Authorization in ACS 5.2

marcelnjkoks
Level 1

In ACS 5.2, when I add a custom shell profile to a rule in an authorization policy (used in a TACACS access service) it seems to be skipped.

I can see the rule is hit because the hit count number increases (it hits because of the group ID), and when I set the shell profile to deny access (as a test), access is actually rejected. So I know the rule is hit, but anything I put in my custom shell profile at the common tasks tab (like an auto command or default/maximum privilege level) is not used.

The same goes for command sets. When I add the set 'deny all commands' the user is still able to execute all commands, although the rule is hit based on the group ID the user belongs to.

I must be doing something wrong, but I can't find my mistake.

16 Replies

Hi Marc,

I resolved my issue. Apparently it was an issue with my AAA configs on the router/switch side.

It is now working perfect.

Please send me the version 5 patch in the meantime.

My configs are as below;

aaa new-model
!
! TACACS+ server group used by every method list below
aaa group server tacacs+ AAA_CLUSTER
server x.x.1.6
server x.x.1.7
!
! login authentication: TACACS+ first, local database if the servers do not answer
aaa authentication login AUTH_E group AAA_CLUSTER local
aaa authorization console
! exec (shell profile) and command authorization sent to ACS
aaa authorization exec default group AAA_CLUSTER none
aaa authorization commands 0 default group AAA_CLUSTER local
aaa authorization commands 15 default group AAA_CLUSTER local
!
ip tacacs source-interface Loopback100
tacacs-server host x.x.1.6 key MyKey
tacacs-server host x.x.1.7 key MyKey
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication AUTH_E
line aux 0
line vty 0 4
login authentication AUTH_E
line vty 5 15
login authentication AUTH_E
!

Got it to work today.

Apparently I had to put my authorization command on the VTY as well.

Looks a little strange, but it works.
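As an added example (not code from the thread or from Cisco), a small Python audit of an IOS AAA fragment like the one posted above: it checks that each `line` section resolves to an exec and a privilege-15 command authorization list (explicit or `default`, which is what the VTY fix in this thread is about) and flags method lists whose last method is `none`, since those fall open when the TACACS+ servers are unreachable. The sample config is constructed from the posted one with its placeholder addresses.

```python
import re

# Constructed sample based on the AAA fragment posted in the thread.
SAMPLE_CONFIG = """
aaa authorization exec default group AAA_CLUSTER none
aaa authorization commands 0 default group AAA_CLUSTER local
aaa authorization commands 15 default group AAA_CLUSTER local
line vty 0 4
 login authentication AUTH_E
line vty 5 15
 login authentication AUTH_E
"""

AUTHZ_RE = re.compile(r"^aaa authorization (exec|commands \d+) (\S+) (.+)$")

def parse_authz_lists(config):
    """Map (kind, list_name) -> methods, e.g. ('exec', 'default') -> ['group', 'AAA_CLUSTER', 'none']."""
    lists = {}
    for line in config.splitlines():
        m = AUTHZ_RE.match(line.strip())
        if m:
            lists[(m.group(1), m.group(2))] = m.group(3).split()
    return lists

def parse_lines(config):
    """Map each 'line ...' section to the authorization lists it applies explicitly."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("line "):
            current = line[5:]
            sections[current] = {}
        elif current and line.startswith("authorization "):
            parts = line.split()  # 'authorization exec NAME' / 'authorization commands 15 NAME'
            kind = "exec" if parts[1] == "exec" else "commands " + parts[2]
            sections[current][kind] = parts[-1]
    return sections

def audit(config):
    """Flag fail-open method lists and lines with no usable exec/command authorization."""
    findings, lists = [], parse_authz_lists(config)
    for (kind, name), methods in lists.items():
        if methods[-1] == "none":
            findings.append(f"{kind} list '{name}' falls open: last method is 'none'")
    for line_name, applied in parse_lines(config).items():
        for kind in ("exec", "commands 15"):
            name = applied.get(kind, "default")  # lines without an explicit list use 'default'
            if (kind, name) not in lists:
                findings.append(f"line {line_name}: no '{kind}' authorization list ('{name}')")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports only the `none` fallback on the exec list; a VTY that references a named authorization list which is not defined is reported as missing.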