ACS authorization

abukuru95
Level 3

Hi there,

I have an issue with ACS 5.3. I have configured different user groups and different devices, integrated it with Active Directory, and all seems to be working well.

Internal users and AD users are successfully authenticated and the authorization policies are applied well (read only or full access).

The problem is with a few firewall devices. I have an account with full access to devices, but when I connect, I cannot access the enable commands.

When I look deep into the logs, I see that the default "deny all" command set is applied, as shown in the diagram below.

I cannot find where to associate users with another command set.

I can successfully associate user groups with a shell profile but not a command set. Does anybody out there know where this can be done?

Thanks in advance

Accepted Solutions

mauzamor
Level 1

Hi there,

If you could send us screenshots of your Device-Administration/Authorization settings, it will be easier to find the root of the problem.

This could be related to an incorrect Access Policies rules configuration, or when you are connecting with the firewalls you are hitting an Access Policy that doesn't have the Command Sets option enabled. Check if your "Device-Administration" rule has the Command Set option enabled:

Hi Mauricio,

I actually just did what you are sending highlighted in red. I added the command set using the customizable button and it is now working.

I guess when a device is configured for authorization, the command set must be included?

Anyway, thanks for the help and fast reply.

Yep, that's correct. Every time that you involve Command Authorization in your AAA clients, you will need to send a Command Set back to the client (IOS, firewall, etc.).

Glad I could help, enjoy the weekend!