ACS 5.3 and Command Auth

I am rolling out the latest 5.3.0.40.6 patched ACS 1121 in a redundant pair mode. I have built user-based auth without issue but am having an issue with command auth. Once I add command auth to the test router and modify the shell profile and command set for privilege 1 and 15, none of the commands are authorized and the report indicates the "DenyCommand" default. I have followed the user guide and the step-by-step from Security Solutions (link below).

I still get no joy. Also, Cisco changed the GUI and the way command sets are built.

(http://www.security-solutions.co.za/Cisco-ACS-5.2-Role-Based-Authentication-Authorization-For-Different-Privilege-Levels-Configuration-Example.html)

Any help would be appreciated

Patrick Connor

Accepted solution

Patrick,

Can you check this doc to see if the command set option is enabled? It is hidden by default (that is what I wanted to confirm).

https://supportforums.cisco.com/docs/DOC-26768

Thanks,

Tarik Admani
*Please rate helpful posts*


4 Replies

Patrick,

Can you please post a screenshot of the authorization rule, and the command set that you configured?

Thanks,

Tarik Admani
*Please rate helpful posts*


Tarik, thanks for the response. I cannot get screenshots but can define the option sets.

I created 2 command sets:

Pri-15 has only the "permit all commands not in the table below" checkbox checked.

Pri-1 has a single permit "show" with no arguments.

The authorization policy has 2 rules:

Rule 1: identity group "network Admin", any, any, any -> Pri-15

Rule 2: identity group "network monitor", any, any, any -> Pri-1

Service selection rule: Rule 1, condition (match System:Protocol match TACACS), result Default Device Admin, hit count 98.

The report indicated a FAIL ("13025 Command failed to match a Permit rule") and Selected Command Set = DenyAllCommands.

So it looks like the command set is not being recognized, but I cannot see why.

Thanks,

Pat 
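To make the symptom in this thread concrete, here is a small Python model of how a TACACS+ command authorization request is evaluated against an ACS-style command set. It is an added illustration written for this page, not ACS code, and it assumes the following simplified semantics (not stated in the thread): rules in a set are checked in order and the first match wins; an empty argument pattern matches any arguments; an unmatched command falls through to the set's "permit any command not in the table" checkbox; and an authorization rule whose result carries no command set at all lands on the built-in DenyAllCommands. The two command sets and two policy rules from Pat's reply are reproduced, plus one extra ordered set (Pri-1-restricted, a constructed name) that goes beyond the thread to show how a deny entry with an argument pattern can sit in front of a broader permit.

```python
"""Simplified model of ACS 5.x TACACS+ command-set evaluation (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CommandRule:
    grant: str           # "permit" or "deny"
    command: str         # command keyword, e.g. "show"
    arguments: str = ""  # regex over the rest of the line; "" matches any arguments (assumption)


@dataclass
class CommandSet:
    name: str
    rules: List[CommandRule] = field(default_factory=list)
    permit_unmatched: bool = False  # "permit any command that is not in the table below"


def evaluate(command_set: Optional[CommandSet], line: str) -> Tuple[str, str]:
    """Return (decision, reason) for one command line sent by the router."""
    if command_set is None:
        # Rule result has no command set: ACS falls back to its built-in default.
        return "deny", "DenyAllCommands: authorization rule result carries no command set"
    tokens = line.split()
    if not tokens:
        return "deny", "empty command line"
    cmd, args = tokens[0].lower(), " ".join(tokens[1:])
    for rule in command_set.rules:  # first match wins
        if rule.command.lower() != cmd:
            continue
        if rule.arguments == "" or re.fullmatch(rule.arguments, args):
            return rule.grant, f"{command_set.name}: matched {rule.grant} {rule.command} {rule.arguments}".rstrip()
    if command_set.permit_unmatched:
        return "permit", f"{command_set.name}: permit any command not in the table"
    # Nothing matched and the checkbox is off: the failure code seen in the thread's report.
    return "deny", f"{command_set.name}: 13025 command failed to match a permit rule"


# Command sets as described in the thread
PRI_15 = CommandSet("Pri-15", permit_unmatched=True)
PRI_1 = CommandSet("Pri-1", rules=[CommandRule("permit", "show")])

# Constructed extension: deny one show sub-command, then permit the rest of show
PRI_1_RESTRICTED = CommandSet("Pri-1-restricted", rules=[
    CommandRule("deny", "show", r"running-config.*"),
    CommandRule("permit", "show"),
])


def authorize(policy: Dict[str, Optional[CommandSet]], identity_group: str, line: str) -> Tuple[str, str]:
    """policy maps identity group -> CommandSet; None models a rule whose result
    column for Command Set was never enabled, the root cause found in this thread."""
    if identity_group not in policy:
        return "deny", "no authorization rule matched; default rule applies"
    return evaluate(policy[identity_group], line)


# Policy as it behaved before the fix (Command Set result not part of the rule)
BROKEN_POLICY = {"network Admin": None, "network monitor": None}
# Policy after enabling the Command Set result column and selecting the sets
FIXED_POLICY = {"network Admin": PRI_15, "network monitor": PRI_1}


if __name__ == "__main__":
    for policy_name, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        for group, line in (("network Admin", "configure terminal"),
                            ("network monitor", "show running-config"),
                            ("network monitor", "configure terminal")):
            decision, reason = authorize(policy, group, line)
            print(f"[{policy_name}] {group:16} {line:22} -> {decision:6} ({reason})")
```

The model makes the thread's diagnosis visible: with the broken policy every command, even from the admin group, is denied with the DenyAllCommands default, which looks like a broken command set but is really a rule whose result never references one. It also shows that the fail-closed default is doing its job; the fix is to attach the intended command set to the rule, not to loosen the default.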


It was not enabled. Thank you very much for the assistance. I have added the "Command Set" to the customized Results and will test.