ACS 5.3 and Command Auth

Patrick Connor
Level 1

I am rolling out the latest 5.3.0.40.6 patched ACS 1121 in a redundant pair mode. I have built user-based auth without issue but am having an issue with command auth. Once I add command auth to the test router and modify the shell profile and command set for privilege 1 and 15, none of the commands are authenticated and the report indicates the "DenyCommand" default. I have followed the user guide and the step-by-step from Security Solutions (link below).

I still get no joy. Also, Cisco changed the GUI and the way command sets are built.

http://www.security-solutions.co.za/Cisco-ACS-5.2-Role-Based-Authentication-Authorization-For-Different-Privilege-Levels-Configuration-Example.html

Any help would be appreciated.

Patrick Connor
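For reference, the router-side AAA configuration that the command authorization described in this post depends on, as an added example that is not part of the original thread. The ACS addresses, the shared secret and the server-group name are assumptions; the privilege levels (1 and 15) and the TACACS+ service match what the post describes.

```cisco
! Added example, not from the original thread. Assumed values:
! ACS pair 192.0.2.11 / 192.0.2.12, shared secret "acs-shared-secret",
! server group ACS-PAIR. Replace them with your own.
aaa new-model
!
tacacs server ACS-PRIMARY
 address ipv4 192.0.2.11
 key acs-shared-secret
tacacs server ACS-SECONDARY
 address ipv4 192.0.2.12
 key acs-shared-secret
!
aaa group server tacacs+ ACS-PAIR
 server name ACS-PRIMARY
 server name ACS-SECONDARY
!
! Login and exec authorization (the shell profile's privilege level)
! come from ACS, with local fallback for the console if ACS is down.
aaa authentication login default group ACS-PAIR local
aaa authorization exec default group ACS-PAIR local
!
! Per-command authorization for the two levels the post's command sets
! cover. Each command typed at the prompt is sent to ACS, which answers
! according to the command set the authorization policy selected.
aaa authorization commands 1 default group ACS-PAIR if-authenticated
aaa authorization commands 15 default group ACS-PAIR if-authenticated
! Commands entered in configuration mode are authorized too (on by
! default; shown so it is not disabled by accident).
aaa authorization config-commands
!
! Per-command accounting gives an audit trail of what was run.
aaa accounting commands 1 default start-stop group ACS-PAIR
aaa accounting commands 15 default start-stop group ACS-PAIR
!
line vty 0 4
 transport input ssh
```

The `if-authenticated` fallback keeps the device manageable when both ACS nodes are unreachable, at the cost of permitting every command to an already-authenticated user for the duration of the outage; `none` or `local` are the alternatives, each a different trade-off. To see what the router sends and what ACS returns for a single command, `debug aaa authorization` and `debug tacacs` on the router show the per-command request and the `cmd=` / `cmd-arg=` attributes that the ACS command set is matched against.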


4 Replies

Tarik Admani
VIP Alumni

Patrick,

Can you please post a screenshot of the authorization rule, and the command set that you configured?

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik, thanks for the response. I cannot get screenshots but can describe the option sets.

I created 2 command sets:

Pri-15 has only the "Permit any command that is not in the table below" check box checked.

Pri-1 has a single permit "show" with no arguments.

The authorization policy has 2 rules:

rule 1: identity group "Network Admin", any, any, any, Pri-15

rule 2: identity group "Network Monitor", any, any, any, Pri-1

Service selection rule: rule 1, condition (match System:Protocol match TACACS), result Default Device Admin, hit count 98.

The report indicated a FAIL ("13025 Command failed to match a Permit rule") and Selected Command Set = DenyAllCommands.

So it looks like the command set is not being recognized, but I cannot see why.

Thanks,

Pat 

Patrick,

Can you check this doc to see if the command set option is enabled? It is hidden by default (that is what I wanted to confirm).

https://supportforums.cisco.com/docs/DOC-26768

Thanks,

Tarik Admani
*Please rate helpful posts*

It was not enabled. Thank you very much for the assistance. I have added the "Command Set" to the customized results and will test.