Cisco Support Community

New Member

ACS 5.1 appliance and 3750 Switch

I'm trying to add a 3750 to our new ACS 5.1 appliance for TACACS+ authorization.

Attached is the config I have on the 3750 and a debug. After I enter this information, the enable command and all further commands say "Command authorization failed."

My ACS has this specific device added to the "Network Devices and AAA Clients" area of ACS with a TACACS+ shared secret password the same as my key on the 3750.

7 REPLIES
Cisco Employee

Re: ACS 5.1 appliance and 3750 Switch

What is ACS reporting as the reason to fail the authorization?

New Member

Re: ACS 5.1 appliance and 3750 Switch

ACS report and monitor shows my account:

Status: Passed
Failure Reason:
Logged At: May 18, 2010 12:58 PM
ACS Time: May 18, 2010 12:58 PM
ACS Instance: NAWDM1ACS-A01-DC03
Authentication Method: PAP_ASCII
Authentication Type: ASCII
Privilege Level: 1
User
Username: abc123

When I type enable or any other command it says:

Command authorization failed.

Re: ACS 5.1 appliance and 3750 Switch

As you mention, you are able to log in, but you are not able to get authorized for enable and config.

Did you set up ACS for authorization?

Please let us know so we can come up with a solution.

Cisco Employee

Re: ACS 5.1 appliance and 3750 Switch

That is the authentication report. Please look in the authorization report.

Re: ACS 5.1 appliance and 3750 Switch

I recommend you modify the AAA commands to support authorization, and in ACS configure the user privilege to 15 and give authorization for configure terminal:

aaa new-model
!
! TACACS is the name of an aaa group server tacacs+ group that points at the ACS server
aaa authentication login default group TACACS
aaa authentication enable default group TACACS
!
aaa authorization exec default group TACACS
aaa authorization config-commands
aaa authorization commands 0 default group TACACS
aaa authorization commands 1 default group TACACS
aaa authorization commands 5 default group TACACS
aaa authorization commands 15 default group TACACS
!
! accounting needs an accounting type (exec, commands <level>) and a record type (start-stop)
aaa accounting exec default start-stop group TACACS
aaa accounting commands 15 default start-stop group TACACS

New Member

Re: ACS 5.1 appliance and 3750 Switch

I'm getting closer:  THANK YOU FOR ALL YOUR HELP SO FAR!!!!  I'm sending this but also looking into the failure reason.  I'm a n00b at this version . . . working to get off a Win Radius . . .

Here is the latest authorization report:

Status: Failed
Failure Reason: 13025 Command failed to match a Permit rule
Logged At: May 18, 2010 2:42 PM
ACS Time: May 18, 2010 2:42 PM
ACS Instance: NAWDM1ACS-A01-DC03
Authentication Method: None
Authentication Type:
Header Privilege Level: 0
Command Set: [ CmdAV=enable ]
User
User Name: abc123
Remote Address:
Network Device
Network Device Name: TestPrintroom3750
Network Device Group: Device Type:All Device Types:Switches:West, Location:All Locations
Device IP Address: 10.32.128.9
Access Policy
Access Service: Default Device Admin
Identity Store:
Selected Shell Profile:
Matched Command Set:
Selected Command Set: DenyAllCommands
Active Directory Domain:
Identity Group: All Groups:Administrators:NetEng
Access Service Selection Matched Rule: Rule-2
Identity Policy Matched Rule: Default
Selected Identity Stores:
Query Identity Stores:
Selected Query Identity Store:
Group Mapping Policy Matched Rule:
Authorization Policy Matched Rule: NetEng
Authorization Exception Policy Matched Rule: Other
ACS Session ID: NAWDM1ACS-A01-DC03/63492254/359
Author Reply Status:
Other Attributes:
ACSVersion=acs-5.1.0.44-B.2347
ConfigVersionId=38
Device Port=22378
Protocol=Tacacs
Type=Authorization
Service=None
Port=tty1
Remote-Address=10.32.128.26
Service-Argument=shell
AuthenticationIdentityStore=Internal Users
AuthenticationMethod=Lookup
SelectedAuthenticationIdentityStores=Internal Users
UserIdentityGroup=IdentityGroup:All Groups:Administrators:NetEng

Re: ACS 5.1 appliance and 3750 Switch

Dear Joseph

Configuring AAA with ACS is not so complicated.

Please follow the steps below:

1] Create a loopback address on the router for management and communication with the ACS server.

2] Add the loopback address in the ACS server with a pre-shared key and the TACACS+ protocol, and check the first option. (Below you can see some options that you need to select or check.)

3] If you are using a loopback address, then use ip tacacs source-interface Loopback<number>.

4] Configure AAA on the router, but only after adding to ACS the loopback IP address that you configured on the router for management.

5] Create a group in ACS for the different privilege access levels; in that group you will see an authorization section, where you need to give authorization with the initial command.

For example: create a group, give it privilege access level 15, and in the authorization section give the command conf t and add it to the permit list.

And as for the AAA commands you shared, I personally do not recommend using those, because they will not work when your ACS server fails.

With the TACACS group add local also, so if ACS fails you can log in with a local user.

Regards

Chetan kumar
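The two pieces of advice above (the AAA method lists from the earlier reply, and the loopback source plus local fallback from this one) combined into one switch configuration, as an added example that is not part of the thread and not a configuration any participant posted. The loopback address, the ACS address 10.32.128.1, the shared secret, the user name and the passwords are assumed placeholders; the only value taken from the thread is the group name TACACS. The legacy tacacs-server host syntax is used because that is what a 2010-era 3750 on 12.2 accepts.

```cisco
! Added example: 3750 AAA against ACS 5.1 over TACACS+ with local fallback.
! Addresses, names and secrets below are assumed, not values from the thread.
!
! Step 1: loopback used as the management address (assumed address)
interface Loopback0
 ip address 10.32.255.9 255.255.255.255
!
aaa new-model
!
! ACS server (assumed address). The key must match the shared secret entered
! for this device under Network Devices and AAA Clients in ACS.
tacacs-server host 10.32.128.1 key ACS-shared-secret
!
! Named server group referenced by every method list below
aaa group server tacacs+ TACACS
 server 10.32.128.1
!
! Step 3: source TACACS+ packets from the loopback, so they arrive from the
! address that was added to ACS in step 2
ip tacacs source-interface Loopback0
!
! Authentication: ACS first; the local database or enable secret is consulted
! only when no ACS server answers. A reject from ACS does not fall through.
aaa authentication login default group TACACS local
aaa authentication enable default group TACACS enable
!
! Authorization: shell profile from ACS, then command authorization per level
aaa authorization exec default group TACACS local
aaa authorization config-commands
aaa authorization commands 1 default group TACACS local
aaa authorization commands 15 default group TACACS local
!
! Accounting: sessions and privileged commands are logged to ACS
aaa accounting exec default start-stop group TACACS
aaa accounting commands 15 default start-stop group TACACS
!
! Local fallback credentials, used only while ACS is unreachable
username netadmin privilege 15 secret ChangeMe-Local
enable secret ChangeMe-Enable
!
! Console uses its own login list so an unreachable ACS never locks it out;
! exec and command authorization do not apply to the console unless
! "aaa authorization console" is configured, which it is not here.
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
!
line vty 0 15
 transport input ssh
 login authentication default
 authorization exec default
 authorization commands 1 default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
```

The switch side only sends the command to ACS; the 13025 failure in the report above is decided on the ACS side, where the NetEng authorization rule selected the DenyAllCommands command set. The rule needs a command set whose permit rows cover the commands the group should run (for example command enable, command configure with argument terminal, command show with any arguments); the CmdAV=enable entry in the report shows that, with level 0 in the method lists as in the earlier reply, even the enable command itself must be matched by a permit row. Appending local to the method lists does not change that: local is used only when every server in the group fails to respond, never when ACS answers with a deny.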
