ACS VMS Authorization

dan.reynolds
Level 1

(Also posted in network management)

We are running the latest version of ACS, VMS and Cisco Works. The problem that we are having is that we can authenticate off of the ACS server but when we try to edit anything on the VMS it states that we do not have the appropriate permissions to edit.

I have it set up for both users and the group to have System Admin rights in the ACS under the registered services. I can see in the ACS logs that the user authenticates using TACACS+ and logs into the service but then fails to get authorization to edit the settings. There is no error or failed authorization attempt in the failed attempts log on the ACS.

If I remove permissions by checking “none” in the user setup on the ACS, in the failed attempts log it generates a:

“Author failed

service=idscfg authorize-device=172.30.xxx.xxx cmd*admin_modify”

“Author failed

service=idscfg authorize-device=172.30.xxx.xxx cmd*deployment_view cmd*deployment_deploy cmd*deployment_approve cmd*deployment_generate”

The TACACS+ Administration logs show:

reyxxxxx xxx users Login 1 idscfg

If I give them System Admin rights in the ACS I get the same TACACS+ administration log entry but NO entries in the Failed Attempts log. The VMS then says that the user does not have the appropriate permissions to edit the group. Would it not have the same Failed Attempt log entry if it was failing to get authorization from ACS?

Any advice?

1 Reply

pradeepde
Level 5

The following link has more information on VMS database restoration.

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_3/winig2_3/qsch4.pdf