Looking for sample config (command authorization failed)

thanmad
Level 1

I'm having trouble getting TACACS+ to work correctly with ACS 5.1 and a simple Catalyst 3750 switch.

I can authenticate with AAA; however, I cannot get a single command to work once I'm in: "Command authorization failed", even on "enable".

Can anyone point me to a useful resource that will walk me through the process?

thanks

Accepted Solution

Tarik Admani
VIP Alumni

You probably have command authorization enabled on your switch and the access policy on the ACS isn't permitting the commands. One way around this is to disable command authorization on the device, or permit all commands in your command sets under your access policy.

Check those settings, and keep in mind the "customize" command will help activate any rules or permissions if you are having trouble finding them.

Here is the user guide for ACS 5.2 - http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/acsuserguide.html

Thanks,

Tarik
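For readers who want to see what "command authorization enabled on your switch" looks like on the IOS side, here is an added illustration that is not part of the original thread: a minimal AAA configuration for a Catalyst switch pointing at ACS, with the command-authorization lines the accepted answer is talking about and the alternative of removing them. The server address, shared secret and ACS hostname are placeholders.

```ios
! Added example (not from the original thread): IOS AAA configuration for
! TACACS+ command authorization against an ACS server.
! Server address and key are placeholders.
aaa new-model
!
tacacs-server host 192.0.2.10
tacacs-server key PLACEHOLDER-SHARED-SECRET
!
! Login, enable and EXEC (shell) authorization go to ACS first, with a
! local fallback so an unreachable or misconfigured ACS does not lock you
! out of the switch.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
!
! Command authorization: every level-1 and level-15 command is sent to ACS
! and must be permitted by the command set attached to the matching
! access-policy rule. If no command set is attached (the situation in this
! thread), nothing is permitted and the switch prints
! "Command authorization failed".
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
!
! Command accounting gives you a per-command audit trail on ACS, which is
! also the quickest way to see which command ACS is rejecting and why.
aaa accounting commands 15 default start-stop group tacacs+
!
! The other option from the accepted answer: drop command authorization on
! the device itself (keep login/exec authorization in place). To do that,
! remove the three command-authorization lines above:
!   no aaa authorization commands 1 default
!   no aaa authorization commands 15 default
!   no aaa authorization config-commands
```

Keep a console session open while changing these lines; the `local` fallback only helps if ACS is unreachable, not if ACS answers with a deny.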


3 Replies


Thanks Tarik,

That was the issue: the command set option was not visible until after I customized, hence I could not attach the command set to the access policy rule.

...now to figure out how to define admins from common users when using AD in ACS.

It shouldn't be an issue; what you can do is set up your command sets just as you want them. You will then go to your Active Directory configuration -> External Identity Stores -> Active Directory -> Directory Groups. You will then hit "Select" and a pop-up box will come up; you can use wildcards (Domain Admins or Domain*) to find your domain admins or any other group you wish to search for.

You will then add those groups to the list and save. When you create your authorization for your device admin (or TACACS service rule) you will then use the AD External Group attribute and then assign them the shell profile and matching command set.

Hope that helps!

Tarik Admani