New Member

ACS 5.2 - Unable to Map Command Set to Shell Profile

Hi everyone,

I am in the process of setting up ACS 5.2 for a network and have run into an issue when attempting to apply the following aaa commands to a network device:

aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated

Once the commands have been applied to the device configuration I get "command authorization failed" when attempting to do anything.  Taking a quick look at the TACACS Authorization reports I see a failure reason of "13025 Command failed to match a Permit rule" and under the Selected Command Set "DenyAllCommands" is listed. 

After doing a bit of searching, I noticed some articles online that indicate I should be able to specify the appropriate command set to the authorization profile under the Default Device Admin policy. However, when I open up a Device Administration Authorization Policy, nowhere in the window does it display command sets that I can select from.

Any thoughts?  Is there something I'm missing somewhere else?  Thank you in advance for your assistance.

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Hi there,

This is a very common situation; the problem here is that the Command Set option is not enabled by default. You need to customize the Authorization page using the "Customize" button at the bottom right of the page. Move the "Command Set" option to the right and click Submit; check the screenshots below:

After that you will be able to assign the "Command Set" value.

Rate if it helps!

4 REPLIES
New Member

Thank you kindly Mauricio!  That remedied the issue and I'm now in business.

Best Regards,

Dan Miller

New Member

Thank you Mauricio!!! I was like 2 hours trying to figure it out by myself, but I couldn't. Why isn't this option enabled by default!!

New Member

Thank you, this has helped me a lot!
