How to configure reverse-access authorization on ACS Win 4.1

Nov 9th, 2007

Hi,


I have some routers with modem stuff and would like to set up reverse-access authorization.


Router-Cfg:

aaa authorization reverse-access default group tacacs+


This worked under CSU with service=raccess {}.


But I get errors when I try this under ACS Win 4.1.


Router-Message:

% Authorization failed.


ACS-Message:

11/06/2007 16:28:14 Author failed xuseridx Shelluser-Grp 10.1.2.YYY (Default) .. Service denied service=raccess tty34 10.1.2.ZZZ .. .. .. .. .. others ..



Anybody who has an idea if and how this is possible?


Kind Regards,

Chris

vkapoor5 Thu, 11/15/2007 - 10:52

I think it might ask for a password OR username/password for authentication or authorization. Command authorization sets provide a central mechanism to control the authorization of each command that is issued on any given network device. This feature greatly enhances the scalability and manageability required to set authorization restrictions.


In ACS, the default command authorization sets include Shell Command Authorization Sets and PIX Command Authorization Sets. Cisco device management applications, such as CiscoWorks Management Center for Firewalls, can instruct ACS to support additional command authorization set types.



wagnerch Thu, 11/15/2007 - 21:37

Thanks - I already got a detailed answer from Cisco.

Introduction of a new service, raccess, did it.


Thanks.

jhillend Fri, 11/16/2007 - 16:44

You need to add raccess to the TACACS interface in ACS.

1) Under Interface Configuration > TACACS+ (Cisco IOS), add raccess by clicking either the User box or the Group box (or both) under New Services.

2) In the box under Service, add raccess, then click Submit.

3) Now you will see raccess under TACACS+ in either the user configuration or the group configuration, as you selected before. Check the box next to raccess and click Submit or Submit + Restart as appropriate.
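As an added illustration (not code from the thread, from Cisco, or from ACS itself), the script below ties the failed-authorization log line in the question to the fix in the steps above. It parses the "Author failed ... Service denied service=raccess" line from the ACS Failed Attempts log, and models the decision as a simple rule: an authorization request for a TACACS+ service passes only when that service is enabled in the user's or group's profile. The column order of the log regex is inferred from the single line quoted in the question, and the pass/fail rule is a simplified model of ACS behaviour, not its actual implementation; both are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

# Constructed sample: the ACS "Failed Attempts" line quoted in the question,
# with the poster's placeholders (YYY, ZZZ, xuseridx) kept verbatim.
SAMPLE_LOG = (
    "11/06/2007 16:28:14 Author failed xuseridx Shelluser-Grp 10.1.2.YYY "
    "(Default) .. Service denied service=raccess tty34 10.1.2.ZZZ .. .. .. .. .. others .."
)


@dataclass
class AuthorFailure:
    timestamp: str
    user: str
    group: str
    nas_ip: str      # the router (NAS) that sent the TACACS+ authorization request
    reason: str      # ACS's stated failure reason, e.g. "Service denied"
    service: str     # the TACACS+ service the router asked for, e.g. "raccess"
    port: str        # the line/tty the request came from
    remote_addr: str


# Assumption: column order inferred from the one log line on the page. The
# regex is not anchored at the end, so the trailing ".. .. others .." columns
# are ignored.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) Author failed "
    r"(?P<user>\S+) (?P<group>\S+) (?P<nas>\S+) \((?P<profile>[^)]*)\) \.\. "
    r"(?P<reason>.+?) service=(?P<service>\S+) (?P<port>\S+) (?P<remote>\S+)"
)


def parse_author_failure(line: str) -> Optional[AuthorFailure]:
    """Parse one ACS 'Author failed' line; return None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return AuthorFailure(
        timestamp=m["ts"], user=m["user"], group=m["group"], nas_ip=m["nas"],
        reason=m["reason"].strip(), service=m["service"], port=m["port"],
        remote_addr=m["remote"],
    )


def authorize(profile_services: Set[str], requested_service: str) -> Tuple[str, str]:
    """Simplified model of the ACS decision described in the thread: the
    requested TACACS+ service must be enabled in the user/group profile."""
    if requested_service in profile_services:
        return ("PASS", "")
    return ("FAIL", f"Service denied service={requested_service}")


def unresolved_services(lines: Iterable[str], profile_services: Set[str]) -> Set[str]:
    """Services that ACS is denying but that are absent from the profile:
    the candidates to add under Interface Configuration > TACACS+ (Cisco IOS)."""
    missing: Set[str] = set()
    for line in lines:
        f = parse_author_failure(line)
        if f and f.reason == "Service denied" and f.service not in profile_services:
            missing.add(f.service)
    return missing


if __name__ == "__main__":
    # Before the fix: the group profile only has the shell service enabled,
    # so a reverse-access (raccess) request is denied, as in the question.
    before = {"shell"}
    print("before:", authorize(before, "raccess"))
    print("services to add:", unresolved_services([SAMPLE_LOG], before))

    # After the fix: raccess has been added as a TACACS+ service and enabled
    # in the group, so the same request passes.
    after = {"shell", "raccess"}
    print("after:", authorize(after, "raccess"))
    print("services to add:", unresolved_services([SAMPLE_LOG], after))
```

Running the script over a real Failed Attempts export would list every service name the routers are asking for that the profile does not yet enable; with the profile as it stood in the question it reports only raccess, and once raccess is enabled the list is empty.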




wagnerch Sun, 11/18/2007 - 21:47

Thanks Jeff,


I already got your detailed information from your colleague at Cisco (Markus K.).


And it works.



Maybe you can also help me with:

Security / AAA / Restrict User to specific NAS if only default NAS profile is configured


http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.2cbe7e71
