ACS 5.0 getting error "authorization command failed"

Pranav Gade
Level 1

Hi All,

It's a Cisco ACS 1120 device running version 5.0.

I have created three basic user groups which have privilege levels 15, 10 and 1 on ACS TACACS+.

My configuration for AAA on the switch is as follows:

aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 10 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
!
ip tacacs source-interface Vlan1
!
!
tacacs-server host **** single-connection
tacacs-server directed-request

But I am getting an error while logging in as that specific user which I have created; the error is:

"command authorization failed"

Please let me know if anyone has a solution for this, or if any more information is required.


fyi...

Hi Pranav,

Any resolution on this? I am also facing the same issue.

Regards,

Ranjit

Hi Pranav and Ranjit,

Let's start fresh on this.

The configuration on the switch is OK.

We first need to differentiate whether we want to restrict commands based on different user groups on ACS, or whether we just want to differentiate privilege levels.

The simplest way to do it is that on ACS we create different authorization rules for different groups, with a shell profile of privilege 15 in every rule, and differentiate on command sets.

With this implementation every user, no matter which group they belong to, will land on the switch with privilege 15 but will have differentiated access based on command sets.

Basic concept: when we use the default method list, we do not need to apply it individually on the vty lines.

Example: aaa authentication login default group tacacs+ local

I look forward to hearing from you.

Regards,

Tushar Gaba
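The design above (everyone lands at privilege 15, access is told apart only by the per-group command set) can be sketched as a small model of what the switch and server do for each command. This is an added illustration, not code from the thread or from ACS; the group names, rules and first-match-wins evaluation are assumptions, and the `group tacacs+ local` method-list behaviour it models is that IOS falls through to `local` only when the server is unreachable, never when the server returns FAIL.

```python
import re

# Constructed example of per-group TACACS+ command sets. Each rule is
# (grant, command, argument-regex); the first matching rule wins and an
# unmatched command falls to the set's default. Hypothetical groups/rules.
COMMAND_SETS = {
    "NetAdmins": {"default": "permit", "rules": []},
    "NetOps": {"default": "deny", "rules": [
        ("deny",   "reload",    r".*"),
        ("permit", "show",      r".*"),
        ("permit", "configure", r"^terminal$"),
        ("permit", "interface", r".*"),
        ("permit", "shutdown",  r"^$"),
        ("permit", "no",        r"^shutdown$"),
    ]},
    "ReadOnly": {"default": "deny", "rules": [
        ("deny",   "show", r"^running-config"),
        ("permit", "show", r".*"),
    ]},
}


def tacacs_authorize(group, command_line):
    """Server side (simplified model): PASS or FAIL for one command."""
    cmd, _, args = command_line.strip().partition(" ")
    cs = COMMAND_SETS[group]
    for grant, rule_cmd, arg_re in cs["rules"]:
        if cmd == rule_cmd and re.search(arg_re, args):
            return "PASS" if grant == "permit" else "FAIL"
    return "PASS" if cs["default"] == "permit" else "FAIL"


def aaa_authorize(group, command_line, cmd_priv, local_priv, server_up=True):
    """Switch side: 'aaa authorization commands <lvl> default group tacacs+ local'.
    The next method is consulted only on ERROR (server unreachable); a
    PASS or FAIL from the server is final. The local method permits the
    command when the local user's privilege level covers the command's level."""
    for method in ("tacacs+", "local"):
        if method == "tacacs+":
            if not server_up:
                continue  # ERROR: fall through to the next method
            return tacacs_authorize(group, command_line)
        return "PASS" if local_priv >= cmd_priv else "FAIL"
    return "FAIL"


if __name__ == "__main__":
    for grp, line in [("ReadOnly", "show running-config"), ("NetOps", "reload"),
                      ("NetOps", "configure terminal"), ("NetAdmins", "reload")]:
        print(f"{grp:10} {line:22} -> {aaa_authorize(grp, line, 15, 15)}")
```

The last branch is the one to keep in mind when reading "command authorization failed": a FAIL from ACS is not overridden by the `local` keyword, so a user whose command set denies the command is refused even though the switch has a local fallback configured.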

mmangat
Level 1

Hello,

Just to know: have you associated the network group with the user group, and have you enabled the command set?

Hi Tushar & Mantej,

The issue of authorization has been resolved now and I am able to define 3 different groups with corresponding access privileges. The same has been mapped in shell profiles and command sets.

Now, as per my requirement, one user in a particular location (NDG) should not get access to another region or NDG; I am not able to achieve this.

Waiting to hear from you all.

Regards,

Ranjit