ACS 5.2 Command Authorization

awatson20 · ‎02-17-2011

We are using command authorization on our ios devices with cisco secure acs 5.2 We have local accounts defined on our gear in the event that the ACS server is unavailable. However, when we test this, we are able to login to the device, but any command issued at that point with the local account is denied. I am sure there is an additional command required. Any ideas?

Yudong Wu · ‎02-17-2011

In your "aaa authorization command" configuration, did you add local as a fallback method?

When you define the local user account on IOS router, did you set privilege to 15?

awatson20 · ‎02-17-2011

Yes. Below is what the configuration looks like.

aaa authentication login default group tacacs+ local
aaa authentication login local_auth local
aaa authorization config-commands
aaa authorization exec default group Admin local if-authenticated
aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa accounting exec default start-stop group Admin
aaa accounting network default start-stop group Admin

This is the message I get when I attempt to go in enable mode.

switch>en

% Authorization failed.

switch>

Yudong Wu · ‎02-17-2011

You need change the following commands

aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+

to

aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

when you define the user account on the router, you need add it like the following

user password privilege <-- use 15 as privilege number if you would like to let user to use all commands.