Cisco CSS AAA with ACS server

Unanswered Question
Jun 29th, 2009

Hello,


I have applied the below config to my CSS:-



virtual authentication primary tacacs
virtual authentication secondary local

tacacs-server key spire_tacacs
tacacs-server account config
tacacs-server x.x.x.x 49 primary
tacacs-server authorize config


Everything works with regards to authentication back to the ACS. Problem is when I create a new user and group with a specific command set, the CSS fails and in the log of the ACS under failed attempts it says that author failed with command denied (service=shell cmd=privilege).


The same command set works with a Cisco 4500/6500/7200 (you get the idea), but not the CSS. The only way it works is if you permit all commands which is not what I need.


Has anyone got any ideas on this?


Cheers


Steven

smalkeric Fri, 07/03/2009 - 11:42

To add a user to a group, go to the User Setup section of the Cisco Secure ACS HTML interface:


• On the User Setup Select page, specify a username.
• On the User Setup Edit page, specify the following:
  - Password Authentication - Select an applicable authentication type from the list.
  - Password - Specify and confirm a password.
