I have a new ACS 5.6 appliance set up that uses Active Directory authentication.
I created a shell profile, mapped it to the authorization rule, and then added devices to the system.
The first device I added was able to use ACS to authenticate and authorize users without any issues. In the ACS logs, it shows me log in and get the shell profile/privileges (15).
The second device I added authenticates me, but then I get a "command authorization failed" message every time I try to do something. In the ACS logs, it shows me log in (using AD), and get the same shell profile (level 15). Not sure what the problem is.
Here are the AAA settings on the switch
aaa authentication login listASH group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec listASH group tacacs+ local
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
tacacs-server host 10.1.2.212
tacacs-server timeout 3
tacacs-server directed-request
tacacs-server key <key>
line vty 0 4
access-class vty-access in
logging synchronous level all
login authentication listASH
transport input ssh
Network connectivity is fine, and obviously, the key works (because I authenticate). Nevertheless, I cannot get proper authorization.