Can't quite get ACS group access working

ben.giles
Level 1

Hi,

I have the ACS SE 4.2, and 2950 edge switches.

I have set up two users, one admin and one test on the ACS.

I have applied the following configuration on my switch:

aaa authentication login default group tacacs+ local enable
aaa authorization config-commands
aaa authorization exec default group tacacs+
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+

The test user is in its own group, and I have applied a max privilege level of 15 to this group.

I have then set specific commands that the group is permitted to use, and denied to use.

However it doesn't seem to work correctly.

Can anyone see an error in how I've configured the switch?

I have attached screenshots of the user and group setup also.

Thanks!

2 Replies

ben.giles
Level 1

Group screenshots.

This was how we configured the switches at my last place.

aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

HTH

Pete
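
An added example, not part of either post: a short Python script that parses the two `aaa` blocks quoted in this thread and reports, per service, type and privilege level, where their method lists differ. The function names (`parse_aaa`, `diff_aaa`, `command_levels`) are hypothetical, and the two config strings are copied from the posts above as constructed input.

```python
# Constructed input: the aaa lines from the question and from the reply.
QUESTION_CFG = """\
aaa authentication login default group tacacs+ local enable
aaa authorization config-commands
aaa authorization exec default group tacacs+
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
"""
REPLY_CFG = """\
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
"""

def parse_aaa(text):
    """Map (service, type, level, list_name) -> tuple of method tokens."""
    rules = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "aaa":
            continue
        service, kind, rest = tok[1], tok[2], tok[3:]
        level = None
        if rest and rest[0].isdigit():          # e.g. "commands 15"
            level, rest = int(rest[0]), rest[1:]
        list_name = rest[0] if rest else None   # None for flag lines (config-commands)
        rules[(service, kind, level, list_name)] = tuple(rest[1:])
    return rules

def diff_aaa(a, b):
    """Return {key: (methods_in_a, methods_in_b)} where they differ; None = line absent."""
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b), key=str) if a.get(k) != b.get(k)}

def command_levels(rules, service):
    """Privilege levels that have a 'commands <level>' line for this service."""
    return sorted(k[2] for k in rules if k[0] == service and k[1] == "commands")

if __name__ == "__main__":
    for key, (q, r) in diff_aaa(parse_aaa(QUESTION_CFG), parse_aaa(REPLY_CFG)).items():
        print(key, "question:", q, "reply:", r)
```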
