Cisco CSS AAA with ACS server

Jun 29th, 2009


I have applied the below config to my CSS:-

virtual authentication primary tacacs

virtual authentication secondary local

tacacs-server key spire_tacacs

tacacs-server account config

tacacs-server x.x.x.x 49 primary

tacacs-server authorize config

Everything works with regards to authentication back to the ACS. Problem is when I create a new user and group with a specific command set, the CSS fails and in the log of the ACS under failed attempts it says that author failed with command denied (service=shell cmd=privilege).

The same command set works with a Cisco 4500/6500/7200 (you get the idea), but not the CSS. The only way it works is if you permit all commands which is not what I need.

Has anyone got any ideas on this?



smalkeric Fri, 07/03/2009 - 11:42

To add a user to a group, go to the User Setup section of the Cisco Secure ACS HTML interface:

• On the User Setup Select page, specify a username.

• On the User Setup Edit page, specify the following:

  - Password Authentication - Select an applicable authentication type from the list.

  - Password - Specify and confirm a password.

