Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2836
Views
0
Helpful
7
Replies

ACS 5.1 appliance and 3750 Switch

Joseph Dworak
Level 1
Level 1

‎05-18-2010 07:17 AM - edited ‎03-10-2019 05:08 PM

I'm trying to add a 3750 to our new ACS 5.1 appliance for tacacs authorization

Attached is the config I have on the 3750 and a debug.  After I enter this information the enable command and all futher commands say "Command authorization failed."

My ACS has this specific device added to the "Network Devices and AAA clients" area of ACS with a Tacacs shared secret PW the same as my Key on the 3750.

Labels:
64718-config and debug.txt.zip
0 Helpful
7 Replies 7

Javier Henderson
Level 4
Level 4

‎05-18-2010 10:04 AM

What is ACS reporting as the reason to fail the authorization?

0 Helpful

Joseph Dworak
Level 1
Level 1
In response to Javier Henderson

‎05-18-2010 11:01 AM

ACS report and monitor shows my account :

Status:

Passed

Failure Reason:

Logged At:

May 18, 2010 12:58 PM

ACS Time:

May 18, 2010 12:58 PM

ACS Instance:

NAWDM1ACS-A01-DC03

Authentication Method:

PAP_ASCII

Authentication Type:

ASCII

Privilege Level:

1

User

Username:

abc123

When I type enable or any other command it says:

Command authorization failed.
0 Helpful

Chetan Kumar Ress
Level 4
Level 4
In response to Joseph Dworak

‎05-18-2010 12:01 PM

As you mention you are able to login but You are not able to get authorized for enable & config .

Did you setup ACS for authorization ?

Please let us know the so can come with solution

0 Helpful

Javier Henderson
Level 4
Level 4
In response to Joseph Dworak

‎05-18-2010 12:09 PM

That is the authentication report. Please look in the authorization report.

0 Helpful

Chetan Kumar Ress
Level 4
Level 4
In response to Javier Henderson

‎05-18-2010 12:20 PM

I recommend you to modify the AAA command to Support Authorization & In ACS configure user privilege to 15 &

Give authorization of config terminal

aaa authentication login default group TACACS

aaa authentication enable default group TACACS

aaa authorization exec default group TACACS

aaa authorization config-commands

aaa authorization commands 0 default group TACACS

aaa authorization commands 1 default group TACACS

aaa authorization commands 5 default group TACACS

aaa authorization commands 15 default group TACACS

aaa accounting default group TACACS

0 Helpful

Joseph Dworak
Level 1
Level 1
In response to Chetan Kumar Ress

‎05-18-2010 12:50 PM

I'm getting closer:  THANK YOU FOR ALL YOUR HELP SO FAR!!!!  I'm sending this but also looking into the failure reason.  I'm a n00b at this version . . . working to get off a Win Radius . . .

Here is the latest authorization report:

Status:

Failed

Failure Reason:

13025 Command failed to match a Permit rule

Logged At:

May 18, 2010 2:42 PM

ACS Time:

May 18, 2010 2:42 PM

ACS Instance:

NAWDM1ACS-A01-DC03

Authentication Method:

None

Authentication Type:

Header Privilege Level:

0

Command Set:

[ CmdAV=enable  ]

User

User Name:

abc123

Remote Address:

Network Device

Network Device Name:

TestPrintroom3750

Netwok Device Group:

Device Type:All Device Types:Switches:West, Location:All Locations

Device IP Address:

10.32.128.9

Access Policy

Access Service:

Default Device Admin

Identity Store:

Selected Shell Profile:

Matched Command Set:

Selected Command Set:

DenyAllCommands

Active Directory Domain:

Identity Group:

All Groups:Administrators:NetEng

Access Service Selection Matched Rule:

Rule-2

Identity Policy Matched Rule:

Default

Selected Identity Stores:

Query Identity Stores:

Selected Query Identity Store:

Group Mapping Policy Matched Rule:

Authorization Policy Matched Rule:

NetEng

Authorization Exception Policy Matched Rule:

Other

ACS Session ID:

NAWDM1ACS-A01-DC03/63492254/359

Author Reply Status:

Other Attributes:

ACSVersion=acs-5.1.0.44-B.2347
ConfigVersionId=38
Device Port=22378
Protocol=Tacacs
Type=Authorization
Service=None
Port=tty1
Remote-Address=10.32.128.26
Service-Argument=shell
AuthenticationIdentityStore=Internal Users
AuthenticationMethod=Lookup
SelectedAuthenticationIdentityStores=Internal Users
UserIdentityGroup=IdentityGroup:All Groups:Administrators:NetEng
0 Helpful

Chetan Kumar Ress
Level 4
Level 4
In response to Joseph Dworak

‎05-19-2010 05:02 AM

Dear Joseph

Configuring AAA  with ACS is not so complicated.

Please follow the below steps :

1] Create Loopback Add in router for Management & Communication with ACS Server.

2] Add loopback address in ACS server with Pre-Shared Key with TACACS+ protocol & check mark frist option. ( As below you can see some option that you need to select or check mark)

3] If you are using loopback address then user ip tacacs source interface looback(number)

4] Configure AAA In router but after adding the loopback Ip address in ACS that you had configured in router for management.

5] Create a group in ACS for different privilege access & in that group you can see authorization section , were you need to give authorization with initial   command.

For Example : Create an group and give privilege access of level 15 & in authorization section give command conf t and add in permit list.

And as you shared tha AAA command , I Personaly not recommend to use that one becasue it will not work when your ACS server will fail.

With TACACS group add local also , So if ACS will fail then you can login with local user.

Regards

Chetan kumar

0 Helpful
Customers Also Viewed These Support Documents