11-09-2007 08:29 AM - edited 03-10-2019 03:30 PM
Hi,
I have some routers with modem stuff and would like to do reverse-access authorization.
Router-Cfg:
aaa authorization reverse-access default group tacacs+
worked under CSU with service=raccess {}
But I get errors when I try this under ACS Win 4.1.
Router-Message
% Authorization failed.
ACS-Message:
11/06/2007 16:28:14 Author failed xuseridx Shelluser-Grp 10.1.2.YYY (Default) .. Service denied service=raccess tty34 10.1.2.ZZZ .. .. .. .. .. others ..
Does anybody have an idea if and how this is possible?
Kind Regards,
Chris
11-15-2007 10:52 AM
I think it might ask for a password OR username/password for authentication or authorization. Command authorization sets provide a central mechanism to control the authorization of each command that is issued on any given network device. This feature greatly enhances the scalability and manageability required to set authorization restrictions.
In ACS, the default command authorization sets include Shell Command Authorization Sets and PIX Command Authorization Sets. Cisco device management applications, such as CiscoWorks Management Center for Firewalls, can instruct ACS to support additional command authorization set types.
11-15-2007 09:37 PM
Thanks - I already got a detailed answer from Cisco.
Introduction of a new Service - raccess did it.
Thanks.
11-16-2007 04:44 PM
You need to add raccess to the TACACS interface in ACS.
1) Under Interface Configuration > TACACS+ (Cisco IOS), add raccess by clicking either the User box or the Group box (or both) under New Services.
2) In the box under Service add raccess, then click Submit.
3) Now you will see raccess under TACACS+ in either the user configuration or group configuration as you selected before. Check the box next to raccess and click Submit or Submit + Restart as appropriate.
11-18-2007 09:47 PM
Thanks Jeff,
I already got your detailed information from your colleague at Cisco (Markus K.)
And it works.
Maybe you can also help me with:
Security / AAA / Restrict User to specific NAS if only default NAS profile is configured