How to enable Command Authorization in ACS?

rajeev.payal
Level 1

hi,

I have ACS 4.1 for Windows!!

I am testing a Cisco 6513 for command authorization for a user.

The problem is that the switch is authorizing the commands which I have denied in ACS for that particular user.

I am attaching the screen shots.

Can anyone tell me what I am missing? Do I need to put some commands in the 6513 to enable command authorization in ACS?

My switch config for ACS is:

aaa new-model
aaa group server tacacs+ name1
 server ACSserver1
!
aaa authentication login default group name1 local
aaa authentication enable default group name1 enable
aaa authorization exec default group name1 if-authenticated
ip http authentication aaa
tacacs-server host ACSserver1
no tacacs-server directed-request
tacacs-server key xxxxx

Accepted Solution

Jagdeep Gambhir
Level 10

You are missing these commands:

aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands

Regards,

~JG

Do rate helpful posts

6 Replies


abhay_i386
Level 1

Hi,

You need to apply these commands for authentication & authorization on the router/switch and ACS server.

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group tacacs+

You can also exclude your console from AAA:

line con 0
 login authentication local_auth
exit

Please rate it if helpful.
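As an added example (not code from this thread or from Cisco), a small Python audit that reads an IOS running-config and reports exactly the gap the two replies above fix: no `aaa authorization commands` list for privilege levels 1 and 15, a list whose first method is not a TACACS+ server group, or config-mode command authorization explicitly switched off. The sample config is constructed from the original post; function and key names are my own, and the check assumes IOS hides the default `aaa authorization config-commands` and only shows the `no` form when it has been disabled.

```python
import re

# Constructed sample: the original poster's config. It authorizes the EXEC
# session but never asks ACS about individual commands, so ACS deny rules
# for that user are never consulted.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ name1
 server ACSserver1
!
aaa authentication login default group name1 local
aaa authentication enable default group name1 enable
aaa authorization exec default group name1 if-authenticated
ip http authentication aaa
tacacs-server host ACSserver1
no tacacs-server directed-request
tacacs-server key xxxxx
"""

CMD_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")
GROUP_RE = re.compile(r"^aaa group server tacacs\+ (\S+)$")


def audit_command_authz(config: str, levels=(1, 15)) -> dict:
    """Report missing or weak per-command TACACS+ authorization.

    missing_levels: privilege levels with no 'aaa authorization commands' list.
    non_tacacs_first: levels whose list does not start with 'group <tacacs+ group>'
        (e.g. 'local' or 'if-authenticated' first bypasses the ACS decision).
    config_commands_disabled: 'no aaa authorization config-commands' present.
    """
    lines = [l.strip() for l in config.splitlines()]
    groups = {"tacacs+"}  # built-in group name, plus any named groups
    for l in lines:
        m = GROUP_RE.match(l)
        if m:
            groups.add(m.group(1))
    lists = {}  # privilege level -> method keywords, e.g. ['group', 'name1', ...]
    for l in lines:
        m = CMD_RE.match(l)
        if m:
            lists[int(m.group(1))] = m.group(3).split()
    findings = {"missing_levels": [], "non_tacacs_first": [],
                "config_commands_disabled": "no aaa authorization config-commands" in lines}
    for lvl in levels:
        methods = lists.get(lvl)
        if methods is None:
            findings["missing_levels"].append(lvl)
        elif not (methods[0] == "group" and len(methods) > 1 and methods[1] in groups):
            findings["non_tacacs_first"].append(lvl)
    return findings
```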

Thanks to both of you... Problem solved!!

I have been looking for the command to exclude the console port but haven't found it. Can someone point me in the right direction?

For that you need to set up a method list:

username test privilege 15 password test
aaa new-model
aaa authentication login vty_login group tacacs local
aaa authentication login console_login local
aaa authorization exec vty_login group tacacs local
! <ACS-IP> is a placeholder for the TACACS+ server address
tacacs-server host <ACS-IP> key cisco
line vty 0 4
 login authentication vty_login
 ! apply the named exec authorization list, otherwise it is defined but unused
 authorization exec vty_login
line con 0
 login authentication console_login

Regards,

~JG

Do rate helpful posts

Thank you very much.