Priv mode access when authenticating

kduckett
Level 1

When I log into a Cisco device, I am prompted to enter username/password. Once authenticated, I have to enter the "enable" command and then enter my password again in order to gain privileged mode access. I want to be able to go to priv mode directly.

My AAA configuration looks like this:

aaa authentication login default group tacacs+ local
aaa authentication login ciscoadmins group tacacs+ local
aaa authentication enable default group tacacs+
aaa authorization config-commands
aaa authorization exec ciscoadmins group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 ciscoadmins group tacacs+ local
aaa authorization network default group tacacs+
aaa authorization network ciscoadmins group tacacs+

On my ACS SE (ver 4.1.4.13), I have both the User and Group setting configured the same for the TACACS+ section with SHELL (exec) checked and PRIV Level checked and the value set to 15.

I can get this to work with RADIUS but have not been successful with TACACS+.

Does anyone have a solution for this?

Thanks,

Keith

16 Replies

jcpouliot
Level 1

Keith,

I've got this successfully working in my network. Here is my AAA configuration:

aaa authentication login default group tacacs+ local enable
aaa authentication login console line
aaa authorization exec default group tacacs+ if-authenticated

On the ACS server, I have each AAA client setup to use TACACS+ (Cisco IOS) for authentication. In the TACACS+ Interface configuration, I have a checkbox next to PPP IP, Shell (exec), as well as Advanced TACACS+ Features. Then in the User/Group Setup, I have a checkbox next to Shell (exec) and Privilege level with 15 specified. I also have a Network Access Restriction configured for my group to allow All AAA Clients as a Permitted Calling/Point of Access Location.

Hope this helps.

John

Hi John,

Thank you for the reply. I tried the configuration you provided and unfortunately I was not able to get it to work on my network. I must have something else enabled that is blocking the authorization or I'm missing a parameter somewhere.

Thanks again for the assistance!

Keith

The only other global setting I have on my routers/switches is the following:

tacacs-server host x.x.x.x (IP address of ACS server)

tacacs-server key ******* (key as entered in the AAA client setup in ACS)

Have you been able to do any AAA debugging on your router or look at the reports on the ACS server?

John

The tacacs-server host and key settings are fine but I have not enabled debugging yet, so I'll try that next. Thanks John!

Keith

Keith

Are you looking to do this on the vty on the console or on both? There is an issue with doing it on the console. Going directly to privilege level 15 depends on authorization and by default Cisco does not do authorization on the console. If you want to do this on the console there is a hidden command that will make this work:

aaa authorization console

As with most hidden commands, Cisco recommends that you use this with caution - there is some risk that you could lock yourself out of the device if you misconfigure something.

HTH

Rick

Hi Rick,

I am only trying to do this on the vty line and not on the console.

Thanks,

Keith

Keith

Thanks for clearing this up. I have seen similar discussions where the issue was access via console.

So if you are doing it on the vty then perhaps you can post the configuration of your vty lines?

I see that you have authentication and authorization set up for ciscoadmins. Can you show us how and where this is defined?

HTH

Rick

Rick,

The "ciscoadmins" group is defined on my ACS SE appliance and authentication is working fine. The vty settings are:

line vty 0 4
 exec-timeout 30 0
 transport preferred ssh

Keith

Keith

I believe that the issue involves this line of the config:

aaa authorization exec ciscoadmins group tacacs+ local if-authenticated

It is creating a named method list for authorization. IOS wants to see that method list specified on your lines (or it wants to use the default method list). I suggest that you include this line under the vty lines:

authorization exec ciscoadmins

or use this line in the aaa section:

aaa authorization exec default group tacacs+ local if-authenticated

HTH

Rick

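As an added check that is not part of this thread: a small Python audit that flags exactly the misconfiguration Rick describes, a named `aaa authorization exec` list that no vty line references, so a TACACS+ user never gets the privilege level the server returns. The sample config is constructed from the lines posted above; the function names are my own.

```python
import re

# Constructed sample: the thread's AAA lines plus a vty block that applies no exec list.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login ciscoadmins group tacacs+ local
aaa authentication enable default group tacacs+
aaa authorization exec ciscoadmins group tacacs+ local if-authenticated
aaa authorization commands 15 ciscoadmins group tacacs+ local
line con 0
 login authentication default
line vty 0 4
 exec-timeout 30 0
 transport preferred ssh
"""

def parse_line_blocks(config):
    """Return {line_header: [subcommands]} for every 'line ...' block (indented children)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip() if raw.startswith("line ") else None
            if current is not None:
                blocks[current] = []
    return blocks

def audit_exec_authorization(config):
    """List findings: named exec lists applied nowhere, and vty lines with no exec list at all."""
    named, has_default = set(), False
    for m in re.finditer(r"^aaa authorization exec (\S+)", config, re.M):
        if m.group(1) == "default":
            has_default = True      # a default list covers every line implicitly
        else:
            named.add(m.group(1))
    findings, applied = [], set()
    for header, subs in parse_line_blocks(config).items():
        refs = [s.split()[2] for s in subs if s.startswith("authorization exec ")]
        applied.update(refs)
        if not refs and not has_default and header.startswith("line vty"):
            findings.append(f"{header}: no exec authorization list and no default list; "
                            "the TACACS+ priv-lvl is never applied on this line")
    for name in sorted(named - applied):
        findings.append(f"named list '{name}' is defined but applied to no line")
    return findings
```

Adding `authorization exec ciscoadmins` under `line vty 0 4` in the sample, as Rick suggests, clears both findings.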
Thanks Rick!

Adding the command "authorization exec ciscoadmins" to my vty lines resolved the problem.

Thanks again,

Keith

Keith

I am glad that you got your problem resolved. Thank you for using the rating system to indicate that your problem was resolved (and thanks for the rating). It makes the forum more useful when people can read about a problem and can know that they will read a solution to the problem.

The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick

Rick,

I just learned about the NetPro Forum recently and the benefits paid off almost immediately. I have found more (additional) information inside the forum than was available on the Cisco Tech Support site. The creation of this forum was a great idea and people like yourself help make it a very valuable tool and information repository for others like myself. You can bet I will look here first when trying to resolve a problem in the future.

BTW, my first couple of Cisco classes were conducted by Chesapeake Computer Consultants in the mid/late 90's. They were a first-class organization and I am glad to see they weren't completely disbanded.

I also want to say "thanks" to the others who responded to my post and offered up suggestions and ideas. I was pleasantly surprised by how quickly the replies started coming in and by the number of responses. This is a great community!!!

Thanks again,

Keith

Keith

I am glad that you have discovered the forum and what a valuable resource it is. I am also glad that you recognize our corporate ancestry back to Chesapeake Computer Consultants. I taught for Chesapeake Computer Consultants and was with them as they became Mentor Technologies and then when they failed. A group of us who survived that started over as Chesapeake NetCraftsmen and we are proud of our heritage from Chesapeake Computer Consultants.

HTH

Rick

These commands and ACS configurations don't work with an ASA 5520. Any idea how to get it to work on an ASA 5520?
