There is a known bug that covers the behavior you've observed, that's triggered by using certain versions of Firefox. What browser were you using when this happened? Javier Henderson Cisco Systems ... View more

The error message states invalid credentials were entered (seen at the bottom of radius_details_3.jpg), so that's why the user was not allowed access. ... View more

You will want to configure command authorization on the router (switch, etc.) and then create a command authorization set on ACS, and apply it to an authorization policy. ... View more

Unlike ACS 4.x (and earlier) which had a separate page for successful and failed attempts, ACS 5.x shows all authentication attempts on the same report. ... View more

Can you post the same debug output, from a switch showing the correct behavior, please? Also, are you able to collect a packet capture, so we can see what's being put on the wire by the RADIUS server? I realize the output of "debug radius" suggests that only shell:priv-lvl=1 is being sent, but just to cover all bases. Finally, is the username being used to test RADIUS also exists as a local user on the switch? ... View more

This requires configuration on both ACS, and the target devices. On your routers, switches, etc., configure exec authorization, for example: aaa authorization exec default group tacacs+ local On ACS, create a command set, then associate it with the corresponding authorization policy. In the command set, list the commands you wish to allow (in this case "show running-config"), and disallow all other commands (it's a checkbox in the same config screen). Javier Henderson Cisco Systems ... View more

You need to have exec authorization configured on your router, for example: aaa authorization exec default group tacacs+ local Javier Henderson Cisco Systems ... View more

You need to add command authorization: aaa authorization commands 1 default group tacacs+ local aaa authorization commands 15 default group tacacs+ local Javier Henderson Cisco Systems ... View more

Can you please post the router/switch configuration? At least the AAA related portions. Javier Henderson Cisco Systems ... View more

ACS 4.2 is not supported on any versions of Windows after 2008, and since it's been discontinued for some time now, support for newer Windows releases will not be added. Javier Henderson Cisco Systems ... View more

The instructions you reference seem to be meant for the open source tac_plus TACACS+ server. For ACS, you'd configure a shell profile to pass back to the Brocade switch any custom A/V pairs that are needed. This document has some examples for various third party devices: http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115926-tacacs-radius-devices-00.html Javier Henderson Cisco Systems ... View more

The above configuration looks correct. The expected behavior is that when the user enters credentials, the ACS server would be use to authenticate them. If ACS sends back a reject, the user should not be allowed in. If ACS does not respond, or responds with an error, then the local users defined on the switch should be used. Can you enable "debug aaa authentication" and "debug aaa authorization", reproduce the problem, and post the console output? Also, how's ACS configured for the default action for TACACS+ authentications? Javier Henderson Cisco Systems ... View more

You aid that you applied this method list "on the telnet", but can you show us the resulting configuration? Javier Henderson Cisco Systems ... View more