cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4039
Views
9
Helpful
4
Replies

ACS 5.2 - Command set is empty "[ CmdAV= ]"

brunosredes
Level 1
Level 1

Hello,

I have a problem with the ACS 5.2 configuration: I am trying to use the AAA authorization to centralize privileges and commands but only the privilege level is sent to router, the command set aren't sent.

The test cenary is this:

  • ACS 5.2
  • Router 2900 family IOS 15.0

The ACS is configured with:

Shell Profiles (to match with a privilege level), Command Sets (with the command list), Service Selection Rules (to set to one service) and Authorization (to assign one shell profile and one command set).

The router is configured with the follows commands:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization config-commands

aaa authorization exec default group tacacs+

aaa authorization commands 5 default group tacacs+

aaa authorization commands 10 default group tacacs+

aaa authorization configuration default group tacacs+

aaa session-id common

tacacs-server host xxxxxxxxxxx

tacacs-server key xxxxxxxxxxx

Troubleshoot:

  • In the reports (AAA Protocol > TACACS+ Authorization) the term "[ CmdAV= ]" is empty, no item was selected;

aaa log.png

  • In the router the privilege level is loaded, only the command set aren't:
    • Router#show privilege
    • Current privilege level is 15
  • debug aaa authorization:
    • Jan 16 12:56:28.549: AAA/BIND(000000F2): Bind i/f
    • Jan 16 12:56:30.317: AAA/AUTHOR (0xF2): Pick method list 'default'
    • Jan 16 12:56:30.333: AAA/AUTHOR/EXEC(000000F2): processing AV cmd=
    • Jan 16 12:56:30.333: AAA/AUTHOR/EXEC(000000F2): processing AV priv-lvl=5
    • Jan 16 12:56:30.333: AAA/AUTHOR/EXEC(000000F2): Authorization successful

Can anyone help me please?

Sorry for my english,

Thanks,