New Member

ACS 5.2 - Command set is empty "[ CmdAV= ]"

Hello,

I have a problem with the ACS 5.2 configuration: I am trying to use AAA authorization to centralize privileges and commands, but only the privilege level is sent to the router; the command sets aren't sent.

The test scenario is this:

  • ACS 5.2
  • Router 2900 family IOS 15.0

The ACS is configured with:

Shell Profiles (to match a privilege level), Command Sets (with the command list), Service Selection Rules (to select one service) and Authorization (to assign one shell profile and one command set).

The router is configured with the following commands:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+
aaa authorization commands 5 default group tacacs+
aaa authorization commands 10 default group tacacs+
aaa authorization configuration default group tacacs+
aaa session-id common
tacacs-server host xxxxxxxxxxx
tacacs-server key xxxxxxxxxxx

Troubleshoot:

  • In the reports (AAA Protocol > TACACS+ Authorization) the "[ CmdAV= ]" term is empty; no item was selected.

[screenshot: aaa log.png]

  • On the router the privilege level is loaded, only the command sets aren't:

Router#show privilege
Current privilege level is 15

  • debug aaa authorization:

Jan 16 12:56:28.549: AAA/BIND(000000F2): Bind i/f
Jan 16 12:56:30.317: AAA/AUTHOR (0xF2): Pick method list 'default'
Jan 16 12:56:30.333: AAA/AUTHOR/EXEC(000000F2): processing AV cmd=
Jan 16 12:56:30.333: AAA/AUTHOR/EXEC(000000F2): processing AV priv-lvl=5
Jan 16 12:56:30.333: AAA/AUTHOR/EXEC(000000F2): Authorization successful

Can anyone help me please?

Sorry for my English,

Thanks,

1 ACCEPTED SOLUTION
Bronze

ACS 5.2 - Command set is empty "[ CmdAV= ]"

No, I don't think it can be loaded automatically from ACS.

Instead of giving users priv level 5, you can give priv level 15; then you don't have to configure privilege commands on the router, because all commands are available at priv level 15 on the router. So you only need to configure command sets on ACS.

zhenning

4 REPLIES
Bronze

ACS 5.2 - Command set is empty "[ CmdAV= ]"

If you assign the user priv level 5, you should add the allowed commands to priv level 5 on the router using the 'privilege' commands. If the command is not permitted for priv level 5 on the router, the router will not ask ACS for command authorization.

Please rate the post if it is helpful.

Zhenning
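The two router-side configurations the replies describe, written out as an added example that is not part of the original thread. IOS selects the "aaa authorization commands <level>" method list by the privilege level of the command being entered, not by the user's level, so with only "commands 5" and "commands 10" configured and a user whose commands are all default level-1 commands, no authorization request ever carries a cmd= AV pair, which is exactly the empty CmdAV in the ACS report. The accepted priv-15 approach likewise needs a "commands 15" list that the original config does not have. The "privilege" lines, the server address and the key are placeholders, and the if-authenticated fallback is a deliberate choice of this example rather than something the thread uses.

```cisco
! Added example (not from the thread). Both options share this base.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization config-commands
!
! --- Option A: keep users at priv 5 (first reply) ---
! Level-1 commands are checked under "commands 1", so that list is
! needed too; level-5 commands only exist once "privilege" assigns
! them. The privilege lines are illustrative assumptions.
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 5 default group tacacs+ if-authenticated
privilege exec level 5 configure terminal
privilege exec level 5 show running-config
privilege configure level 5 interface
privilege interface level 5 shutdown
privilege interface level 5 description
!
! --- Option B: hand out priv 15, let the ACS command set decide
! (accepted solution). Default IOS commands sit at level 1 or 15
! (a few at 0), so these two lists cover the CLI; without
! "commands 15" the router never asks ACS about level-15 commands.
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
!
! "if-authenticated" is consulted only when no TACACS+ server answers
! (a server reject is final): an authenticated admin keeps CLI access
! if ACS is down. The original config has no fallback and fails
! closed; choose one or the other on purpose.
tacacs-server host 192.0.2.10
tacacs-server key 0 ExampleKey
!
! Verify: "show privilege" on the router, then enter a command with
! "debug aaa authorization" enabled and look for cmd= / cmd-arg= AV
! pairs; the ACS TACACS+ Authorization report should now list CmdAV.
```

Option B moves all per-command enforcement to the ACS command set, so review that set as carefully as you would a local privilege table: a priv-15 session with a permissive or missing command set is full administrative access.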

New Member

ACS 5.2 - Command set is empty "[ CmdAV= ]"

Ok, I understand, but is there any way to load this automatically from ACS?

Thanks,


New Member

Re: ACS 5.2 - Command set is empty "[ CmdAV= ]"

Thank you. I liked the idea and will do so.
