05-22-2010 05:09 AM - edited 03-10-2019 05:09 PM
Hello Friends,
I'm configuring a Shell Command Authorization Set for a group of users. After entering the username and then the password, it gives me the error "Authorization Failed". I'm using the evaluation version of ACS for Windows 4.2.
For authorization I have configured it as follows:
Step 1. Go to Shell Command Authorization Set, check the Command button, and enter login.
Step 2. Select Permit under Unlisted Arguments. Repeat this process for the logout, enable, and disable commands. This is creating a set of commands that is authorized.
Step 3. Go to Shell Command Authorization Set, check the Command button, and enter show. Under Arguments, enter permit clock, and select deny for Unlisted Arguments.
Step 4. When you are finished, click Submit. This enables some basic command authorization at the Group level.
I'm doing this from a Cisco Press book. What commands am I authorized to execute? Has anybody faced this type of error before?
Thanks
05-24-2010 03:04 PM
What product are you trying to authenticate to? A router, an ASA?
Are you also doing authentication? Please make sure you do so.
Here you can find a couple of examples: http://www.ciscosystems.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_authorizatn_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1057693
Of course the ACS needs to be configured to do command (exec) authorization for specific commands and users.
PK
05-24-2010 04:11 PM
Have you configured command authorization on the network access device (router or switch)? The error message you are getting is because of exec authorization, so for that you need to give privilege 15 on the ACS. If you have a group configured, then go to that group, jump to TACACS+, check the option Shell (exec) and define privilege level 15.
Command authorization configuration example:
In order to configure command authorization on IOS you need the below listed commands:
aaa new-model
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
On ASA you only need one command
aaa authorization command tacacs LOCAL
If you still face any issues then do attach the sh run from the device and the failed attempt logs from the ACS.
HTH
JK
Do rate helpful posts-
05-26-2010 05:52 AM
Dear jkatyal
I'm confused; can you help me authorize some commands for a group in ACS? The above 4 steps in my previous mail: what have I done, and what will I achieve from those steps? What command access will I be authorized for? I have added the above commands from your mail in my routers, but what do these commands actually do?
I have enabled privilege level 1 in the Exec (Shell) section of the group, and in the Shell Command Authorization Set I have done exactly the following:
Step 1. Go to Shell Command Authorization Set, check the Command button, and enter login.
Step 2. Select Permit under Unlisted Arguments. Repeat this process for the logout, enable, and disable commands. This is creating a set of commands that is authorized.
Step 3. Go to Shell Command Authorization Set, check the Command button, and enter show. Under Arguments, enter permit clock, and select deny for Unlisted Arguments.
I have also configured a privilege level 1 user in the router. When I try to telnet to a router I get a prompt for username and password, and then when I type "en" it again prompts me with "router >".
Below is the output from the console when a privilege level 1 user telnets to a router.
ACS_Router#
*May 26 12:28:18.331: AAA/BIND(0000000D): Bind i/f
*May 26 12:28:18.331: AAA/AUTHEN/LOGIN (0000000D): Pick method list '123'
*May 26 12:28:31.331: AAA/AUTHOR (0000000D): Method list id=0 not configured. Skip author
*May 26 12:28:41.115: AAA/AUTHOR: auth_need : user= 'test' ruser= 'ACS_Router'rem_addr= '192.168.10.4' priv= 0 list= '' AUTHOR-TYPE= 'command'
*May 26 12:28:41.115: AAA: parse name=tty514 idb type=-1 tty=-1
*May 26 12:28:41.115: AAA: name=tty514 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=514 channel=0
*May 26 12:28:41.115: AAA/MEMORY: create_user (0x467487F0) user='test' ruser='ACS_Router' ds0=0 port='tty514' rem_addr='192.168.10.4' authen_type=ASCII service=NONE priv=0 initial_task_id='0', vrf= (id=0)
*May 26 12:28:41.115: tty514 AAA/AUTHOR/CMD(1324718254): Port='tty514' list='' service=CMD
*May 26 12:28:41.115: AAA/AUTHOR/CMD: tty514(1324718254) user='test'
*May 26 12:28:41.115: tty514 AAA/AUTHOR/CMD(1324718254): send AV service=shell
*May 26 12:28:41.119: tty514 AAA/AUTHOR/CMD(1324718254): send AV cmd=enable
*May 26 12:28:41.119: tty514 AAA/AUTHOR/CMD(1324718254): send AV cmd-arg=1
*May 26 12:28:41.119: tty514 AAA/AUTHOR/CMD(1324718254): send AV cmd-arg=
*May 26 12:28:41.119: tty514 AAA/AUTHOR/CMD(1324718254): found list "default"
*May 26 12:28:41.119: tty514 AAA/AUTHOR/CMD(1324718254): Method=tacacs+ (tacacs+)
*May 26 12:28:41.119: AAA/AUTHOR/TAC+: (1324718254): user=test
*May 26 12:28:41.119: AAA/AUTHOR/TAC+: (1324718254): send AV service=shell
*May 26 12:28:41.119: AAA/AUTHOR/TAC+: (1324718254): send AV cmd=enable
*May 26 12:28:41.119: AAA/AUTHOR/TAC+: (1324718254): send AV cmd-arg=1
*May 26 12:28:41.119: AAA/AUTHOR/TAC+: (1324718254): send AV cmd-arg=
*May 26 12:28:41.319: TAC+: (1324718254): received author response status = PASS_ADD
*May 26 12:28:41.319: AAA/AUTHOR (1324718254): Post authorization status = PASS_ADD
*May 26 12:28:41.319: AAA/MEMORY: free_user (0x467487F0) user='test' ruser='ACS_Router' port='tty514' rem_addr='192.168.10.4' authen_type=ASCII service=NONE priv=0 vrf= (id=0)
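The following is an added example and not code from the thread or from Cisco. It models the Shell Command Authorization Set described in steps 1 to 3 (login, logout, enable and disable with unlisted arguments permitted; show with only clock permitted) and parses `debug aaa authorization` output of the kind pasted above, so that the command the router actually sent to TACACS+ (the `cmd` and `cmd-arg` AV pairs) can be compared with the verdict the server returned. The class names, the `unmatched_commands` default and the treatment of an empty argument string are assumptions made for this model; real ACS matching is done by the server, and the sample debug lines are a trimmed copy of the poster's output.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """One command entry in a modelled ACS shell command authorization set."""
    permitted_args: set = field(default_factory=set)   # explicit 'permit <arg>' lines
    unlisted_args: str = "deny"                         # 'Unlisted Arguments' radio: permit | deny


@dataclass
class ShellCommandSet:
    rules: dict                        # command name -> CommandRule
    unmatched_commands: str = "deny"   # assumption: commands absent from the set are denied

    def evaluate(self, cmd, args):
        """Return True if the modelled set permits `cmd` with the argument words `args`."""
        rule = self.rules.get(cmd)
        if rule is None:
            return self.unmatched_commands == "permit"
        arg_string = " ".join(a for a in args if a)     # IOS sends one cmd-arg AV per word
        if arg_string in rule.permitted_args:
            return True
        # Assumption: an empty argument string is judged like any other unlisted argument.
        return rule.unlisted_args == "permit"


# The set built in steps 1 to 3 of the thread.
THREAD_SET = ShellCommandSet(rules={
    "login":   CommandRule(unlisted_args="permit"),
    "logout":  CommandRule(unlisted_args="permit"),
    "enable":  CommandRule(unlisted_args="permit"),
    "disable": CommandRule(unlisted_args="permit"),
    "show":    CommandRule(permitted_args={"clock"}, unlisted_args="deny"),
})

SESSION_RE = re.compile(r"\((\d+)\)")            # decimal authorization session id
AV_RE = re.compile(r"send AV ([\w-]+)=(.*)$")    # attribute=value pair sent to the server
STATUS_RE = re.compile(r"status = (\w+)")
USER_RE = re.compile(r"user=(\S+)")


def parse_author_debug(text):
    """Group debug lines by session id; keep only AV pairs actually sent to TACACS+."""
    sessions = {}
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue
        sess = sessions.setdefault(m.group(1), {"user": None, "avs": [], "status": None})
        if "AAA/AUTHOR/TAC+" in line:
            av = AV_RE.search(line)
            if av:
                sess["avs"].append((av.group(1), av.group(2)))
                continue
            u = USER_RE.search(line)
            if u:
                sess["user"] = u.group(1)
        st = STATUS_RE.search(line)
        if st and "received author response" in line:
            sess["status"] = st.group(1)     # PASS_ADD, PASS_REPL, FAIL, ...
    return sessions


def requested_command(session):
    """Return (cmd, [non-empty cmd-arg words]) for one parsed session."""
    cmd = next((v for k, v in session["avs"] if k == "cmd"), None)
    args = [v for k, v in session["avs"] if k == "cmd-arg" and v]
    return cmd, args


def verdict_matches(session, command_set):
    """True when the modelled set agrees with the verdict the server actually returned."""
    cmd, args = requested_command(session)
    if cmd is None or session["status"] is None:
        return False
    server_permitted = session["status"] in {"PASS_ADD", "PASS_REPL"}
    return command_set.evaluate(cmd, args) == server_permitted


# Trimmed copy of the poster's debug output (the TACACS+ leg of one session).
SAMPLE_DEBUG = """\
*May 26 12:28:41.119: AAA/AUTHOR/TAC+: (1324718254): user=test
*May 26 12:28:41.119: AAA/AUTHOR/TAC+: (1324718254): send AV service=shell
*May 26 12:28:41.119: AAA/AUTHOR/TAC+: (1324718254): send AV cmd=enable
*May 26 12:28:41.119: AAA/AUTHOR/TAC+: (1324718254): send AV cmd-arg=1
*May 26 12:28:41.119: AAA/AUTHOR/TAC+: (1324718254): send AV cmd-arg=
*May 26 12:28:41.319: TAC+: (1324718254): received author response status = PASS_ADD
"""

if __name__ == "__main__":
    for sid, sess in parse_author_debug(SAMPLE_DEBUG).items():
        cmd, args = requested_command(sess)
        print(sid, sess["user"], cmd, args, sess["status"], verdict_matches(sess, THREAD_SET))
    for probe in (("show", ["clock"]), ("show", ["running-config"]), ("configure", ["terminal"])):
        print(probe, THREAD_SET.evaluate(*probe))
```

Reading the model against the pasted debug: the router sent `cmd=enable` with `cmd-arg=1`, the `enable` entry permits unlisted arguments, and the server answered PASS_ADD, so the set and the verdict agree for that command. A request for `show running-config` would be denied by the same set because only `clock` is listed and unlisted arguments are denied, which is the kind of mismatch to look for when a session ends in FAIL.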