Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4012
Views
9
Helpful
4
Replies

ACS 5.2 - Command set is empty "[ CmdAV= ]"

Go to solution
brunosredes
Level 1
Level 1

‎01-16-2012 05:39 AM - edited ‎03-10-2019 06:43 PM

Hello,

I have a problem with the ACS 5.2 configuration: I am trying to use the AAA authorization to centralize privileges and commands but only the privilege level is sent to router, the command set aren't sent.

The test cenary is this:

  • ACS 5.2
  • Router 2900 family IOS 15.0

The ACS is configured with:

Shell Profiles (to match with a privilege level), Command Sets (with the command list), Service Selection Rules (to set to one service) and Authorization (to assign one shell profile and one command set).

The router is configured with the follows commands:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization config-commands

aaa authorization exec default group tacacs+

aaa authorization commands 5 default group tacacs+

aaa authorization commands 10 default group tacacs+

aaa authorization configuration default group tacacs+

aaa session-id common

tacacs-server host xxxxxxxxxxx

tacacs-server key xxxxxxxxxxx

Troubleshoot:

  • In the reports (AAA Protocol > TACACS+ Authorization) the term "[ CmdAV= ]" is empty, no item was selected;

aaa log.png

  • In the router the privilege level is loaded, only the command set aren't:
    • Router#show privilege
    • Current privilege level is 15
  • debug aaa authorization:
    • Jan 16 12:56:28.549: AAA/BIND(000000F2): Bind i/f
    • Jan 16 12:56:30.317: AAA/AUTHOR (0xF2): Pick method list 'default'
    • Jan 16 12:56:30.333: AAA/AUTHOR/EXEC(000000F2): processing AV cmd=
    • Jan 16 12:56:30.333: AAA/AUTHOR/EXEC(000000F2): processing AV priv-lvl=5
    • Jan 16 12:56:30.333: AAA/AUTHOR/EXEC(000000F2): Authorization successful

Can anyone help me please?

Sorry for my english,

Thanks,

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
zhenningx
Level 4
Level 4
In response to brunosredes

‎01-16-2012 07:45 AM

No I don't think it can be automatically loaded from ACS.

Instead of giving users priv level 5, you can give priv level 15 then you don't have to configure privilege commands on the router, because all commands are available to priv level 15 at the router. So you only need to configure commands set on ACS.

zhenning

View solution in original post

4 Replies 4

Go to solution
zhenningx
Level 4
Level 4

‎01-16-2012 06:48 AM

If you assign user priv level 5, you should add allowed commands to priv level 5 at the router using the 'privilege' commands. If the command is not permitted for priv level 5 at the router, the router will not ask ACS for command authorization.

Pls rate the post if it is helpful.

Zhenning

Go to solution
brunosredes
Level 1
Level 1
In response to zhenningx

‎01-16-2012 07:24 AM

Ok. I did understand, but is there any way of automaticaly load this from ACS?

Thanks,

0 Helpful

Go to solution
zhenningx
Level 4
Level 4
In response to brunosredes

‎01-16-2012 07:45 AM

No I don't think it can be automatically loaded from ACS.

Instead of giving users priv level 5, you can give priv level 15 then you don't have to configure privilege commands on the router, because all commands are available to priv level 15 at the router. So you only need to configure commands set on ACS.

zhenning

Go to solution
brunosredes
Level 1
Level 1
In response to zhenningx

‎01-16-2012 09:02 AM

Thank you. I liked the idea and will do so.

0 Helpful
Customers Also Viewed These Support Documents