How to configure reverse-access authorization on ACS Win4.1

wagnerch
Level 1

Hi,

I have some routers with modem stuff and would like to do reverse-access authorization.

Router-Cfg:

aaa authorization reverse-access default group tacacs+

This worked under CSU with service=raccess {}

But I get errors when I try this under ACS Win 4.1.

Router-Message:

% Authorization failed.

ACS-Message:

11/06/2007 16:28:14 Author failed xuseridx Shelluser-Grp 10.1.2.YYY (Default) .. Service denied service=raccess tty34 10.1.2.ZZZ .. .. .. .. .. others ..

Does anybody have an idea if and how this is possible?

Kind Regards,

Chris

4 Replies

vkapoor5
Level 5

I think it might ask for a password OR username/password for authentication or authorization. Command authorization sets provide a central mechanism to control the authorization of each command that is issued on any given network device. This feature greatly enhances the scalability and manageability required to set authorization restrictions.

In ACS, the default command authorization sets include Shell Command Authorization Sets and PIX Command Authorization Sets. Cisco device management applications, such as CiscoWorks Management Center for Firewalls, can instruct ACS to support additional command authorization set types.

Thanks - I already got a detailed answer from Cisco.

Introduction of a new service, raccess, did it.

Thanks.

jhillend
Level 1

You need to add raccess to the TACACS interface in ACS.

1) Under Interface Configuration > TACACS+ (Cisco IOS), add raccess by clicking either the User box or the Group box (or both) under New Services.

2) In the box under Service add raccess, then click Submit.

3) Now you will see raccess under TACACS+ in either the user configuration or group configuration as you selected before. Check the box next to raccess and click Submit or Submit + Restart as appropriate.

Thanks Jeff,

I already got your detailed information from your colleague at Cisco (Markus K.).

And it works.

Maybe you can also help me with:

Security / AAA / Restrict User to specific NAS if only default NAS profile is configured

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.2cbe7e71