Tacacs problem with ACS 4.2 NDG and shell authorization sets

uzbrdicanagib
Level 1

Hi all,

I am trying to solve this problem without success so far. I have a fresh ACS 4.2.15 patch 5 installation and I am trying to deploy it to our environment. So I have configured one 2960S to be my test client and everything works fine. The problem is when I try to create fine-grained policies using network device groups and shell authorization sets.

I have created shell authorization sets called ReadOnly and FullAccess. I have also created an NDG called FloorSwitches and added my 2960. I have 2 user groups called FloorSwitchesReadOnly and FloorSwitchesFullAccess. Now, if I configure group FloorSwitchesFullAccess and assign a shell command authorization set per NDG and then log into the switch, all of my commands are refused as unauthorized.

One thing that I have noticed is that if I assign the shell command authorization set to any device (in user group settings) it works fine. Or if I create an association with the DEFAULT NDG in the user group it also works. So my conclusion is that ACS for some reason does not associate my switch with the correct group but rather puts it in the DEFAULT group for some reason.

Has anyone had a similar problem, or is there something that I am doing in the wrong way? Is there another way to achieve such a thing without using NDGs?

Thanks everyone....

Accepted Solutions

Tarik Admani
VIP Alumni

Please upgrade to patch 6. There is a bug in patch 5, and you can check the release notes or the readme for more information.

What is your user setting set to while you are testing command authorization? Did you set it back to the group setting?

Thanks,

Tarik Admani

2 Replies

Thank you for the help. I guess that is one of the reasons they removed patch 5 from the downloads...