
Problem with TACACS+ (ACS) and Cat 2950

I've configured the 2950 as below and configured ACS correctly, and I can log in to the 2950 using this config. The problem lies after I go into enable and try any command: I get the following error: Command authorization failed.

What have I missed out of the config that will allow me to run any commands?

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ local if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization network default group tacacs+ local if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

tacacs-server host ***.***.***

tacacs-server key 7 ***********

Thanks in advance.

Jon

Accepted Solutions

Re: Problem with TACACS+ (ACS) and Cat 2950

Hi Jon,

The switch's AAA looks ok, maybe you need to take a look at your ACS.

Check the following info, which you might need to apply to your ACS config:

http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_guide_chapter09186a00801fd6fc.html#wp676529

rgds,

AK


Re: Problem with TACACS+ (ACS) and Cat 2950

I will agree with AK that I do not see any obvious problems with the aaa configuration on the switch. I note that you specify authorization for level 15 commands. My guess is that in the configuration of ACS you are not allowing these commands for this user ID. A quick way to verify this would be to remove the aaa authorization for level 15 commands from the switch config and see if the behavior changes.

HTH

Rick
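
The behaviour behind the error in this thread, as an added example that is not part of any post above: a simplified Python model of how IOS walks an authorization method list, run on the authorization lines from the question. It assumes the documented IOS rule that the next method is tried only when the previous one gives no response; the function names and the PASS/FAIL/ERROR labels are illustrative.

```python
import re

# Constructed sample: authorization lines copied from the switch config in the question.
CONFIG = """\
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
"""

def parse_method_lists(config):
    """Return {(service, list_name): [methods]} for 'aaa authorization' lines."""
    pattern = re.compile(r"^aaa authorization (exec|network|commands \d+) (\S+) (.+)$")
    lists = {}
    for line in config.splitlines():
        m = pattern.match(line.strip())
        if not m:
            continue
        service, name, rest = m.groups()
        tokens, methods, i = rest.split(), [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])  # 'group tacacs+' is one method
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[(service, name)] = methods
    return lists

def authorize(methods, server_reply, local_permits=True):
    """Simplified model (an assumption of this example) of method-list evaluation.

    server_reply is 'PASS', 'FAIL' (the server answered with a deny) or
    'ERROR' (no answer). Only ERROR moves on to the next method; FAIL ends
    evaluation. Returns (permitted, method_that_decided).
    """
    for method in methods:
        if method.startswith("group "):
            if server_reply == "ERROR":
                continue                      # server unreachable: try next method
            return (server_reply == "PASS", method)
        if method == "local":
            return (local_permits, method)
        if method in ("if-authenticated", "none"):
            return (True, method)             # user has already logged in
    return (False, None)

if __name__ == "__main__":
    cmd15 = parse_method_lists(CONFIG)[("commands 15", "default")]
    for reply in ("PASS", "FAIL", "ERROR"):
        print(reply, authorize(cmd15, reply))
```

With a FAIL reply the commands 15 list returns a deny decided by group tacacs+, which matches the "Command authorization failed" symptom; if-authenticated is reached only when the server does not answer.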
