Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

AAA is not able to take authorization from both tacacs+ ACS and locally

Hi all,

I have ACS 1120 device with version 5.0.

I have configured 3 users on acs giving them privillage 15 to all and bar them with command sets.But when ACS will goes down I need to make authentication and autorization locally.So I created two seperate users locally giving privillage one to 15 and  other is 10.For privillage 10 I have assigned some limited commond set  to privillage 10.
But problem is when my ACS authorization and local authorization come in  to picture my ACS user which only have show access getting  configuration access also.
So plz help me for the same
If my ACS goes down need to fallen down on local authentication and authorization..

Thanks,

Pranav

1 REPLY
New Member

Re: AAA is not able to take authorization from both tacacs+ ACS

plz find aaa configuration on router

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 5 ssst group tacacs+ local
aaa authorization commands 10 netmon group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization commands 15 admin group tacacs+ local
aaa authorization network default group tacacs+ local
aaa authorization configuration default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common

I have created two local users one is giving priv 15 and one is giving priv 10

commond set for priv 10

privilege interface level 10 ip add
privilege interface level 10 shut
privilege interface level 10 no sh
privilege interface level 10 exit
privilege configure level 10 interface!
privilege configure level 10 interface all
privilege exec level 10 show!
privilege exec level 10 traceroute
privilege exec level 10 show run
privilege exec level 10 conf t

Thnaks

Pranav

628
Views
0
Helpful
1
Replies