Shell Profile is DenyAccess (but not for all)

jnesbitt1
Level 1

Okay, here is the scenario. I have an ACS server that all network devices use TACACS through. Switches in zone 3 and zone 4 of the firewall use NAT to access the ACS server. The NAT address is the outside interface of the firewall. Switches in zone 3 are managed by an NMS w/ an IP of 192.168.1.1 and are able to authenticate with the TACACS server with no issues. Switches in zone 4 are managed by an NMS w/ an IP of 192.168.5.1 and are not able to authenticate with the TACACS server. The switch configs for zone 3 and 4 are identical minus switch specific items and the firewall has the proper ACLs to allow the traffic. Upon reviewing the ACS logs, when a switch in zone 4 tries to authenticate it lists "13036 Selected Shell Profile is DenyAccess". Both zones are using the same service account information to authenticate and both NMS boxes are in the end station filter for that account. For argument's sake let's assume for the time being the configs for the switches and firewall are correct. Is there something else on the ACS server that could be stopping switches in zone 4 from authenticating?
