Howto configure reverse-access authorization on ACS Win4.1

Unanswered Question
Nov 9th, 2007


I have some routers with modem-stuff and like to make reverse-access authorization.


aaa authorization reverse-access default group tacacs+

worked under CSU with service=raccess {}

But I get errors when I try this under ACS Win 4.1.


% Authorization failed.


11/06/2007 16:28:14 Author failed xuseridx Shelluser-Grp 10.1.2.YYY (Default) .. Service denied service=raccess tty34 10.1.2.ZZZ .. .. .. .. .. others ..

Anybody who has an idea if and how this is possible?

Kind Regards,


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
vkapoor5 Thu, 11/15/2007 - 10:52

I think it might ask for a password OR username/password for authentication or authorizatation. Command authorization sets provide a central mechanism to control the authorization of each command that is issued on any given network device. This feature greatly enhances the scalability and manageability required to set authorization restrictions.

In ACS, the default command authorization sets include Shell Command Authorization Sets and PIX Command Authorization Sets. Cisco device management applications, such as CiscoWorks Management Center for Firewalls, can instruct ACS to support additional command authorization set types.

wagnerch Thu, 11/15/2007 - 21:37

thanks - I already got a detailed answer from cisco.

Introduction of a new Service - raccess did it.


jhillend Fri, 11/16/2007 - 16:44

You need to add raccess to the TACACS interface in ACS.

1) Under Interface Configuration > TACACS+ (Cisco IOS) add a raccess by clicking either the User box or the group Box (or both) under New Services.

2) In the box under Service add raccess, then click Submit.

3) Now you will see raccess under TACACS+ in either the user configuration or group configuration as you selected before. Check the box next to raccess and click Submit or Submit + Restart as appropriate.


This Discussion