09-06-2010 01:13 AM - edited 03-10-2019 05:23 PM
Hi All,
It's a Cisco ACS 1120 device with version 5.0.
I have created three basic user groups having privilege levels 15, 10 and 1 on ACS TACACS+.
My configuration for AAA on the switch is as follows:
aaa authentication login default group tacacs+ local
! config-commands: configuration-mode commands are also sent to ACS for authorization
aaa authorization config-commands
! exec: at login ACS returns the shell profile (privilege level)
aaa authorization exec default group tacacs+ local
! commands <level>: every command entered at that level is checked against the ACS command set
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 10 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
ip tacacs source-interface Vlan1
!
tacacs-server host **** single-connection
tacacs-server directed-request
But I am getting an error while logging in as that specific user which I have created; the error is
"command authorization failed"
Please let me know if anyone has a solution for this, or if any more information is required.
09-07-2010 01:22 PM
Hi Pranav,
Based on your config below you have command authorization configured on your IOS device, but you only mentioned privilege levels on the ACS configuration. If you enable command authorization on the device then you need to ensure that a command set is referenced in your access policy rules.
Under the Authorization section of your Network Access Policy there should be two "results" columns - one for "Authorization Profiles" and a second for "Command Sets". If the latter does not show, hit the Customize button on that page and select it. Now edit your rule and select a value for the Command Set. I believe by default there is an Allow ALL and Deny ALL set that you can reference. If you would like to get more granular you can create your own under Policy Elements > Authorization and Permissions > Device Administration > Command Sets.
Thanks,
Nate
09-08-2010 03:40 AM
Hi Nate,
Thanks for your reply, I tried doing what you have mentioned in your post. It is still not working for me.
The problem I see is that all users are going under the admin profile with privilege level 15. As I also defined command sets for admin just for testing purposes, that is getting applied. Thus even though all users represent privilege level 15, they don't have full access. This case occurs when I define authorization under line vty.
When I remove those commands from line vty the operation is the same; the only thing is, as all are under privilege level 15, they are granted full access.
So basically what is happening is that the shell profiles and command sets created by me are in reality not getting called.
All users are somehow getting privilege level 15 and thus no further checks are occurring; this is what my understanding says.
I tried doing all different sets and all, but nothing is working.
Please assist, thanking you all in advance.
Regards,
Pranav Gade.
09-08-2010 06:00 AM
Hi Pranav,
You shouldn't have to enable any authorization specifically on the VTY lines since you are using the default method lists for all of them. What does your vty line config look like?
Are there any failed authorization attempt logs on the ACS box when you receive the command authorization failure? It should say what rules were matched on the ACS.
Thanks,
Nate
09-08-2010 06:52 AM
Hi Nate,
Following is the error message received by me:
Description:
The request command failed to match permit rule in any of the command sets.
When I click on "TACACS Authorization" for monitoring, please find the table order below:
1. status
2. details
3. Failure reason
4. user name
5. command sets
6. shell profile
7. network device
8. header privilege level
9. access service
10. selected authorization policy
11. selected authorization exception policy
12. selected command set
13. acs
Please assist with what can be done.
Waiting for reply.
Thanks and regards,
Pranav.
09-08-2010 06:59 AM
Hi Pranav,
Can you post the value of those fields instead of just the fields themselves? Or a screenshot of the entire report for a failure (just click on the report icon next to the failure)?
Realistically we are interested in the values of the following fields:
Access service
Selected authorization policy
Selected command set
Thanks,
Nate
09-08-2010 07:59 AM
09-08-2010 08:13 AM
Pranav,
What does the "admin" command set contain, can you send a screenshot of that?
In terms of the config for your rules, why do you have Privilege-Level as a condition? The privilege level that you want to send to the clients is sent from the ACS to the NAS in the authorization profile.
Thanks,
Nate
09-08-2010 08:22 AM
Hi Nate,
As of now, as we were doing testing, we have just allowed the enable, show*, and configure terminal commands for admin, then for netmon enable and show*, and for ssst deny all.
Our actual requirement is that we want to give full access to admin users; ssst will have access to only show commands, and netmon will have interface-level command access and a few show commands.
But our problem is that for all users enable, show*, configure terminal are getting applied.
Thanks and Regards,
Pranav.
09-09-2010 09:59 PM
I am still waiting for this issue to get resolved........
Please assist....
Regards,
Pranav.
09-10-2010 05:09 AM
Hi Pranav,
It's hard to tell from the limited view in the screenshots why all of your users are hitting the same profile. One thing I mentioned before was removing the Tacacs-Privilege-Level as a condition for hitting a rule, as I can't see why you would want to do that since you are passing the privilege level back in your shell profile set. It seems like all attempts from the NAS are coming in with a header priv-lvl of 15 and so all are hitting your first rule. So I would remove that "Compound Condition" from your rules and just do it by user group and let the result sets define the privilege levels.
If you send a full screenshot (not just part of the page) from the details section of the authorization then I can tell you exactly why it is hitting those rules, but there's just not enough information in the half page that was sent.
If the above doesn't help then at this point I would open up a case as it is becoming difficult to go back and forth on this forum and I believe if you opened a case and someone saw this live it would go much faster.
Thanks,
Nate
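The two points Nate makes in this thread (a command is only accepted when it matches a permit entry in the command set of the rule that was selected, and a rule conditioned on the TACACS+ header priv-lvl catches every session because the NAS sends priv-lvl 15 for all of them) can be shown with a small model of ACS 5 rule selection and command-set matching. This is an added illustration written for this thread, not Cisco code and not configuration from the posts. The set names and the test contents (admin, netmon, ssst; enable, show*, configure terminal) come from the posts above; the layout of the "broken" policy (a first rule conditioned on header priv-lvl 15) is an assumption made to reproduce the symptom described, the "fixed" policy keyed on identity group is constructed to match the stated requirement, and argument matching uses shell wildcards where ACS uses regular expressions.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Failure reason as quoted from the ACS report earlier in the thread.
FAILURE_REASON = ("The request command failed to match permit rule "
                  "in any of the command sets.")


@dataclass
class CommandSet:
    """One ACS 5 command set. Entries are (grant, command, argument pattern);
    first matching entry decides. Simplification: wildcard args, not regex."""
    name: str
    entries: List[Tuple[str, str, str]] = field(default_factory=list)
    # ACS option "Permit any command that is not in the table below"
    permit_unmatched: bool = False

    def evaluate(self, command_line: str) -> bool:
        cmd, _, args = command_line.strip().partition(" ")
        for grant, c, arg_pattern in self.entries:
            if c == cmd and fnmatch.fnmatchcase(args, arg_pattern):
                return grant == "permit"
        return self.permit_unmatched


@dataclass
class Rule:
    """One row of the device-administration authorization policy."""
    name: str
    command_set: CommandSet
    identity_group: Optional[str] = None   # condition on the ACS identity group
    header_priv_lvl: Optional[int] = None  # the priv-lvl compound condition from the thread

    def matches(self, group: str, priv_lvl: int) -> bool:
        return ((self.identity_group is None or self.identity_group == group) and
                (self.header_priv_lvl is None or self.header_priv_lvl == priv_lvl))


def authorize(rules: List[Rule], group: str, header_priv_lvl: int, command_line: str):
    """First-match rule selection, then the command-set check.
    Returns (result, selected rule, selected command set)."""
    for rule in rules:
        if rule.matches(group, header_priv_lvl):
            ok = rule.command_set.evaluate(command_line)
            return ("permit" if ok else FAILURE_REASON, rule.name, rule.command_set.name)
    return ("no rule matched", None, None)


# Test command sets as described in the thread.
ADMIN_TEST = CommandSet("admin", [("permit", "enable", ""),
                                  ("permit", "show", "*"),
                                  ("permit", "configure", "terminal")])
NETMON_TEST = CommandSet("netmon", [("permit", "enable", ""),
                                    ("permit", "show", "*")])
SSST_TEST = CommandSet("ssst")  # DenyAll: no entries, unmatched commands denied

# ASSUMED reconstruction of the broken policy: the first rule is conditioned on
# header priv-lvl 15, which every session carries, so every user selects it.
BROKEN_POLICY = [
    Rule("Rule-1", ADMIN_TEST, header_priv_lvl=15),
    Rule("Rule-2", NETMON_TEST, identity_group="netmon", header_priv_lvl=10),
    Rule("Rule-3", SSST_TEST, identity_group="ssst", header_priv_lvl=1),
]

# CONSTRUCTED sets for the stated requirement, with rules keyed on identity group only.
ADMIN_FULL = CommandSet("admin-full", permit_unmatched=True)
NETMON_IF = CommandSet("netmon-interface", [
    ("permit", "configure", "terminal"),
    ("permit", "interface", "*"),
    ("permit", "shutdown", ""),
    ("permit", "no", "shutdown"),
    ("permit", "description", "*"),
    ("permit", "show", "interfaces*"),
    ("permit", "show", "ip interface*"),
])
SSST_SHOW = CommandSet("ssst-show-only", [("permit", "show", "*")])
FIXED_POLICY = [
    Rule("admin-rule", ADMIN_FULL, identity_group="admin"),
    Rule("netmon-rule", NETMON_IF, identity_group="netmon"),
    Rule("ssst-rule", SSST_SHOW, identity_group="ssst"),
]


def demo():
    """Same three requests against both policies; every session arrives with
    header priv-lvl 15, as observed on the ACS report."""
    requests = [("admin", "copy running-config startup-config"),
                ("ssst", "configure terminal"),
                ("netmon", "show running-config")]
    return {name: [authorize(policy, group, 15, cmd) for group, cmd in requests]
            for name, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY))}


if __name__ == "__main__":
    for name, results in demo().items():
        print(name)
        for result in results:
            print("  ", result)
```

Under the broken policy the ssst user is allowed "configure terminal" because Rule-1 is selected for everyone, while the admin user gets the quoted failure reason for any command outside the three test entries, which is exactly the "command authorization failed" seen on the switch. Under the fixed policy the group condition selects the intended set and the result follows from that set alone; the privilege level is then left to the shell profile returned at exec authorization, as Nate suggests.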
09-11-2010 08:48 AM
Thanks Nate for your reply, I will try today doing it without privilege-level.... and will update. I am also trying to open a case, but as it's not inside warranty, things are not moving in my favor...
Let me work on it again fresh.. will get back to you ASAP....
Regards,
Pranav.
09-12-2010 04:46 AM
09-12-2010 04:48 AM
09-12-2010 04:54 AM