07-06-2012 12:00 PM - edited 03-10-2019 07:16 PM
Hi there,
I have an issue with ACS 5.3. I have configured different user groups and different devices, integrated it with Active Directory, and all seems to be working well.
Internal users and AD users are successfully authenticated and the authorization policies are applied well (read only or full access).
The problem is with a few firewall devices. I have an account with full access to devices, but when I connect, I cannot have access to the enable commands.
When I look deep into the logs, I see that the default deny all selected command set is applied as shown in the diagram below.
I cannot find where to associate users to another command set.
I can successfully associate user groups to a shell profile but not a command set. Does anybody out there know where this can be done?
Thanks in advance
07-06-2012 12:57 PM
Hi there,
If you could send us screenshots of your Device-Administration/Authorization settings it will be easier to find the root of the problem.
This could be related to an incorrect Access Policies rules configuration, or when you are connecting with the firewalls you are hitting an Access Policy that doesn't have the Command Sets option enabled. Check if your "Device-Administration" rule has the Command Set option enabled:
07-06-2012 01:02 PM
Hi Mauricio,
I actually just did what you are sending highlighted in red. I added the command set using the customizable button and it is now working.
I guess when a device is configured for authorization, the command set must be included?
Anyway, thanks for the help and fast reply.
07-06-2012 01:07 PM
Yep, that's correct. Every time that you involve Command Authorization in your AAA clients, you will need to send a Command Set back to the client (IOS, firewall, etc.).
Glad I could help, enjoy the weekend!