1629 Views, 0 Helpful, 1 Reply

"PIX Command Authorization" via ACS!

kendo.igor
Level 1

I have the following scenario:

We have one PIX 515E with latest image and one ACS 3.0.2.

We would like to limit which netadmin may use which command on PIX.

We have created the user accounts on ACS, and AUTHENTICATION is working fine. Under user Advanced TACACS+ properties > "PIX Command Authorization Set", we've selected "Assign a PIX Command Authorization Set for any network device" and picked an already defined "PIX command authorization set" called "com1".

As soon as I enter "aaa authorization command TACACS+" on PIX, I cannot execute any more commands and I get "Command authorization failed".

On the ACS "Failed attempts" log, I get "11/12/2002 07:50:04 Author failed u20 Default Group 0.0.0.0 .. Command unknown service=shell cmd=quit 0 10.1.1.1"

Thanks in advance.

1 Reply

Nairi Adamian
Cisco Employee

Have you actually allowed the commands you are entering on the PIX authorization set?

The following sample configuration has some information on how to do this on ACS:

http://www.cisco.com/warp/public/110/pix_command.shtml

hope this helps,

-Nairi
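The PIX side of the setup the thread describes, as an added example that is not part of either post and not taken from the linked Cisco document. It shows the order a practitioner wants: TACACS+ server definition, then console/enable authentication, and only then command authorization. The server address 10.1.1.2, the shared key `s3cr3tkey`, and the server-group tag `AuthInbound` are assumptions; the PIX shown in the thread is 10.1.1.1. The `!` comment lines are explanatory and are not PIX configuration.

```cisco
! Assumed TACACS+ server group; the tag name AuthInbound is arbitrary.
aaa-server AuthInbound protocol tacacs+
aaa-server AuthInbound (inside) host 10.1.1.2 s3cr3tkey timeout 10

! Authenticate the admin session and the enable step against ACS first.
! Command authorization is per-user, so the PIX must know who is typing
! before it can ask ACS "may this user run this command?".
aaa authentication telnet console AuthInbound
aaa authentication enable console AuthInbound

! Only now turn on per-command authorization. From this point every
! command, including quit/exit/show, is sent to ACS as service=shell
! cmd=<command> and must be permitted by the user's PIX command set.
! Keep a second, already-authenticated session open while testing so a
! set that is too restrictive cannot lock you out of the box.
aaa authorization command AuthInbound

! The failed-attempts entry in the thread ("Command unknown service=shell
! cmd=quit") means ACS found no "quit" entry in the set com1 and the
! set's unmatched-command default is deny. In ACS the set com1 therefore
! needs, at minimum, explicit entries for the commands an admin types to
! get in and out of the PIX, for example:
!   enable   permit
!   quit     permit
!   exit     permit
!   show     permit (argument matching as required)
!   configure permit (only for users allowed to change configuration)
! leaving "Unmatched Commands" as deny so the set stays least-privilege.
```

The log line on the ACS side is the quickest check: each command the PIX refuses appears under Failed Attempts with `service=shell cmd=<name>`, so the list of missing entries for com1 can be read directly from that log rather than guessed.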