Tacacs+ config help

Having some trouble with a tacacs config.

I can SSH into my 3560 switch with a tacacs configured username / password but commands like write mem or dir display an error message.

The command 'write <cr>' is not authorized for user [username] and client [ip addr] 

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common

Accepted Solutions

Hi Rob,

As everything is Tacacs+ specific.

If the command is not being authorized, this has to be checked on the Tacacs+ server.

What is the Tacacs+ server that you are using?

Regards

Ed

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed
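
An added example, not part of the original thread or of Ed's reply: a simplified Python model of how IOS walks the `aaa authorization commands` method lists from the question. It shows why the denial has to be fixed on the server: `if-authenticated` is consulted only when the TACACS+ server gives no usable answer, so an explicit server-side denial is final. The function names and the PASS/FAIL/ERROR labels are assumptions made for this illustration.

```python
import re

# AAA lines copied from the question in this thread.
CONFIG = """\
aaa new-model
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
"""

def command_method_lists(config):
    """Map privilege level -> ordered methods of the default command list."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"aaa authorization commands (\d+) default (.+)", line.strip())
        if m:
            # "group tacacs+" is one method; the other methods are single words.
            lists[int(m.group(1))] = re.findall(r"group \S+|\S+", m.group(2))
    return lists

def authorize(level, server_reply, lists, authenticated=True):
    """Simplified model. server_reply is what the TACACS+ server returned:
    'PASS', 'FAIL', or 'ERROR' (unreachable / no usable answer).
    Returns (decision, method_that_decided)."""
    methods = lists.get(level)
    if methods is None:
        return ("permit", "no list for this level")  # command is never sent to AAA
    for method in methods:
        if method.startswith("group "):
            if server_reply == "PASS":
                return ("permit", method)
            if server_reply == "FAIL":
                return ("deny", method)  # an explicit denial ends the walk
            continue  # ERROR only: fall through to the next method
        if method == "if-authenticated":
            return ("permit" if authenticated else "deny", method)
        if method == "none":
            return ("permit", method)
        raise ValueError(f"method not modelled here: {method}")
    return ("deny", "method list exhausted")

if __name__ == "__main__":
    lists = command_method_lists(CONFIG)
    # 'write' is assumed to be a privilege level 15 command (not stated in the thread).
    for reply in ("PASS", "FAIL", "ERROR"):
        print("level 15, server says", reply, "->", authorize(15, reply, lists))
```

The ERROR case is worth noting when reviewing this config: with `if-authenticated` as the fallback, any logged-in user is permitted every command at that level whenever the TACACS+ server cannot be reached.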


tacacs.net is the software. 

I'm digging through the documentation, but it's quite lousy IMHO.

I'll start troubleshooting this from a server authorization perspective. I just found I can rename the authorization.xml to authorization.xml.old. I've tested and now I have full control over commands.

Looks like I'll have to tweak this list of commands / permissions and rename again to get this working.

Thanks for pointing me in the right direction.

-Rob


Great!

Please mark the answer as resolved so others can take guidance with the same type of issue.

 

Regards

Ed


Re: tacacs.net is the software. I

Hi,

I am also facing the same problem. I have done all the steps as you provided in your post but got the same problem when I tried to use scp with the aaa tacacs server.

 


Re: tacacs.net is the software. I

Hi, 

How do I check scp command authorization on the ACS tacacs server?


Re: Hi Rob,As everything is

Hi, 

How do I check scp command authorization on the ACS tacacs server?