ACS 5.3 - TACACS+ command authorization

I'm doing an eval of ACS 5.3 for a client and I'm trying to integrate one of the routers into it using TACACS+. I had the authentication working with an internal user. When I went back in and added the authorization parts though, now I'm locked down to the enable prompt and can't do anything... trying to make sense of the documentation on how to assign the command sets, etc. to my test user, but it doesn't make any sense (this is some of the lousier documentation I've seen for a while...).

Does anyone have any thoughts on what to do to get the command sets to work?

SJ

4 Replies

Eduardo Aliaga
Level 4

Could you please post your ACS config and your router config?

Don't mean to be ignorant about this, but is there a way to export the config from ACS? Router config section is below... I've used this successfully with 4.2 several times...

ip tacacs source-interface gi 0/0
tacacs-server directed-request
! shared secret value omitted in the post
tacacs-server key
tacacs-server host x.x.x.x
!
aaa new-model
! login falls back to the local user database only if TACACS+ does not answer
aaa authentication login default group tacacs+ local
aaa authentication login no-tacacs none
aaa authentication enable default group tacacs+ enable
!
! configuration-mode commands are also sent to the server for authorization
aaa authorization config-commands
aaa authorization exec default if-authenticated
aaa authorization commands 1 default if-authenticated
aaa authorization commands 15 default group tacacs+ local
! applies the authorization method lists to the console line as well
aaa authorization console
!
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common

As a follow-up... I'm looking at ACS now. The way I have it set up is using the default 'permit all' for the device authorizations, shell profile, command sets, etc. It should let whatever commands I run through. But all I see on the router is 'command authorization failed'. I can't even reload the thing now...

Is there a document somewhere that goes through step-by-step?

To get in you can change the shared secret in ACS so that the router will go into local mode, or you can just change the IP address of the router so ACS doesn't respond. That will let you into the router using your local credentials.

The shell profile that you are using, did you configure any other attributes like RBAC for other devices like Nexus or WLC? If so, you may want to switch the operand of mandatory to optional and then try your test again.

If you want to export your configuration you can go to the CLI and issue the "acs backup...." to get the backup of your config; you will need to set up a repository to export this to.

Thanks,

tarik admani
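An added check, not from this thread or from Cisco: a small Python audit of the AAA lines SJ posted (expanded from the abbreviated forms, embedded here as a constructed sample). It flags method lists with no fallback, and the console and config-command scope, which together explain why the "change the shared secret" recovery above works: a fallback method is only consulted when the server does not answer, while an explicit server deny (the "command authorization failed" in this thread) is final.

```python
import re

# Constructed extract of the AAA lines from the router config posted above,
# with the IOS keywords written out in full.
POSTED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no-tacacs none
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default if-authenticated
aaa authorization commands 1 default if-authenticated
aaa authorization commands 15 default group tacacs+ local
aaa authorization console
"""

# Methods that do not depend on a AAA server answering.
LOCAL_METHODS = {"local", "if-authenticated", "none"}

def _methods(rest):
    """Split 'group tacacs+ local' into ['group tacacs+', 'local']."""
    toks, out, i = rest.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append("group " + toks[i + 1]); i += 2
        else:
            out.append(toks[i]); i += 1
    return out

def audit_aaa(config):
    """Return findings on where a TACACS+ outage or a server-side deny can lock
    an operator out. Only 'no answer' from the server reaches the next method;
    a deny is final, so a server that answers 'deny' never falls back to local."""
    findings = []
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    for line in lines:
        m = re.match(r"aaa (authentication login|authorization commands \d+) (\S+) (.+)", line)
        if not m:
            continue
        kind, name, methods = m.group(1), m.group(2), _methods(m.group(3))
        if any(x.startswith("group") for x in methods) and not LOCAL_METHODS & set(methods):
            findings.append(f"{kind} {name}: server-only method list, no fallback if TACACS+ is unreachable")
    if "aaa authorization console" in lines:
        findings.append("authorization console: the console line is not exempt, so a server deny applies there too")
    if "aaa authorization config-commands" in lines:
        findings.append("config-commands: configuration-mode commands are also sent to the server for authorization")
    return findings
```

Run `audit_aaa` over a running-config extract; an empty list means every server-backed list has a local fallback and the console is exempt.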