ACS 5.2 command set policy not working on Console!!

Hello,

I configured my Cisco ACS 5.2 using a command set policy and providing shell access 15.

I allow the user only the “show *” command.

It works fine with Telnet. The user group cannot execute any command apart from “show *”.

But when I connect to the device using the console, the user group has full permission on the devices.

I believe the command set policy is not working on the console.

Please help me understand: is this normal behavior, or do I need to make some changes in ACS or on the network devices?

My network device configuration is as below:

------------------------------------------------------------------------------
tacacs-server host 10.x.x.x key test123
tacacs-server host 10.y.y.y key test123
tacacs-server timeout 1
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
------------------------------------------------------------------------------

Accepted Solution

mauzamor
Level 1

Hi Kapildev,

By default, "authorization" doesn't affect the console port; you will have to enter "aaa authorization console" to get the same behavior on the serial/console port as in your SSH/Telnet connection.

Give it a try and let me know how it goes.
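
An added example, not part of the original thread and not Cisco tooling: a small Python audit that flags a saved IOS configuration in which AAA authorization method lists are defined but "aaa authorization console" is absent, so the console bypasses them as described in the answer above. The function names are hypothetical and the sample input is constructed from the AAA lines in the question.

```python
import re

# Constructed sample: the AAA lines from the question (TACACS+ server lines omitted).
SAMPLE_CONFIG = """\
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
"""

CONSOLE_CMD = "aaa authorization console"
# Matches exec and per-level command authorization method lists only.
AUTHZ_RE = re.compile(r"^aaa authorization (exec|commands \d+) (\S+) ")


def audit_console_authorization(config_text):
    """Return the authorization lines the console bypasses (empty list if none)."""
    stripped = [ln.strip() for ln in config_text.splitlines()]
    # Exact match, so a negated "no aaa authorization console" does not count.
    if CONSOLE_CMD in stripped:
        return []
    return [ln for ln in stripped if AUTHZ_RE.match(ln)]


def remediate(config_text):
    """Return the config with the console command added after the last
    authorization method list; unchanged if nothing is bypassed."""
    lines = config_text.splitlines()
    if not audit_console_authorization(config_text):
        return config_text
    last = max(i for i, ln in enumerate(lines) if AUTHZ_RE.match(ln.strip()))
    lines.insert(last + 1, CONSOLE_CMD)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for line in audit_console_authorization(SAMPLE_CONFIG):
        print("not enforced on console:", line)
    print(remediate(SAMPLE_CONFIG), end="")
```
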
