05-31-2011 11:27 AM - edited 03-10-2019 06:07 PM
I'm having trouble getting TACACS+ to work correctly with ACS 5.1 and a simple Catalyst 3750 switch.
I can authenticate with AAA; however, I cannot get a single command to work once I'm in: "Command authorization failed", even on "enable".
Can anyone point me to a useful resource that will walk me through the process?
thanks
05-31-2011 10:13 PM
You probably have command authorization enabled on your switch and the access policy on the ACS isn't permitting the commands. One way around this is to disable command authorization on the device or permit all commands in your command sets under your access policy.
Check those settings and keep in mind the "customize" command will help activate any rules or permissions if you are having troubles finding them.
Here is the user guide for ACS 5.2 - http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/acsuserguide.html
Thanks,
Tarik
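For reference, this is the switch side of what Tarik describes: an added IOS configuration example (not from the original post or from Cisco's documentation) showing where command authorization is turned on and sent to ACS. The server name, address, group name and shared secret are placeholders; the ACS command set attached to the access policy still has to permit the commands, or the switch will report "Command authorization failed" exactly as in the question.

```ios
! Added example, not from the thread. Names and addresses are placeholders.
aaa new-model
!
! TACACS+ server definition (replace with your ACS address and shared secret)
tacacs server ACS-PRIMARY
 address ipv4 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
!
aaa group server tacacs+ ACS-GROUP
 server name ACS-PRIMARY
!
! Login and exec authorization against ACS, local database as fallback
aaa authentication login default group ACS-GROUP local
aaa authorization exec default group ACS-GROUP local
!
! These lines are what triggers the per-command check on ACS.
! Every command typed at level 1 and 15 (including "enable") is sent to
! ACS, which must have a command set permitting it.
aaa authorization commands 1 default group ACS-GROUP local
aaa authorization commands 15 default group ACS-GROUP local
aaa authorization config-commands
!
! Record each privileged command on ACS for audit
aaa accounting commands 15 default start-stop group ACS-GROUP
```

If you want to take Tarik's first option and stop authorizing commands on the device, remove the two "aaa authorization commands" lines; keeping the "local" fallback method on the remaining lines avoids being locked out of the switch while the ACS policy is being adjusted.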
06-01-2011 09:33 AM
Thanks Tarik,
That was the issue; the command set option was not visible until after I customized, hence I could not attach the command set to the access policy rule.
...now to figure out how to distinguish admins from common users when using AD in ACS.
06-01-2011 03:40 PM
It shouldn't be an issue. What you can do is set up your command sets just as you want them. You will then go to your Active Directory configuration -> External Identity Stores -> Active Directory -> Directory Groups. You will then hit "Select" and a pop-up box will come up; you can use wildcards (Domain Admins or Domain*) to find your domain admins or any other group you wish to search for.
You will then add those groups to the list and save. When you create your authorization for your device admin (or TACACS service rule), you will then use the AD External Group attribute and assign them the shell profile and matching command set.
Hope that helps!
Tarik Admani