06-05-2008 02:42 AM - edited 03-10-2019 03:53 PM
Hi,
I have ACS 4.1 for Windows!!
I am testing Cisco6513 for command authorization for a user.
The problem is that the switch is authorizing the commands which I have denied in ACS for that particular user.
I am attaching the screen shots.
Can anyone tell me what I am missing? Do I need to put some commands in the 6513 to enable command authorization with the ACS?
My Switch config for ACS is:
aaa new-model
aaa group server tacacs+ name1
server ACSserver1
!
aaa authentication login default group name1 local
aaa authentication enable default group name1 enable
aaa authorization exec default group name1 if-authenticated
ip http authentication aaa
tacacs-server host ACSserver1
no tacacs-server directed-request
tacacs-server key xxxxx
06-05-2008 04:58 AM
You are missing these commands,
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
Regards,
~JG
Do rate helpful posts
06-09-2008 11:18 PM
Hi,
You need to apply these commands for authentication & authorization on the router/switch and ACS server.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group tacacs+
You can also exclude your console from AAA:
line con 0
login authentication local_auth
exit
Please rate it if helpful.
06-11-2008 06:42 AM
Thanks to both of you. Problem solved!!
06-11-2008 11:10 AM
I have been looking for the command to exclude the console port but haven't found it. Can someone point me in the right direction?
06-11-2008 11:48 AM
For that you need to set up a method list,
username test privilege 15 password test
aaa new-model
aaa authentication login vty_login group tacacs local
aaa authentication login console_login local
aaa authorization exec vty_login group tacacs local
tacacs-server host
line vty 0 4
login authentication vty_login
line con 0
login authentication console_login
Regards,
~JG
Do rate helpful posts
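Putting the two answers together, here is an added example configuration (mine, not posted by anyone in the thread) that enforces TACACS+ command authorization on vty sessions while leaving the console on local authentication via named method lists; the server group name ACS-GROUP, the list names vty_login and console_login, the local username and the bracketed secrets are placeholders.

```cisco
! Added example, not from the thread. Names and secrets are placeholders.
! Local fallback account so the box stays manageable if ACS is unreachable.
username admin privilege 15 secret <local-password>
aaa new-model
aaa group server tacacs+ ACS-GROUP
 server ACSserver1
!
! Named lists: vty goes to TACACS+ first, then local; console is local only.
aaa authentication login vty_login group ACS-GROUP local
aaa authentication login console_login local
aaa authentication enable default group ACS-GROUP enable
aaa authorization exec vty_login group ACS-GROUP if-authenticated
!
! Command authorization: without these lines the switch never asks ACS about
! individual commands, which is why commands denied in ACS were still accepted.
! if-authenticated lets an already-authenticated user keep working if ACS is
! unreachable (trade-off against a hard lockout); use "local" for a stricter policy.
aaa authorization commands 1 vty_login group ACS-GROUP if-authenticated
aaa authorization commands 15 vty_login group ACS-GROUP if-authenticated
aaa authorization config-commands
!
! Accounting gives ACS a per-command record for later review.
aaa accounting commands 15 default start-stop group ACS-GROUP
!
tacacs-server host ACSserver1 key <shared-secret>
no tacacs-server directed-request
!
! Only lines that reference the named lists are subject to them,
! so the console below is never sent to ACS for login or command checks.
line vty 0 4
 login authentication vty_login
 authorization exec vty_login
 authorization commands 1 vty_login
 authorization commands 15 vty_login
line con 0
 login authentication console_login
```

Test from a second vty session before closing the one you configured from, and confirm in the ACS reports that denied commands now show up as failed authorizations.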
06-12-2008 09:18 AM
Thank you very much.