ACS 5.1 appliance and 3750 Switch

Unanswered Question
May 18th, 2010
I'm trying to add a 3750 to our new ACS 5.1 appliance for tacacs authorization

Attached is the config I have on the 3750 and a debug. After I enter this information, the enable command and all further commands say "Command authorization failed."

My ACS has this specific device added to the "Network Devices and AAA clients" area of ACS with a Tacacs shared secret PW the same as my Key on the 3750.

Javier Henderson (Cisco Employee) Tue, 05/18/2010 - 10:04

What is ACS reporting as the reason to fail the authorization?

Joseph Dworak Tue, 05/18/2010 - 11:01

ACS Report and Monitor shows for my account:

Failure Reason:
Logged At: May 18, 2010 12:58 PM
ACS Time: May 18, 2010 12:58 PM
ACS Instance:
Authentication Method:
Authentication Type:
Privilege Level:

When I type enable or any other command it says:

Command authorization failed.
Chetan Kumar Ress (Silver, 250 points or more) Tue, 05/18/2010 - 12:01

As you mention, you are able to log in, but you are not able to get authorized for enable and config.

Did you set up ACS for authorization?

Please let us know, so we can come up with a solution.

Javier Henderson (Cisco Employee) Tue, 05/18/2010 - 12:09

That is the authentication report. Please look in the authorization report.

Chetan Kumar Ress (Silver, 250 points or more) Tue, 05/18/2010 - 12:20

I recommend that you modify the AAA commands to support authorization, and in ACS configure the user's privilege level to 15 and

give authorization for configure terminal:

! Login and enable authentication against the built-in tacacs+ server group
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
! Exec (shell) authorization, so ACS can return the privilege level
aaa authorization exec default group tacacs+
! Send configuration-mode commands to ACS as well, not only exec commands
aaa authorization config-commands
! Per-privilege-level command authorization
aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 5 default group tacacs+
aaa authorization commands 15 default group tacacs+
! Accounting: IOS needs the record type and start-stop, not just "default"
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

Joseph Dworak Tue, 05/18/2010 - 12:50

I'm getting closer:  THANK YOU FOR ALL YOUR HELP SO FAR!!!!  I'm sending this but also looking into the failure reason.  I'm a n00b at this version . . . working to get off a Win Radius . . .

Here is the latest authorization report:
Failure Reason: 13025 Command failed to match a Permit rule
Logged At: May 18, 2010 2:42 PM
ACS Time: May 18, 2010 2:42 PM
ACS Instance:
Authentication Method:
Authentication Type:
Header Privilege Level:
Command Set: [ CmdAV=enable ]
User Name:
Remote Address:

Network Device
Network Device Name:
Network Device Group: Device Type:All Device Types:Switches:West, Location:All Locations
Device IP Address:

Access Policy
Access Service: Default Device Admin
Identity Store:
Selected Shell Profile:
Matched Command Set:
Selected Command Set:
Active Directory Domain:
Identity Group: All Groups:Administrators:NetEng
Access Service Selection Matched Rule:
Identity Policy Matched Rule:
Selected Identity Stores:
Query Identity Stores:
Selected Query Identity Store:
Group Mapping Policy Matched Rule:
Authorization Policy Matched Rule:
Authorization Exception Policy Matched Rule:
ACS Session ID:
Author Reply Status:

Other Attributes:
Device Port=22378
AuthenticationIdentityStore=Internal Users
SelectedAuthenticationIdentityStores=Internal Users
UserIdentityGroup=IdentityGroup:All Groups:Administrators:NetEng
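The report above shows exactly what ACS denied: the request was CmdAV=enable, and the reason was 13025 because no Permit rule in the selected command set matched it. As an added example that is not part of this thread and not ACS code, the following Python models how an ACS 5.x command set is evaluated against a TACACS+ command authorization request. The model is a simplification (assumed semantics: a matching Deny Always rule wins outright, otherwise the first matching rule decides, and an unmatched command falls through to the "permit any command not in the table" flag); the command-set names and rules are constructed for illustration. It shows why a set that only permits configure terminal still rejects enable, and what a set that covers a session's real commands looks like.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CmdRule:
    grant: str            # "permit", "deny" or "deny_always"
    command: str          # command keyword, matched case-insensitively
    arguments: str = ""   # regex searched in the argument string; "" = any arguments


@dataclass
class CommandSet:
    name: str
    rules: List[CmdRule] = field(default_factory=list)
    permit_unmatched: bool = False   # "Permit any command that is not in the table"


def split_request(cmd_line: str) -> Tuple[str, str]:
    """Split a TACACS+ cmd / cmd-arg request into keyword and argument string.

    IOS expands abbreviations before sending, so "conf t" arrives as
    cmd=configure, cmd-arg=terminal; the sample requests below are written
    in that expanded form.
    """
    parts = cmd_line.strip().split(maxsplit=1)
    keyword = parts[0].lower() if parts else ""
    args = parts[1] if len(parts) > 1 else ""
    return keyword, args


def evaluate(cmdset: CommandSet, cmd_line: str) -> Tuple[str, str]:
    """Return ("permit" | "deny", reason) for one command authorization request.

    Simplified model of ACS 5.x command-set evaluation (assumption, not ACS's
    own code): Deny Always anywhere in the table wins; otherwise the first
    rule whose keyword and argument regex match decides; with no match the
    'permit unmatched' flag is consulted, and failing that the request is
    denied with the equivalent of ACS message 13025.
    """
    cmd, args = split_request(cmd_line)
    if not cmd:
        return "deny", "empty command"
    first_match: Optional[CmdRule] = None
    for rule in cmdset.rules:
        if rule.command.lower() != cmd:
            continue
        if rule.arguments and not re.search(rule.arguments, args):
            continue
        if rule.grant == "deny_always":
            return "deny", f"{cmd!r} matched Deny Always rule in {cmdset.name}"
        if first_match is None:
            first_match = rule          # keep scanning: a later Deny Always still wins
    if first_match is not None:
        verdict = "permit" if first_match.grant == "permit" else "deny"
        return verdict, f"{cmd!r} matched {first_match.grant} rule in {cmdset.name}"
    if cmdset.permit_unmatched:
        return "permit", f"{cmd!r} not in table; permit-unmatched is set on {cmdset.name}"
    return "deny", f"13025 Command failed to match a Permit rule ({cmd!r} in {cmdset.name})"


# Constructed sample sets (hypothetical names, not from the thread's ACS).
# A set that permits only "configure terminal": 'enable' itself still fails,
# which is exactly what the 13025 / CmdAV=enable report shows.
CONF_T_ONLY = CommandSet("NetEng-ConfT", [CmdRule("permit", "configure", "terminal")])

# A set that covers what an operator session actually sends, and pins a
# dangerous variant (configure replace) with Deny Always.
NETENG_FULL = CommandSet("NetEng-Full", [
    CmdRule("deny_always", "configure", r"^replace"),
    CmdRule("permit", "enable"),
    CmdRule("permit", "show"),
    CmdRule("permit", "configure", "terminal"),
    CmdRule("permit", "write", "memory"),
])


if __name__ == "__main__":
    for cs in (CONF_T_ONLY, NETENG_FULL):
        for req in ("enable", "show running-config", "configure terminal",
                    "configure replace flash:base.cfg", "reload"):
            print(f"{cs.name:13} {req:34} -> {evaluate(cs, req)}")
```

Running the block prints the verdict for each sample request against both sets. The practical check it encodes: once `aaa authorization commands 1` is on, the first thing the user types, `enable`, is itself a command authorization request, so the command set attached to the NetEng identity group must permit `enable` (and the `show` commands the session needs), not only `configure terminal`, or 13025 persists.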
Chetan Kumar Ress (Silver, 250 points or more) Wed, 05/19/2010 - 05:02

Dear Joseph,

Configuring AAA with ACS is not so complicated.

Please follow the steps below:

1] Create a loopback address on the router for management and communication with the ACS server.

2] Add the loopback address in the ACS server with a pre-shared key for the TACACS+ protocol and check the first option. (As below, you can see some options that you need to select or check.)

3] If you are using a loopback address, then use ip tacacs source-interface loopback(number).

4] Configure AAA on the router, but only after adding the loopback IP address in ACS that you had configured on the router for management.

5] Create a group in ACS for the different privilege access, and in that group you can see the authorization section, where you need to give authorization with the initial command.

For example: create a group and give it privilege access of level 15, and in the authorization section give the command conf t and add it to the permit list.

And as for the AAA commands you shared, I personally do not recommend using those, because they will not work when your ACS server fails.

With the TACACS group, add local also, so if ACS fails you can still log in with a local user.


Chetan Kumar
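As an added example that is not part of the thread, the following is a complete 3750 configuration that follows the five steps above and adds the local fallback. The values are assumptions for illustration: Loopback0 is 10.255.0.1/32, the ACS 5.1 appliance is 10.10.10.5, the shared secret is ChangeMe-TacacsKey and the fallback user is admin; replace all of them.

```cisco
! Added example, not from the thread. Assumed values: Loopback0 10.255.0.1/32,
! ACS 5.1 at 10.10.10.5, shared secret ChangeMe-TacacsKey, fallback user admin.
!
! Step 1: management loopback
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! Steps 2 and 3: ACS must list 10.255.0.1 as the AAA client with this same
! secret, otherwise every request is rejected as coming from an unknown device.
tacacs-server host 10.10.10.5 key ChangeMe-TacacsKey
tacacs-server timeout 5
ip tacacs source-interface Loopback0
!
! Local fallback: consulted only when no TACACS+ server answers,
! not when ACS answers with a denial.
username admin privilege 15 secret ChangeMe-LocalPass
enable secret ChangeMe-EnablePass
!
! Step 4: AAA, entered only after the loopback is registered in ACS
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! The "default" method lists apply to all lines; restrict remote access to SSH.
line vty 0 4
 transport input ssh
```

Before cutting over, test the fallback from the console with the ACS address temporarily unreachable and `debug aaa authorization` running, since `local` is never consulted while ACS is answering. On the ACS side, the authorization report earlier in this thread shows the denied request is `CmdAV=enable`: once `aaa authorization commands 1` is on, `enable` itself goes to ACS, so the command set attached to the NetEng identity group must permit `enable` (and the `show` commands the session needs) and not only `configure terminal`, or 13025 continues.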

