How to enable Command Authorization in ACS?

Answered Question
Jun 5th, 2008

hi,

I have ACS 4.1 for Windows!!

I am testing Cisco6513 for command authorization for a user.

The problem is that the switch is authorizing the commands which I have denied in ACS for that particular user.

I am attaching the screen shots.

Can anyone tell me what I am missing? Do I need to put some commands in the 6513 to enable command authorization in the ACS?

My Switch config for ACS is:


aaa new-model

aaa group server tacacs+ name1

server ACSserver1

!

aaa authentication login default group name1 local

aaa authentication enable default group name1 enable

aaa authorization exec default group name1 if-authenticated

ip http authentication aaa

tacacs-server host ACSserver1

no tacacs-server directed-request

tacacs-server key xxxxx




Correct Answer
Jagdeep Gambhir Thu, 06/05/2008 - 04:58

You are missing these commands,



aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands



Regards,

~JG


Do rate helpful posts

abhay_i386 Mon, 06/09/2008 - 23:18

Hi,

You need to apply these commands for authentication & authorization on the router/switch and ACS server.


aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization config-commands

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 0 default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

aaa authorization network default group tacacs+


You can also exclude your console from AAA:


line con 0

login authentication local_auth

exit


Please rate it if helpful.

lundvall Wed, 06/11/2008 - 11:10

I have been looking for the command to exclude the console port but haven't found it. Can someone point me in the right direction?

Jagdeep Gambhir Wed, 06/11/2008 - 11:48

For that you need to set up a method list,



username test privilege 15 password test

aaa new-model

aaa authentication login vty_login group tacacs+ local

aaa authentication login console_login local

aaa authorization exec vty_login group tacacs+ local

tacacs-server host key cisco


line vty 0 4

login authentication vty_login


line con 0

login authentication console_login



Regards,

~JG

Do rate helpful posts
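A small audit script, added here as an example and not part of any post in this thread, that checks a running-config for the two points discussed above: the `aaa authorization commands` lists from the accepted answer (without them the switch never asks ACS about EXEC commands) and the local-only console login list from the last reply. The sample configuration is constructed from the thread's posts; the finding wording, the console heuristic and the server-down table are my own reading of IOS method-list fallback (`if-authenticated` permits the command when no server answers, and configuration-mode authorization is on by default unless the `no` form is present):

```python
import re

# Constructed sample (not a verbatim post): the original poster's switch
# configuration with a local-only console login list added, and still without
# any "aaa authorization commands" lines, which is the thread's bug.
POSTED_CONFIG = """\
aaa new-model
aaa group server tacacs+ name1
 server ACSserver1
!
aaa authentication login default group name1 local
aaa authentication login console_login local
aaa authorization exec default group name1 if-authenticated
tacacs-server host ACSserver1
tacacs-server key xxxxx
!
line con 0
 login authentication console_login
line vty 0 4
 login authentication default
"""

# The same configuration with the accepted answer's three lines added.
FIXED_CONFIG = POSTED_CONFIG + """\
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
"""

AUTHZ_CMD = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")
LOGIN_LIST = re.compile(r"^aaa authentication login (\S+) (.+)$")


def parse_config(text):
    """Extract the AAA facts the audit needs from running-config text."""
    command_authz = {}   # privilege level -> method string
    login_lists = {}     # login list name -> method string
    line_login = {}      # "con 0" / "vty 0 4" -> login list name in effect
    # IOS authorizes configuration-mode commands by default once command
    # authorization is configured; only the explicit "no" form turns it off.
    config_commands = True
    current_line = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current_line = None  # a top-level command ends the "line" sub-mode
        cmd = raw.strip()
        if m := AUTHZ_CMD.match(cmd):
            command_authz[int(m.group(1))] = m.group(3)
        elif m := LOGIN_LIST.match(cmd):
            login_lists[m.group(1)] = m.group(2)
        elif cmd == "no aaa authorization config-commands":
            config_commands = False
        elif cmd.startswith("line "):
            current_line = cmd[5:]
            line_login.setdefault(current_line, "default")  # implicit list
        elif current_line and cmd.startswith("login authentication "):
            line_login[current_line] = cmd.split()[2]
    return command_authz, login_lists, line_login, config_commands


def audit(text):
    """Return findings (an empty list passes): command authorization must exist
    for EXEC levels 1 and 15, and the console should not depend on a reachable
    TACACS+ server (assumed heuristics, see the lead-in)."""
    command_authz, login_lists, line_login, config_commands = parse_config(text)
    findings = []
    for level in (1, 15):
        if level not in command_authz:
            findings.append(f"level {level}: no 'aaa authorization commands "
                            f"{level}' list, so ACS is never asked about them")
    if not config_commands:
        findings.append("configuration-mode commands are excluded from authorization")
    for line, list_name in line_login.items():
        methods = login_lists.get(list_name)
        if methods is None:
            if list_name != "default":  # an undefined "default" is left alone here
                findings.append(f"line {line}: login list '{list_name}' is undefined")
        elif line.startswith("con") and methods.split()[0] == "group":
            findings.append(f"line {line}: list '{list_name}' ({methods}) asks the "
                            "server first; console recovery needs it reachable")
    return findings


def server_down_behaviour(text):
    """Per authorized privilege level, what the method list's last method does
    to a command when every TACACS+ server is unreachable."""
    result = {}
    for level, methods in parse_config(text)[0].items():
        tail = methods.split()[-1]
        if tail in ("if-authenticated", "none"):
            result[level] = "permit"       # the thread's lists behave this way
        elif tail == "local":
            result[level] = "local privilege check"
        else:
            result[level] = "deny"         # "group tacacs+" alone fails closed
    return result
```

Running `audit(POSTED_CONFIG)` reports the two missing command-authorization lists; `audit(FIXED_CONFIG)` returns nothing. `server_down_behaviour` makes the trade-off in the accepted answer explicit: the `if-authenticated` tail keeps administrators working when ACS is down, at the cost of permitting every command until the server is back, so the choice between that and `local` or a fail-closed list is worth making deliberately.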
