Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1083
Views
0
Helpful
3
Replies

Looking for sample config (command authorization failed)

Go to solution
thanmad
Level 1
Level 1

‎05-31-2011 11:27 AM - edited ‎03-10-2019 06:07 PM

I'm having trouble getting Tacacs+ to work correctly with ACS5.1 and a simple catalyst 3750 switch.

I can authenticate with AAA, however i cannot get a single command to work once i'm in; "Command authorization failed" even on "enable".

Can anyone point me to a useful resource that will walk me through the process?

thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni

‎05-31-2011 10:13 PM

You probably have command authorization enabled on your switch and the access policy on the ACS isnt permitting the commands. One way around this is to disable command authorization on the device or permit all commands in your command sets under your access policy.

Check those settings and keep in mind the "customize" command will help activate any rules or permissions if you are having troubles finding them.

Here is the user guide for ACS 5.2 - http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/acsuserguide.html

Thanks,

Tarik

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni

‎05-31-2011 10:13 PM

You probably have command authorization enabled on your switch and the access policy on the ACS isnt permitting the commands. One way around this is to disable command authorization on the device or permit all commands in your command sets under your access policy.

Check those settings and keep in mind the "customize" command will help activate any rules or permissions if you are having troubles finding them.

Here is the user guide for ACS 5.2 - http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/acsuserguide.html

Thanks,

Tarik

0 Helpful

Go to solution
thanmad
Level 1
Level 1
In response to Tarik Admani

‎06-01-2011 09:33 AM

Thanks Tarik,

That was the issue, the command set option was not visible until after i customized.  hence i could not attach the command set to the access policy rule.

...now to figure out how to define admins from common users when using AD in ACS.

0 Helpful

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to thanmad

‎06-01-2011 03:40 PM

It shouldn't be an issue, what you can do is setup your command sets just as you want them. You will then go to your Active Directory configuration -> External Identity Stores -> Active Directory -> Directory Groups....you will then hit "Select and a pop up box will come up, you an use wildcards (Domain Admins or Domain*) to find your domain admins or any other group you wish to search for.

You will then add those groups to the list and save. when you create your authorization for your device admin (or tacacs service rule) you will then use the AD External Group attribute and then assign them with the shell profile and matching command set.

Hope that helps!

Tarik Admani

0 Helpful
Customers Also Viewed These Support Documents