. Where will I find this recovery DVD?

I just did a test using ACS 5.1 and Catalyst 6500 and shell profiles with privilege level 15 worked OK without being prompted for enable secret

Can you send me the steps of what you did? Maybe I'm missing something.