cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

2531
Views
9
Helpful
4
Replies
Highlighted
Beginner

ACS 5.2 - Command set is empty "[ CmdAV= ]"

Hello,

I have a problem with the ACS 5.2 configuration: I am trying to use the AAA authorization to centralize privileges and commands but only the privilege level is sent to router, the command set aren't sent.

The test cenary is this:

  • ACS 5.2
  • Router 2900 family IOS 15.0

The ACS is configured with:

Shell Profiles (to match with a privilege level), Command Sets (with the command list), Service Selection Rules (to set to one service) and Authorization (to assign one shell profile and one command set).

The router is configured with the follows commands:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization config-commands

aaa authorization exec default group tacacs+

aaa authorization commands 5 default group tacacs+

aaa authorization commands 10 default group tacacs+

aaa authorization configuration default group tacacs+

aaa session-id common

tacacs-server host xxxxxxxxxxx

tacacs-server key xxxxxxxxxxx

Troubleshoot:

  • In the reports (AAA Protocol > TACACS+ Authorization) the term "[ CmdAV= ]" is empty, no item was selected;

aaa log.png

  • In the router the privilege level is loaded, only the command set aren't:
    • Router#show privilege
    • Current privilege level is 15
  • debug aaa authorization:
    • Jan 16 12:56:28.549: AAA/BIND(000000F2): Bind i/f
    • Jan 16 12:56:30.317: AAA/AUTHOR (0xF2): Pick method list 'default'
    • Jan 16 12:56:30.333: AAA/AUTHOR/EXEC(000000F2): processing AV cmd=
    • Jan 16 12:56:30.333: AAA/AUTHOR/EXEC(000000F2): processing AV priv-lvl=5
    • Jan 16 12:56:30.333: AAA/AUTHOR/EXEC(000000F2): Authorization successful

Can anyone help me please?

Sorry for my english,

Thanks,

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

No I don't think it can be automatically loaded from ACS.

Instead of giving users priv level 5, you can give priv level 15 then you don't have to configure privilege commands on the router, because all commands are available to priv level 15 at the router. So you only need to configure commands set on ACS.

zhenning

View solution in original post

4 REPLIES 4
Highlighted
Enthusiast

If you assign user priv level 5, you should add allowed commands to priv level 5 at the router using the 'privilege' commands. If the command is not permitted for priv level 5 at the router, the router will not ask ACS for command authorization.

Pls rate the post if it is helpful.

Zhenning

Highlighted

Ok. I did understand, but is there any way of automaticaly load this from ACS?

Thanks,

Highlighted

No I don't think it can be automatically loaded from ACS.

Instead of giving users priv level 5, you can give priv level 15 then you don't have to configure privilege commands on the router, because all commands are available to priv level 15 at the router. So you only need to configure commands set on ACS.

zhenning

View solution in original post

Highlighted

Thank you. I liked the idea and will do so.