Dears
I configured the ASA to authenticate any FTP, TFTP or Telnet traffic passing through to the outside server and router, but I want to authorize one specific user to access Telnet on the outside router and another to access the SMTP server. How do I do this via TACACS? I tried to configure the ACS users as below:
USER1

USER2
Per-user command authorization: checked
Unmatched Cisco IOS commands: deny
Command: checked
TCP/25
Unlisted arguments: permit
and the ASA as below:
access-list AP extended permit tcp any any eq smtp
access-list AP extended permit tcp any any eq telnet
access-list AUTH extended permit tcp any any eq telnet
access-list AUTH extended permit udp any any eq tftp
access-list AUTH extended permit tcp any any eq ftp
aaa authentication match AUTH inside TAC
aaa authorization match AP inside TAC
virtual http 10.22.22.5
virtual telnet 10.22.22.5
But since I used authorization with these ACS settings for USER1 and USER2, when I telnet to the virtual telnet address to authenticate I get "AUTHORIZATION DENIED", although the ASA show uauth output is as below:
Rack1ASA1(config)# sh uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          2
user 'user1' at 11.11.11.200, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
The overall result is that Telnet and SMTP are not authorized.
When I set Unmatched Cisco IOS commands: permit, it authorizes everything, even if it is not permitted on the ACS, as below:
Rack1ASA1(config)# sh uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          2
user 'user2' at 11.11.11.200, authorized to:
   port 10.22.22.5/telnet 10.0.0.100/tcp/25 10.0.0.100/http
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
Thank you for your cooperation.
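The two `show uauth` outputs quoted above are the only evidence of what the cut-through proxy actually granted: the first session is merely "authenticated" (no authorization list, matching the AUTHORIZATION DENIED symptom), the second is authorized to more than the intended tcp/25. The following script is an added example, not part of the original post or of any Cisco tool: it parses `show uauth` text, normalises each `host/service` entry to a (host, protocol, port) tuple, and compares the result against an intended per-user policy so that both under-authorization (missing services) and over-authorization (extra services) are flagged. The sample output, the policy table and the 10.0.0.100 router/server addresses are constructed for the example, modelled on the values in the post.

```python
"""Audit Cisco ASA `show uauth` output against an intended per-user policy.

Added example (not from the original post). Parses the user blocks printed by
`show uauth`, resolves service names to protocol/port, and reports which
users are authenticated-only and which are authorized for more or fewer
destinations than policy intends.
"""
import re
from typing import Dict, List, Set, Tuple

Service = Tuple[str, str, int]  # (destination host, protocol, port)

# Constructed sample, modelled on the two outputs quoted in the post.
SAMPLE_UAUTH = """\
Rack1ASA1(config)# sh uauth
                        Current    Most Seen
Authenticated Users       2          2
Authen In Progress        0          2
user 'user1' at 11.11.11.200, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
user 'user2' at 11.11.11.201, authorized to:
   port 10.22.22.5/telnet 10.0.0.100/tcp/25 10.0.0.100/http
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
"""

# Constructed intent from the post: user1 -> Telnet to the outside router,
# user2 -> SMTP to the mail server. 10.0.0.100 is an assumed address.
POLICY: Dict[str, List[Service]] = {
    "user1": [("10.0.0.100", "tcp", 23)],
    "user2": [("10.0.0.100", "tcp", 25)],
}

# Well-known names the ASA prints instead of proto/port numbers.
SERVICE_PORTS = {"ftp": ("tcp", 21), "telnet": ("tcp", 23), "smtp": ("tcp", 25),
                 "http": ("tcp", 80), "https": ("tcp", 443), "tftp": ("udp", 69)}

USER_RE = re.compile(
    r"^user '(?P<user>[^']+)' at (?P<ip>[\d.]+), "
    r"(?P<state>authenticated|authorized to:)\s*$")


def _parse_service(token: str) -> Tuple[str, int]:
    """Turn 'telnet', 'http' or 'tcp/25' into (protocol, port)."""
    if "/" in token:
        proto, port = token.split("/", 1)
        return proto.lower(), int(port)
    if token.lower() in SERVICE_PORTS:
        return SERVICE_PORTS[token.lower()]
    raise ValueError(f"unknown service name in uauth output: {token}")


def parse_uauth(text: str) -> Dict[str, dict]:
    """Return {user: {"ip", "state", "authorized": [Service, ...]}}."""
    sessions: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m:
            current = {"ip": m["ip"],
                       "state": "authenticated" if m["state"] == "authenticated"
                       else "authorized",
                       "authorized": []}
            sessions[m["user"]] = current
            continue
        # "port A/svc B/svc ..." lines belong to the most recent user block.
        if current is not None and line.startswith("port "):
            for entry in line.split()[1:]:
                host, service = entry.split("/", 1)
                proto, port = _parse_service(service)
                current["authorized"].append((host, proto, port))
    return sessions


def is_authorized(sessions: Dict[str, dict], user: str,
                  host: str, proto: str, port: int) -> bool:
    """True only if the ASA lists an explicit grant for this tuple."""
    rec = sessions.get(user)
    return rec is not None and (host, proto, port) in rec["authorized"]


def authenticated_only(sessions: Dict[str, dict]) -> List[str]:
    """Users that passed authentication but hold no authorization grants."""
    return sorted(u for u, r in sessions.items() if r["state"] == "authenticated")


def compare_to_policy(sessions: Dict[str, dict], policy: Dict[str, List[Service]],
                      ignore_hosts: Set[str] = frozenset()) -> Dict[str, dict]:
    """Per user: services policy wants but the ASA lacks, and the reverse.

    ignore_hosts lets the virtual telnet/http address used for the login
    itself be excluded, since that grant is expected for every user.
    """
    report = {}
    for user, wanted in policy.items():
        granted = [s for s in sessions.get(user, {"authorized": []})["authorized"]
                   if s[0] not in ignore_hosts]
        report[user] = {"missing": [s for s in wanted if s not in granted],
                        "extra": [s for s in granted if s not in wanted]}
    return report


if __name__ == "__main__":
    sess = parse_uauth(SAMPLE_UAUTH)
    print("authenticated only:", authenticated_only(sess))
    for user, r in compare_to_policy(sess, POLICY, {"10.22.22.5"}).items():
        print(user, "missing:", r["missing"], "extra:", r["extra"])
```

Run against a real `show uauth` capture, the "missing" list is what a user will be denied despite having logged in, and the "extra" list is what an overly permissive ACS rule (for instance "unmatched commands: permit") has silently granted.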