Cisco CSS AAA with ACS server

Unanswered Question
Jun 29th, 2009

Hello,

I have applied the below config to my CSS:-

virtual authentication primary tacacs

virtual authentication secondary local

tacacs-server key spire_tacacs

tacacs-server account config

tacacs-server x.x.x.x 49 primary

tacacs-server authorize config

Everything works with regard to authentication back to the ACS. The problem is that when I create a new user and group with a specific command set, the CSS fails and in the log of the ACS under failed attempts it says that author failed with command denied (service=shell cmd=privilege).

The same command set works with a Cisco 4500/6500/7200 (you get the idea), but not the CSS. The only way it works is if you permit all commands, which is not what I need.

Has anyone got any ideas on this?

Cheers

Steven

smalkeric Fri, 07/03/2009 - 11:42

To add a user to a group, go to the User Setup section of the Cisco Secure ACS HTML interface:

• On the User Setup Select page, specify a username.

• On the User Setup Edit page, specify the following:

  - Password Authentication - Select an applicable authentication type from the list.

  - Password - Specify and confirm a password.
