
authorization and accounting on ACS 5.3

Hi Experts,

Need urgent help.

I have installed ACS 5.3.0.40 successfully and done the authentication through ACS using the TACACS+ protocol.

Two users are created: Admin and Contractor.

I also want to do the authorization. Let's say when I telnet to device 192.168.1.1 with user admin it should have all the privilege levels up to 15, and when I telnet to the same device with user contractor it should get privilege level 5.

Authentication to the ACS works fine, but I want to configure authorization and accounting.

How will the accounting work on ACS 5.3?

I configured the following commands on the switches.

aaa new-model
!
!
aaa authentication login acsserver group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
ip tacacs source-interface Vlan172
tacacs-server host 192.168.60.10 key cisco123
tacacs-server directed-request
line vty 0 4
 login authentication acsserver
 authorization commands 0 default
 authorization commands 1 default
 authorization commands 5 default

Looking for any replies, it's an urgent requirement.

3 Replies

hkhrais
Level 1

Hi Fazal,

On the ACS side, you need to configure 2 shell profiles: the first one to set the default privilege level to 15 and the second one to 5. The result for the "default device administration" rules needs to be set as follows:

Rule 1: condition 1, if user "admin" comes in, result is shell profile 1 (priv-level 15)

Rule 2: condition 2, if user "contractor" comes in, result is shell profile 2 (priv-level 5)

Under the AAA client you need to add

aaa authorization commands 5 default group tacacs+

Also, you need to set up privilege 5 itself to be authorized for certain commands:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftprienh.html#wp1027195

For accounting:

http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_a1g.html#wp1081064

HTH

+5 Hussam

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"

Sorry for the delayed reply; the solution worked perfectly.

Thanks...
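
An added example, not part of the thread and not Cisco tooling: a small Python check that reads the AAA lines from the question and reports privilege levels that have no command-authorization or accounting method list. The name `audit_aaa`, the level set `{5, 15}` (taken from the two shell profiles in the reply) and the accounting lines in `ADDED` are assumptions made for illustration.

```python
import re

# AAA lines of the switch configuration posted in the question.
POSTED = """\
aaa new-model
aaa authentication login acsserver group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
line vty 0 4
 login authentication acsserver
 authorization commands 0 default
 authorization commands 1 default
 authorization commands 5 default
"""
# Constructed: the line from the reply plus accounting method lists (assumed).
ADDED = """\
aaa authorization commands 5 default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 5 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""
FIXED = POSTED.replace("line vty 0 4", ADDED + "line vty 0 4")

def audit_aaa(config, levels_in_use):
    """List AAA gaps for the privilege levels the shell profiles assign."""
    authz, acct, line_refs = set(), set(), set()
    for line in (s.strip() for s in config.splitlines()):
        if m := re.match(r"aaa authorization commands (\d+) (\S+) ", line):
            authz.add((int(m[1]), m[2]))          # global method list
        elif m := re.match(r"aaa accounting (exec|commands \d+) \S+ ", line):
            acct.add(m[1])                        # "exec" or "commands N"
        elif m := re.match(r"authorization commands (\d+) (\S+)$", line):
            line_refs.add((int(m[1]), m[2]))      # list applied under a line
    findings = [f"line applies list '{name}' for level {lv}, but it is not defined"
                for lv, name in sorted(line_refs - authz)]
    for lvl in sorted(levels_in_use):
        if lvl not in {lv for lv, _ in authz}:
            findings.append(f"no 'aaa authorization commands {lvl}' method list")
        if f"commands {lvl}" not in acct:
            findings.append(f"no 'aaa accounting commands {lvl}' method list")
    if "exec" not in acct:
        findings.append("no 'aaa accounting exec' method list")
    return findings

if __name__ == "__main__":
    print({"posted": audit_aaa(POSTED, {5, 15}), "fixed": audit_aaa(FIXED, {5, 15})})
```

On the posted configuration the level 5 gap it reports is the same one the reply closes with `aaa authorization commands 5 default group tacacs+`.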