350AP authorization fails (service denied service=aironet protocol=shell)

mbouchar
Level 1

I am trying to get management authentication working using TACACS from a 350AP running FW 12.0T. The requests hit the ACS server but I get the message author failed (service denied service=aironet protocol=shell). It seems that I have something wrong with the user or group level TACACS attributes but I am new to ACS. Help Please...

4 Replies 4

jekrauss
Level 1

In ACS under Group Setup, select the check box under TACACS for shell. Also, set priv-lvl=15. If these options aren't available, check under Interface Configuration>>Tacacs.

HTH

Jeff

I have verified that these are set at the user and group level and still get the same message. What about Shell Command Authorization set?

Only RADIUS can be used for administrator authentication. TACACS is there for future enhancements...

For admin user authentication against ACS RADIUS, you need to have the following:

1) 12.0T image on AP350, as only that image supports that.

2) Configure the RADIUS server IP address on the "authentication server" page and check "user authentication".

3) Configure the user in ACS and also include the attribute in the cisco av-pair list for that user as

aironet:admin-capability=write+ident+admin+firmware

Once you have that, authentication and authorization will work fine.
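To make the attribute format in step 3 concrete, here is a small added example (not code from the thread, Cisco or ACS) that parses the cisco av-pair entries stored for an ACS user, extracts the aironet:admin-capability tokens, and summarises what management rights that user would carry to the AP, which is handy when reviewing who has write or firmware rights. The four tokens in the reply above are taken as the "full admin" set; "snmp" is included as a known token from the 350-series documentation, which this thread does not mention. The sample user entries are constructed.

```python
import re

# Capability tokens for aironet:admin-capability. The four from the reply above are
# write, ident, admin, firmware; "snmp" is also documented for the 350 series
# (assumption: it is not mentioned anywhere in this thread).
KNOWN_CAPABILITIES = frozenset({"write", "snmp", "ident", "firmware", "admin"})

# The set the reply above says an admin user needs for full management access.
FULL_ADMIN = frozenset({"write", "ident", "admin", "firmware"})

# One AV-pair looks like 'vendor:attribute=value', e.g. 'aironet:admin-capability=...'
AV_PAIR_RE = re.compile(r"^\s*([A-Za-z0-9_-]+):([A-Za-z0-9_-]+)=(.*?)\s*$")


def parse_av_pairs(av_pairs):
    """Turn a list of 'vendor:attribute=value' strings (the shape of the ACS
    cisco av-pair list for a user) into a dict keyed by 'vendor:attribute'.
    Malformed entries raise ValueError rather than being silently dropped."""
    parsed = {}
    for raw in av_pairs:
        match = AV_PAIR_RE.match(raw)
        if not match:
            raise ValueError(f"malformed AV-pair: {raw!r}")
        vendor, attribute, value = match.groups()
        parsed[f"{vendor.lower()}:{attribute.lower()}"] = value
    return parsed


def admin_capabilities(av_pairs):
    """Return the set of tokens granted by aironet:admin-capability.
    An empty set means the attribute is absent, so no admin rights are sent."""
    value = parse_av_pairs(av_pairs).get("aironet:admin-capability", "")
    caps = {tok.strip().lower() for tok in value.split("+") if tok.strip()}
    unknown = caps - KNOWN_CAPABILITIES
    if unknown:
        raise ValueError(f"unknown admin capability token(s): {sorted(unknown)}")
    return caps


def audit_user(username, av_pairs):
    """Summarise what an ACS user entry will grant on the AP, for review."""
    caps = admin_capabilities(av_pairs)
    return {
        "user": username,
        "capabilities": sorted(caps),
        "full_admin": caps >= FULL_ADMIN,
        "can_write_config": "write" in caps,
        "can_load_firmware": "firmware" in caps,
    }


# Constructed sample ACS user entries (not taken from the thread).
SAMPLE_USERS = {
    "ap-admin": ["aironet:admin-capability=write+ident+admin+firmware"],
    "helpdesk": ["aironet:admin-capability=ident"],
    "wifi-client": [],  # ordinary wireless user: no admin attribute at all
}

if __name__ == "__main__":
    for name, pairs in SAMPLE_USERS.items():
        print(audit_user(name, pairs))
```

Running it lists, per user, which management rights the av-pair actually grants; a user that is supposed to be a wireless client but shows up with "write" or "firmware" is the kind of entry worth catching before it reaches the APs.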

Does this require certain release of ACS?

My ACS server is at version "3.0(2) Build 5" (no service patch), and image 12.0T for the wireless APs.

The wireless aironet users can authenticate via the ACS radius no problem, but for admin management access to the access points, I can't find the "Radius (Aironet)" attributes in the Interface Configuration section, only the "Radius (IETF)" shows up when I define the APs with "Radius (Cisco Aironet)" in "Authenticate Using".

Any idea?? Thanks.

Fanny