command authorization failed ACS 5.6

Colin Higgins · ‎01-07-2015

I have a new ACS 5.6 appliance set up that uses Active Directory authentication.

I created a shell profile, mapped it to the authorization rule, and then added devices to the system.

The first device I added was able to use ACS to authenticate and authorize users without any issues. In the ACS logs, it shows me log in and get the shell profile/privileges (15).

The second device I added authenticates me, but then I get a "command authorization failed" message every time I try to do something. In the ACS logs, it shows me log in (using AD), and get the same shell profile (level 15). Not sure what the problem is.

Here are the AAA settings on the switch

aaa authentication login listASH group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec listASH group tacacs+ local
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated

tacacs-server host 10.1.2.212
tacacs-server timeout 3
tacacs-server directed-request
tacacs-server key <key>

line vty 0 4
access-class vty-access in
logging synchronous level all
login authentication listASH
transport input ssh

Network connectivity is fine, and obviously, the key works (because I authenticate). Nevertheless, I cannot get proper authorization.

nspasov · ‎01-07-2015

Hmm, the config looks correct, especially if it works on one device but fails on the second. Have you tried to issue some debugs and see if you are getting any errors?

debug aaa authentication
debug aaa authorization
debug tacacs authorization

Also, is there a version of code difference between the two devices? Perhaps you are hitting a bug.

Thank you for rating helpful posts!