Authorization issues.

jlhainy
Level 2

I have an ACS 3.2.3 server, trying to get authorization working. I have 2 device groups and 2 user groups. I want user group 1 to have full enable access to both device groups, but user group 2 to have only enable access to device group 2. User group 1 should not have any access to enable mode with any devices in device group 1. I have this working on an HP switch, but not Cisco switches or routers, thus I am thinking there is an issue in my Cisco device config.

I have enabled aaa debug and see the following:

21:43:57: AAA/AUTHOR/EXEC: tty1 (1938241420) user='jaredh'
21:43:57: tty1 AAA/AUTHOR/EXEC (1938241420): send AV service=shell
21:43:57: tty1 AAA/AUTHOR/EXEC (1938241420): send AV cmd*
21:43:57: tty1 AAA/AUTHOR/EXEC (1938241420): found list "default"
21:43:57: tty1 AAA/AUTHOR/EXEC (1938241420): Method=tacacs+ (tacacs+)
21:43:57: AAA/AUTHOR/TAC+: (1938241420): user=jaredh
21:43:57: AAA/AUTHOR/TAC+: (1938241420): send AV service=shell
21:43:57: AAA/AUTHOR/TAC+: (1938241420): send AV cmd*
21:43:57: AAA/AUTHOR (1938241420): Post authorization status = FAIL
21:43:57: AAA/AUTHOR/EXEC: Authorization FAILED
21:43:59: AAA/MEMORY: free_user (0x80D2D8D4) user='jaredh' ruser='' port='tty1' rem_addr='205.124.63.186' authen_type=ASCII service=LOGIN priv=1

On the ACS box, the log reports: Service denied service=shell cmd*

Any assistance would be appreciated.

Jared
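Added example, not part of the thread: a small Python parser for IOS "debug aaa authorization" output like the lines above. It groups lines by the AAA session id, joins the free_user line (which carries the port and remote address but no session id) on the user name, and reports sessions whose exec-shell authorization (the service=shell request) came back FAIL from the TACACS+ server, which is the signature of a failed enable/exec authorization worth alerting on. The sample is constructed from the post's lines plus a second, passing session (id 1938241421, user "ops1") that is my own addition.

```python
import re
from collections import defaultdict
# Constructed sample: "debug aaa authorization" lines from the post above, plus a
# second, passing session (id 1938241421, user "ops1") added for contrast.
SAMPLE_DEBUG = """\
21:43:57: AAA/AUTHOR/EXEC: tty1 (1938241420) user='jaredh'
21:43:57: tty1 AAA/AUTHOR/EXEC (1938241420): send AV service=shell
21:43:57: tty1 AAA/AUTHOR/EXEC (1938241420): send AV cmd*
21:43:57: tty1 AAA/AUTHOR/EXEC (1938241420): Method=tacacs+ (tacacs+)
21:43:57: AAA/AUTHOR/TAC+: (1938241420): send AV service=shell
21:43:57: AAA/AUTHOR (1938241420): Post authorization status = FAIL
21:43:59: AAA/MEMORY: free_user (0x80D2D8D4) user='jaredh' ruser='' port='tty1' rem_addr='205.124.63.186' authen_type=ASCII service=LOGIN priv=1
21:44:10: AAA/AUTHOR/EXEC: tty2 (1938241421) user='ops1'
21:44:10: tty2 AAA/AUTHOR/EXEC (1938241421): send AV service=shell
21:44:10: AAA/AUTHOR (1938241421): Post authorization status = PASS_ADD
"""

SESSION = re.compile(r"\((\d+)\)")
FIELDS = {"user": re.compile(r"user='?([^'\s]+)'?"),
          "method": re.compile(r"Method=(\S+)"),
          "status": re.compile(r"Post authorization status = (\w+)")}
AV = re.compile(r"send AV (\S+)")
FREE = re.compile(r"free_user \S+ user='([^']*)'.*port='([^']*)'.*rem_addr='([^']*)'")

def parse_author_debug(text):  # -> {sid: {user, avs, method, status, port, rem_addr}}
    sessions = defaultdict(lambda: {"user": None, "avs": [], "method": None,
                                    "status": None, "port": None, "rem_addr": None})
    for line in text.splitlines():
        free = FREE.search(line)  # free_user has no session id: join on the user name
        if free:
            for s in sessions.values():
                if s["user"] == free.group(1) and s["port"] is None:
                    s["port"], s["rem_addr"] = free.group(2), free.group(3)
            continue
        sid = SESSION.search(line)
        if not sid: continue
        s = sessions[sid.group(1)]
        for key, rx in FIELDS.items():
            m = rx.search(line)
            if m and s[key] is None:
                s[key] = m.group(1)
        av = AV.search(line)
        if av and av.group(1) not in s["avs"]:  # EXEC and TAC+ both log the same AV pairs
            s["avs"].append(av.group(1))
    return dict(sessions)

def failed_shell_authorizations(text):  # sessions where service=shell was rejected
    return [dict(sid=sid, **s) for sid, s in parse_author_debug(text).items()
            if s["status"] == "FAIL" and "service=shell" in s["avs"]]
```

Feed it the output of "debug aaa authorization" (or a syslog capture of it) and each returned record tells you who, from where, on which line, asked for an exec shell and was refused; a run of these for one user or source address is the thing to look at.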

1 Reply

jlhainy
Level 2

Never mind. I think I have it figured out. But on another note, has anyone been successful in using an external NDS database?