Hello,
I have a problem with the ACS 5.2 configuration: I am trying to use AAA authorization to centralize privileges and commands, but only the privilege level is sent to the router; the command sets aren't sent.
The test scenario is this:
- ACS 5.2
- Router 2900 family IOS 15.0
The ACS is configured with:
Shell Profiles (to match with a privilege level), Command Sets (with the command list), Service Selection Rules (to set to one service) and Authorization (to assign one shell profile and one command set).
The router is configured with the following commands:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+
aaa authorization commands 5 default group tacacs+
aaa authorization commands 10 default group tacacs+
aaa authorization configuration default group tacacs+
aaa session-id common
tacacs-server host xxxxxxxxxxx
tacacs-server key xxxxxxxxxxx
Troubleshoot:
- In the reports (AAA Protocol > TACACS+ Authorization) the term "[ CmdAV= ]" is empty, no item was selected;
- In the router the privilege level is loaded, only the command sets aren't:
- Router#show privilege
- Current privilege level is 15
- debug aaa authorization:
- Jan 16 12:56:28.549: AAA/BIND(000000F2): Bind i/f
- Jan 16 12:56:30.317: AAA/AUTHOR (0xF2): Pick method list 'default'
- Jan 16 12:56:30.333: AAA/AUTHOR/EXEC(000000F2): processing AV cmd=
- Jan 16 12:56:30.333: AAA/AUTHOR/EXEC(000000F2): processing AV priv-lvl=5
- Jan 16 12:56:30.333: AAA/AUTHOR/EXEC(000000F2): Authorization successful
Can anyone help me please?
Sorry for my English,
Thanks,
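
An added example, not part of the original post: a small audit of the configuration and debug output quoted above. It assumes standard IOS behaviour, where the router does not download a command set but asks the TACACS+ server about each command, and only for commands whose privilege level has an `aaa authorization commands <level>` line; the function names are hypothetical.

```python
import re

# Router configuration lines quoted in the post (host and key lines omitted).
ROUTER_CONFIG = """\
aaa new-model
aaa authorization config-commands
aaa authorization exec default group tacacs+
aaa authorization commands 5 default group tacacs+
aaa authorization commands 10 default group tacacs+
aaa authorization configuration default group tacacs+
"""

# "debug aaa authorization" lines quoted in the post.
DEBUG_LOG = """\
Jan 16 12:56:30.317: AAA/AUTHOR (0xF2): Pick method list 'default'
Jan 16 12:56:30.333: AAA/AUTHOR/EXEC(000000F2): processing AV cmd=
Jan 16 12:56:30.333: AAA/AUTHOR/EXEC(000000F2): processing AV priv-lvl=5
Jan 16 12:56:30.333: AAA/AUTHOR/EXEC(000000F2): Authorization successful
"""

CMD_AUTHOR = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$", re.M)
AV_PAIR = re.compile(r"AAA/AUTHOR/(\w+)\([0-9A-Fa-f]+\): processing AV ([\w-]+)=(.*)$", re.M)

def command_author_levels(config):
    """Map each level that has an 'aaa authorization commands' line to its methods."""
    return {int(lvl): methods.strip() for lvl, _name, methods in CMD_AUTHOR.findall(config)}

def exec_av_pairs(log):
    """AV pairs returned for the shell (EXEC) authorization, not for any command."""
    return {key: val.strip() for phase, key, val in AV_PAIR.findall(log) if phase == "EXEC"}

def uncovered_levels(config, levels_in_use):
    """Levels whose commands the router never submits for authorization."""
    covered = command_author_levels(config)
    return sorted(lvl for lvl in set(levels_in_use) if lvl not in covered)

if __name__ == "__main__":
    avs = exec_av_pairs(DEBUG_LOG)
    print("EXEC authorization AV pairs:", avs)
    # Assumption: 1 and 15 are the IOS default command levels; 5 comes from
    # priv-lvl in the debug output, 15 also from "show privilege" in the post.
    in_use = {1, 15, int(avs["priv-lvl"])}
    for lvl in uncovered_levels(ROUTER_CONFIG, in_use):
        print(f"level {lvl}: no 'aaa authorization commands {lvl}' line, "
              "commands at this level are not sent to the TACACS+ server")
```

The empty `cmd=` pair belongs to the shell authorization exchange itself; per-command requests would appear as separate authorization events once a command at a covered level is typed.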