03-02-2010 05:36 PM - edited 03-10-2019 04:59 PM
Hi
I'm attempting to determine what is causing this error.
When logging into my switch, I am able to authenticate to user mode. However, when I attempt to log in to priv exec mode, the authentication fails, and in the ACS log there is an error generated advising "privilege level too high".
I'm not entirely clear what is generating this error. It advises to check the authorization profile, which I did... I attempted adjusting the privilege level from 0 to 15, to no avail...
Any suggestions on how to pinpoint where this is coming from?
Bruce
03-02-2010 10:20 PM
There are two fields in a shell authorization profile:
Default Privilege: // Default privilege on session
Maximum Privilege: // Maximum privilege that can be assigned to the session (by enable)
Do you know which profile is being used for the session and which values it has for these fields?
03-03-2010 04:23 AM
Honestly, no I don't know which profile is being used...I'm not sure how to determine that...
Frankly, I'm not entirely sure what is being used within this configuration...I don't "see" how/where you select options or how they inter-relate with groups or users...
03-06-2010 11:32 PM
ACS 5.0 is very different in concept to ACS 4.x and uses a policy-based system to determine handling of requests, as opposed to configuring this as part of the user/group definitions.
There are some materials, including a video, available from the Welcome page of the application.
WRT your specific question, I think the change you need to make is as follows, to create a new Shell Profile with "Maximum Privilege Level" of 15:
1) Go to Access Policies > ... > Access Services > Default Device Admin > Authorization
2) Select the check box by the row that starts with default and then press Edit
3) Press Select and then Create to create a new shell profile
4) Enter whichever name you desire, then go to the "Common Tasks" tab and set "Maximum Privilege Level" to 15
5) Press "Submit" to create this profile and then OK twice to select this new profile as a result of the policy
6) Finally, from "Device Administration Authorization Policy", press "Save Changes" to change the policy to have the result you just created
03-07-2010 04:20 AM
Thanks...
I got it working.
I had created the shell profile, but I had not selected the shell profile in the access policy that I created... I was still using the default "Permit Access" shell profile, which of course was a privilege level 1.
Thanks for continuing to track my post...
Bruce
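A simplified model of the behaviour this thread describes, as an added example that is not part of the original posts and is not ACS code: the authorization policy's matching rule names a shell profile, and an enable request above that profile's maximum privilege is rejected. The first-match evaluation, the rule and group names, and the profile name "NetAdmin-Priv15" are assumptions made for illustration; the "Permit Access" ceiling of 1 follows the last post.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ShellProfile:
    name: str
    default_priv: int   # privilege assigned when the session starts
    max_priv: int       # ceiling for a later "enable"

@dataclass(frozen=True)
class Rule:
    name: str
    group: Optional[str]  # None matches any user (the default rule)
    result: str           # name of the shell profile the rule returns

def select_profile(rules, profiles, user_group):
    """First matching rule wins; its result names the shell profile."""
    for rule in rules:
        if rule.group is None or rule.group == user_group:
            return profiles[rule.result]
    raise LookupError("no rule matched and no default rule defined")

def authorize_enable(profile, requested_priv):
    """Return (allowed, reason) for an enable request at requested_priv."""
    if requested_priv > profile.max_priv:
        return False, "privilege level too high"
    return True, "ok"

def unreferenced_profiles(rules, profiles):
    """Profiles that exist but are not the result of any policy rule."""
    used = {r.result for r in rules}
    return sorted(set(profiles) - used)

# Constructed sample data (hypothetical names, not taken from a real ACS export)
PROFILES = {
    "Permit Access": ShellProfile("Permit Access", 1, 1),
    "NetAdmin-Priv15": ShellProfile("NetAdmin-Priv15", 1, 15),
}
BEFORE = [Rule("Default", None, "Permit Access")]    # profile created, not selected
AFTER = [Rule("Default", None, "NetAdmin-Priv15")]   # policy result changed and saved

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        prof = select_profile(rules, PROFILES, "NetAdmins")
        print(label, prof.name, authorize_enable(prof, 15),
              "unused:", unreferenced_profiles(rules, PROFILES))
```

Listing profiles that no rule returns is a quick way to catch the situation in the last post, where the new profile existed but the policy still returned "Permit Access".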