Cisco Support Community

New Member

How to enable Command Authorization in ACS?

hi,

I have ACS 4.1 for Windows!!

I am testing Cisco6513 for command authorization for a user.

The problem is that the switch is authorizing the commands which I have denied in ACS for that particular user.

I am attaching the screen shots.

Can anyone tell me what I am missing? Do I need to put some commands in the 6513 to enable command authorization in the ACS?

My Switch config for ACS is:

aaa new-model
aaa group server tacacs+ name1
 server ACSserver1
!
aaa authentication login default group name1 local
aaa authentication enable default group name1 enable
aaa authorization exec default group name1 if-authenticated
ip http authentication aaa
tacacs-server host ACSserver1
no tacacs-server directed-request
tacacs-server key xxxxx

Accepted Solution

Re: How to enable Command Authorization in ACS?

You are missing these commands,

aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands

Regards,

~JG

Do rate helpful posts
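The three lines in this accepted answer are the whole fix: without an `aaa authorization commands <level>` method list the switch never asks ACS about individual commands, so whatever is denied in the user's profile has no effect. The following is an added example, not code from the thread or from Cisco, that parses a running-config (the poster's config and the corrected one are embedded as constructed samples) and reports which privilege levels lack a server-backed command authorization list, and which lists end in an `if-authenticated` or `none` fallback that permits every command while the TACACS+ server is unreachable. The regexes, the `audit` function and its `levels` parameter are this example's own assumptions.

```python
import re

# Constructed sample: the original poster's 6513 config (exec authorization only,
# no 'aaa authorization commands' lines, so the switch never asks ACS about commands).
BEFORE = """\
aaa new-model
aaa group server tacacs+ name1
 server ACSserver1
!
aaa authentication login default group name1 local
aaa authentication enable default group name1 enable
aaa authorization exec default group name1 if-authenticated
ip http authentication aaa
tacacs-server host ACSserver1
no tacacs-server directed-request
tacacs-server key xxxxx
"""

# Constructed sample: the same config with the three lines from the accepted answer.
AFTER = BEFORE + """\
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
"""

BUILTIN_GROUPS = {"tacacs+", "radius"}  # server groups that exist without being defined
GROUP_RE = re.compile(r"^aaa group server (?:tacacs\+|radius) (\S+)$")
AUTHZ_RE = re.compile(
    r"^aaa authorization (?P<kind>exec|commands (?P<level>\d+)) "
    r"(?P<list>\S+) (?P<methods>.+)$"
)


def parse_groups(config):
    """Names usable after 'group' in a method list: built-ins plus user-defined groups."""
    groups = set(BUILTIN_GROUPS)
    for line in config.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            groups.add(m.group(1))
    return groups


def parse_method_lists(config):
    """Map (kind, list_name) -> ordered methods, e.g. ['group tacacs+', 'if-authenticated'].

    kind is 'exec' or 'commands <level>'; 'group <name>' is kept as one method token.
    """
    lists = {}
    for line in config.splitlines():
        m = AUTHZ_RE.match(line.strip())
        if not m:
            continue
        kind = "exec" if m.group("kind") == "exec" else f"commands {m.group('level')}"
        tokens = m.group("methods").split()
        methods, i = [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append(f"group {tokens[i + 1]}")
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[(kind, m.group("list"))] = methods
    return lists


def audit(config, levels=(1, 15)):
    """Check that each privilege level in `levels` is command-authorized by a server group.

    Returns {'missing': [...], 'warning': [...]}: 'missing' means commands at that level
    are not authorized against a AAA server at all; 'warning' flags fail-open fallbacks.
    """
    findings = {"missing": [], "warning": []}
    groups = parse_groups(config)
    lists = parse_method_lists(config)
    for lvl in levels:
        methods = lists.get((f"commands {lvl}", "default"))
        if methods is None:
            findings["missing"].append(
                f"no 'aaa authorization commands {lvl} default' list: "
                f"level-{lvl} commands are never sent to the server")
            continue
        first = methods[0]
        if not first.startswith("group ") or first.split(" ", 1)[1] not in groups:
            findings["missing"].append(
                f"commands {lvl}: first method '{first}' is not a defined server group")
        # IOS only moves to the next method when the server returns ERROR (unreachable);
        # a server deny stops the list. So the trailing method only matters during an
        # outage, and both of these permit every command in that case.
        if methods[-1] in ("if-authenticated", "none"):
            findings["warning"].append(
                f"commands {lvl}: fallback '{methods[-1]}' permits all commands "
                f"while the TACACS+ server is unreachable")
    if "no aaa authorization config-commands" in config.splitlines():
        findings["missing"].append(
            "'no aaa authorization config-commands' present: configuration-mode "
            "commands bypass command authorization")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(cfg))
```

Run against the poster's config the audit reports both level 1 and level 15 as missing; against the corrected config it reports nothing missing but warns twice about `if-authenticated`. That warning is a trade-off rather than a bug: IOS only falls through a method list on a server error, never on a deny, so `if-authenticated` cannot override an ACS deny, but it does make command authorization fail open during an ACS outage, which is the price of not being locked out of the switch.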

6 REPLIES


New Member

Re: How to enable Command Authorization in ACS?

Hi,

You need to apply these commands for authentication & authorization on the router/switch and ACS server.

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group tacacs+

You can also exclude your console from AAA:

line con 0
 login authentication local_auth
exit

Please rate it if helpful.

New Member

Re: How to enable Command Authorization in ACS?

Thanks to both of you..Problem solved!!

New Member

Re: How to enable Command Authorization in ACS?

I have been looking for the command to exclude the console port but haven't found it. Can someone point me in the right direction?

Re: How to enable Command Authorization in ACS?

For that you need to set up a method list,

username test privilege 15 password test
aaa new-model
! 'group tacacs+' is the built-in TACACS+ server group; 'group tacacs' would be
! read as a user-defined group name that does not exist
aaa authentication login vty_login group tacacs+ local
aaa authentication login console_login local
aaa authorization exec vty_login group tacacs+ local
tacacs-server host key cisco
line vty 0 4
 login authentication vty_login
 authorization exec vty_login
line con 0
 login authentication console_login

Regards,

~JG

Do rate helpful posts

New Member

Re: How to enable Command Authorization in ACS?

thank you very much.
