Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
636
Views
0
Helpful
4
Replies

ACS 5.0 Privlege level too high

Go to solution
Bruce Summers
Level 1
Level 1

‎03-02-2010 05:36 PM - edited ‎03-10-2019 04:59 PM

Hi

I'm attempting to determine what is causing this error.

when logging into my switch, I am able to authenticate to user mode.  However, when i attempt to login to priv exec mode, the authentication fails, and in the ACS log, there is an error that is generated advising "privlege level too high".

I'm not entirely clear what is generating this error.  It advises to check the authorization profile, which i did...I attempted adjusting the privlege level from 0 to 15 to no avail...

any suggestions on where to pinpoint where this is coming from?

bruce

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jrabinow
Level 7
Level 7
In response to Bruce Summers

‎03-06-2010 11:32 PM

ACS 5.0 is very different in concept to ACS 4.x

and uses a policy based system to determine handling of requests as opposed to confiuring this as part of the user/group definitions.

There are some materials, including a video, available from the Welcome page of the application.

WRT your specific question, I think the change you need to make is as follows to create a new Shell Profile with "Maximum Privelege Level" of 15

1) Go toAccess Policies > ... > Access Services > Default Device Admin > Authorization

2) Select the check box by row that starts with default and then press Edit

3) Press Select and then Create to create a new shell profile

4) Enter whichever name you desire and then "Common Tasks" tab where set "Maximum Privelege Level" of 15

5) Press "Submit" to create this profile and then OK twice to select this new profile as a result of the policy

6) Finally from "Device Administration Authorization Policy" press "Save Changes" to change the policy to have the result you just created

View solution in original post

0 Helpful
4 Replies 4

Go to solution
jrabinow
Level 7
Level 7

‎03-02-2010 10:20 PM

There are two fields in a shell authorization pofile:

Default Privilege:   // Defaultprovelege on session

Maximum Privilege:  // Maximum privelege that can be assigned to the session (by enable)

Do you know which profile is being used for the session and which values it has for these fields

0 Helpful

Go to solution
Bruce Summers
Level 1
Level 1
In response to jrabinow

‎03-03-2010 04:23 AM

Honestly, no I don't know which profile is being used...I'm not sure how to determine that...

Frankly, I'm not entirely sure what is being used within this configuration...I don't "see" how/where you select options or how they inter-relate with groups or users...

0 Helpful

Go to solution
jrabinow
Level 7
Level 7
In response to Bruce Summers

‎03-06-2010 11:32 PM

ACS 5.0 is very different in concept to ACS 4.x

and uses a policy based system to determine handling of requests as opposed to confiuring this as part of the user/group definitions.

There are some materials, including a video, available from the Welcome page of the application.

WRT your specific question, I think the change you need to make is as follows to create a new Shell Profile with "Maximum Privelege Level" of 15

1) Go toAccess Policies > ... > Access Services > Default Device Admin > Authorization

2) Select the check box by row that starts with default and then press Edit

3) Press Select and then Create to create a new shell profile

4) Enter whichever name you desire and then "Common Tasks" tab where set "Maximum Privelege Level" of 15

5) Press "Submit" to create this profile and then OK twice to select this new profile as a result of the policy

6) Finally from "Device Administration Authorization Policy" press "Save Changes" to change the policy to have the result you just created

0 Helpful

Go to solution
Bruce Summers
Level 1
Level 1
In response to jrabinow

‎03-07-2010 04:20 AM

thanks...

I got it working

I had created the shell profile, but I had not selected the shell profile in my access policy that i created...I was still using the default "Permit Access" shell profile, which of course was a privlege level 1.

thanks for continuing to track my post...

Bruce

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents