ACS 5.0 Privilege level too high

Answered Question
Mar 2nd, 2010

Hi

I'm attempting to determine what is causing this error.

When logging into my switch, I am able to authenticate to user mode.  However, when I attempt to log in to priv exec mode, the authentication fails, and in the ACS log, there is an error that is generated advising "privilege level too high".

I'm not entirely clear what is generating this error.  It advises to check the authorization profile, which I did...I attempted adjusting the privilege level from 0 to 15 to no avail...

Any suggestions on where to pinpoint where this is coming from?

bruce

jrabinow Tue, 03/02/2010 - 22:20

There are two fields in a shell authorization profile:

Default Privilege:   // Default privilege on session

Maximum Privilege:  // Maximum privilege that can be assigned to the session (by enable)

Do you know which profile is being used for the session and which values it has for these fields?

Bruce Summers Wed, 03/03/2010 - 04:23

Honestly, no I don't know which profile is being used...I'm not sure how to determine that...

Frankly, I'm not entirely sure what is being used within this configuration...I don't "see" how/where you select options or how they inter-relate with groups or users...

Correct Answer
jrabinow Sat, 03/06/2010 - 23:32

ACS 5.0 is very different in concept to ACS 4.x and uses a policy-based system to determine handling of requests, as opposed to configuring this as part of the user/group definitions.

There are some materials, including a video, available from the Welcome page of the application.

WRT your specific question, I think the change you need to make is as follows, to create a new Shell Profile with a "Maximum Privilege Level" of 15:

1) Go to

Access Policies > ... > Access Services > Default Device Admin > Authorization

2) Select the check box by the row that starts with default and then press Edit

3) Press Select and then Create to create a new shell profile

4) Enter whichever name you desire, then go to the "Common Tasks" tab and set "Maximum Privilege Level" to 15

5) Press "Submit" to create this profile and then OK twice to select this new profile as a result of the policy

6) Finally, from "Device Administration Authorization Policy" press "Save Changes" to change the policy to have the result you just created

Bruce Summers Sun, 03/07/2010 - 04:20

thanks...

I got it working

I had created the shell profile, but I had not selected the shell profile in the access policy that I created...I was still using the default "Permit Access" shell profile, which of course was a privilege level 1.

thanks for continuing to track my post...

Bruce
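The behaviour resolved in this thread, as an added example that is not part of the original posts and is not ACS code: a simplified model of an authorization policy returning a shell profile, with the profile's Maximum Privilege capping `enable`. The rule, group and profile names, the first-match evaluation, and the exact values of "Permit Access" (taken as 1/1 from the last post) are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ShellProfile:
    name: str
    default_privilege: int   # privilege on session start
    maximum_privilege: int   # ceiling that "enable" may raise the session to

@dataclass(frozen=True)
class Rule:
    name: str
    match: dict              # attribute -> required value
    result: ShellProfile

def select_profile(rules, default_result, request):
    """First matching rule wins (assumed); otherwise the Default rule applies."""
    for rule in rules:
        if all(request.get(k) == v for k, v in rule.match.items()):
            return rule.name, rule.result
    return "Default", default_result

def authorize_enable(profile, requested_level):
    """Decide an enable request against the selected profile's ceiling."""
    if not 0 <= requested_level <= 15:
        return False, "invalid privilege level"
    if requested_level > profile.maximum_privilege:
        return False, "privilege level too high"
    return True, "ok"

def explain(rules, default_result, request, requested_level=15):
    """Report which rule and profile decided the request, and the outcome."""
    rule_name, profile = select_profile(rules, default_result, request)
    allowed, reason = authorize_enable(profile, requested_level)
    return {"rule": rule_name, "profile": profile.name,
            "allowed": allowed, "reason": reason}

# Constructed sample data (hypothetical names and groups).
PERMIT_ACCESS = ShellProfile("Permit Access", 1, 1)
PRIV15 = ShellProfile("NetAdmin-Priv15", 1, 15)
ADMIN = {"user": "bruce", "identity_group": "NetAdmins"}
OTHER = {"user": "guest", "identity_group": "Helpdesk"}

# Profile created but not selected by any rule: the Default result still applies.
before = explain([], PERMIT_ACCESS, ADMIN)
# Profile selected as a rule result, scoped here to one group.
policy = [Rule("Admins", {"identity_group": "NetAdmins"}, PRIV15)]
after = explain(policy, PERMIT_ACCESS, ADMIN)
unchanged = explain(policy, PERMIT_ACCESS, OTHER)

if __name__ == "__main__":
    for label, r in (("before", before), ("after", after), ("other", unchanged)):
        print(label, r)
```

The model selects the profile through a group-scoped rule rather than the Default rule, so requests that match no rule keep the level 1 ceiling.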
