09-06-2010 01:13 AM - edited 03-10-2019 05:23 PM
Hi All,
It's a Cisco ACS 1120 device with version 5.0.
I have created three basic user groups which have privilege levels 15, 10 and 1 on ACS TACACS+.
My configuration for AAA on the switch is as follows:
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 10 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
!
ip tacacs source-interface Vlan1
!
!
tacacs-server host **** single-connection
tacacs-server directed-request
But I am getting an error while logging in as that specific user which I have created; the error is
"command authorization failed"
Please let me know if anyone has a solution for this, or if any more information is required.
09-12-2010 04:55 AM
09-12-2010 04:56 AM
07-09-2013 12:55 AM
Hi Pranav,
Any resolution on the same, as I am also facing the same issue?
Regards,
Ranjit
07-09-2013 01:36 AM
Hi Pranav and Ranjit,
Let's start fresh on this.
The configuration on the switch is OK.
We first need to differentiate whether we want to restrict commands based on different user groups on ACS, or we just want to differentiate privilege levels.
The simplest way to do it is that on ACS we create different authorization rules for different groups, with a shell profile of privilege 15 in every rule, and differentiate on command sets.
With this implementation every user, no matter which group they belong to, will land on the switch with privilege 15 but will have differentiated access based on command sets.
Basic concept: when we use default as the method list we do not need to apply the same individually on the vty lines.
Example: aaa authentication login default group tacacs+ local
Looking forward to hearing from you.
Regards,
Tushar Gaba
07-09-2013 07:39 PM
Hello,
Just to know, have you associated a network group with the user group? And have you enabled a command set?
07-10-2013 01:24 AM
Hi Tushar & Mantej,
The issue of authorization has been resolved now and I am able to define 3 different groups with corresponding access privileges. The same has been mapped in shell profiles and command sets.
Now, as per my requirement, my 1 user in a particular location (NDG) should not get access to other regions or NDGs; I am not able to achieve this.
Waiting to hear from you all.
Regards,
Ranjit
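The following is an added illustration, not code from this thread or from Cisco ACS, of the two points the replies above turn on: Tushar's approach of giving every group a privilege-15 shell profile and differentiating them by command set (a command outside the set produces the "command authorization failed" the switch shows), and Ranjit's requirement that a user's authorization rule be conditioned on the device's Network Device Group (NDG) location so the user is denied on devices in other regions. The group names, locations, command sets and the first-match, deny-by-default policy are constructed assumptions; ACS's real argument matching is approximated here as a full-line regular-expression match.

```python
"""Simplified model of ACS 5.x device-administration authorization.

Constructed for illustration: it is NOT ACS code. It shows how a TACACS+
exec (shell) authorization and each per-command authorization are decided
from an identity group, the device's NDG location, a shell profile
(privilege level) and a command set.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ALL_ARGS = r".*"  # argument pattern that matches any arguments


@dataclass
class CommandSet:
    """An ACS-style command set: ordered (grant, command, argument regex) rows."""
    name: str
    entries: List[Tuple[str, str, str]] = field(default_factory=list)
    # Models the "Permit any command that is not in the table below" checkbox.
    permit_unmatched: bool = False

    def allows(self, command_line: str) -> bool:
        parts = command_line.strip().split(None, 1)
        cmd = parts[0].lower()
        args = parts[1] if len(parts) > 1 else ""
        for grant, name, arg_re in self.entries:  # first matching row wins
            if name.lower() == cmd and re.fullmatch(arg_re, args):
                return grant == "permit"
        return self.permit_unmatched


@dataclass
class Rule:
    """One authorization rule: conditions -> shell profile + command set."""
    identity_group: str
    location: Optional[str]   # NDG:Location condition; None means any location
    priv_level: int           # shell profile privilege level (15 for everyone)
    command_set: CommandSet


# Constructed command sets (hypothetical names).
READ_ONLY = CommandSet("ReadOnly", [("permit", "show", ALL_ARGS),
                                    ("permit", "exit", ALL_ARGS)])
NETOPS = CommandSet("NetOps", [("deny", "configure", ALL_ARGS),
                               ("deny", "reload", ALL_ARGS)],
                    permit_unmatched=True)
FULL = CommandSet("FullAccess", [], permit_unmatched=True)

# Constructed policy: every rule hands out privilege 15; access differs only
# by command set, and the regional groups are pinned to their own NDG.
POLICY = [
    Rule("Admins", None, 15, FULL),
    Rule("NetOps-Mumbai", "Mumbai", 15, NETOPS),
    Rule("NetOps-Delhi", "Delhi", 15, NETOPS),
    Rule("Helpdesk", None, 15, READ_ONLY),
]


def select_rule(identity_group: str, device_location: str) -> Optional[Rule]:
    """First matching rule wins; no match falls through to the default rule,
    which this model treats as deny access."""
    for rule in POLICY:
        if rule.identity_group == identity_group and rule.location in (None, device_location):
            return rule
    return None


def exec_authorization(identity_group: str, device_location: str) -> Optional[int]:
    """Exec (shell) authorization: the privilege level granted, or None if denied."""
    rule = select_rule(identity_group, device_location)
    return rule.priv_level if rule else None


def command_authorization(identity_group: str, device_location: str, command_line: str) -> bool:
    """Per-command authorization as triggered by 'aaa authorization commands N'.
    False corresponds to the switch printing 'Command authorization failed'."""
    rule = select_rule(identity_group, device_location)
    if rule is None:
        return False
    return rule.command_set.allows(command_line)


if __name__ == "__main__":
    for group, loc, cmd in [("Helpdesk", "Delhi", "show running-config"),
                            ("Helpdesk", "Delhi", "configure terminal"),
                            ("NetOps-Mumbai", "Mumbai", "clear counters"),
                            ("NetOps-Mumbai", "Delhi", "show version")]:
        print(group, loc, repr(cmd), "exec priv:", exec_authorization(group, loc),
              "command allowed:", command_authorization(group, loc, cmd))
```

In this model the Helpdesk user lands at privilege 15 but fails command authorization on `configure terminal`, which is the symptom the original post reports when the command set does not cover the command; and a NetOps-Mumbai user gets no rule at all on a Delhi device, so both exec and command authorization are denied there. In ACS the location comes from the NDG the switch's source address (the `ip tacacs source-interface` above) is assigned to, so the device's NDG membership must be correct for the location condition to work.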