01-11-2012 02:50 AM - edited 03-10-2019 06:42 PM
Hi,
I am trying to set the identity source to use Active Directory's resident credentials as the method for authentication.
The connection between AD and ACS was established and connected.
Problem statement:
The moment I try to telnet from the remote site, I am able to proceed through the first stage, username/password authentication, but when it comes to the enable password, it prompts me with an authentication failure even with the right password.
The error log for this case is "13029 Requested privilege level too high".
If I switch the identity source to local, it does not have this problem.
The platform for this case is
- C6500 with IOS 12.2(33) SXJ1
- ACS 5.2.0.26
So, at ACS, I set the identity store at access policies > access_name > identity.
For Device administration > shell profile, the shell profile in use sets the default privilege and maximum privilege to 15. The name of the shell profile is "full_privilege".
Below is my switch config snippet:
aaa group server tacacs+ TAC_PLUS
server name AUTH
tacacs server AUTH
address ipv4 10.10.21.251
key xxxxxxxx
aaa authentication login TAC_PLUS group tacacs+ local
aaa authentication enable default group TAC_PLUS none
aaa authorization exec TAC_PLUS group tacacs+ if-authenticated
aaa authorization commands 15 TAC_PLUS group tacacs+ local
aaa authorization network TAC_PLUS group tacacs+ local
aaa accounting update periodic 1
aaa accounting exec TAC_PLUS start-stop group tacacs+
aaa accounting network TAC_PLUS start-stop group tacacs+
aaa accounting connection TAC_PLUS start-stop group tacacs+
Please advise, thanks.
Noel
01-11-2012 09:39 AM
Hello,
As you mentioned that it works fine for internal ACS users, can you check the Authorization Condition you have in order to return Privilege Level 15 for the users?
For example, if the Internal Users ID store works fine, then the Authorization Condition might be pointing to an internal ACS attribute condition such as Identity Groups.
When changing to AD, the Identity Group rule might not be matched, therefore falling through to the Default Deny Access rule.
Please check the Authorization rules for the appropriate Access Service and confirm that a valid rule is created for AD users as well, in order to return the appropriate privilege level.
Hope this helps.
Regards.
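To make the failure mode in this answer concrete, here is a small model of ACS-style first-match authorization (added example, not Cisco ACS code): an authenticated user carries either ACS-internal Identity Groups or AD external groups, the rule set is evaluated top to bottom for the `enable` request at privilege 15, and a user who matches no rule (or matches a profile whose maximum privilege is lower than requested) is denied with the "13029 Requested privilege level too high" result seen in the thread. The user names, group names, rule names and the attribute layout are assumptions chosen to mirror the thread; only the shell profile (`full_privilege`, default and maximum privilege 15) and the error text come from the page.

```python
"""
Why an AD user can log in but fail at `enable`: a model of ACS 5.x
first-match authorization.  Added example for illustration, not Cisco
ACS code; user names, group names, rule names and the identity-group
vs. AD-group attributes are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class User:
    name: str
    store: str                               # identity store that authenticated the user
    identity_groups: Tuple[str, ...] = ()    # ACS-internal Identity Groups
    ad_groups: Tuple[str, ...] = ()          # external groups returned by the AD connector


@dataclass(frozen=True)
class ShellProfile:
    name: str
    default_priv: int
    max_priv: int


@dataclass(frozen=True)
class AuthzRule:
    name: str
    condition: Callable[[User], bool]
    profile: ShellProfile


DENY_13029 = "13029 Requested privilege level too high"

# Shell profile from the thread: default and maximum privilege 15.
FULL_PRIVILEGE = ShellProfile("full_privilege", default_priv=15, max_priv=15)


def authorize(rules: List[AuthzRule], user: User, requested_priv: int):
    """First-match evaluation of authorization rules.

    Returns (granted, message, rule_name).  No matching rule falls through
    to the implicit Default rule, which denies.  A matching rule still
    denies when the requested level exceeds the profile's maximum.
    """
    for rule in rules:
        if rule.condition(user):
            if requested_priv <= rule.profile.max_priv:
                return True, f"priv-lvl={requested_priv} via {rule.profile.name}", rule.name
            return False, DENY_13029, rule.name
    return False, DENY_13029, "Default (DenyAccess)"


# Constructed sample identities (assumed names): one internal ACS user, one AD user.
INTERNAL_ADMIN = User("noel_local", "Internal Users",
                      identity_groups=("All Groups:NetAdmins",))
AD_ADMIN = User("noel", "AD1",
                ad_groups=("example.local/Users/NetworkAdmins",))

# Rule set as the thread describes it before the fix: the only rule keys on
# an ACS-internal Identity Group, which users authenticated against AD lack.
RULES_BEFORE = [
    AuthzRule("Internal NetAdmins -> full_privilege",
              lambda u: "All Groups:NetAdmins" in u.identity_groups,
              FULL_PRIVILEGE),
]

# After the fix: a second rule keyed on the AD external group (assumed name).
RULES_AFTER = RULES_BEFORE + [
    AuthzRule("AD NetworkAdmins -> full_privilege",
              lambda u: "example.local/Users/NetworkAdmins" in u.ad_groups,
              FULL_PRIVILEGE),
]


def enable_attempt(rules: List[AuthzRule], user: User) -> str:
    """Mimic the switch's `enable` authorization request (privilege 15)."""
    granted, msg, rule = authorize(rules, user, 15)
    status = "PASS" if granted else "FAIL"
    return f"{status} user={user.name} store={user.store} rule='{rule}' {msg}"


if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(f"--- {label} ---")
        for u in (INTERNAL_ADMIN, AD_ADMIN):
            print(enable_attempt(rules, u))
```

Running it shows the internal user passing with both rule sets and the AD user failing with the 13029 result under `RULES_BEFORE` and passing under `RULES_AFTER`, which is exactly the difference the reply asks the poster to check. One caveat on the switch configuration posted above: `aaa authentication enable default group TAC_PLUS none` ends in `none`, so if no server in the TACACS+ group answers, IOS lets `enable` succeed with no authentication at all; a `local` or `enable` fallback is the safer choice while this is being debugged.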
01-12-2012 03:43 AM
Hi,
Sorry for the late reply. I am in the GMT+8 timezone, so I guess there is a time gap.
As you requested, I attach the snapshot for you to refer to.
On the switch, the aaa config can be found in the thread above.
Million thanks!!!!
Noel
01-16-2012 03:10 PM
Hi Noel, I have a similar problem to yours. I'm trying to fix it with your comments, but I have a doubt: could you please paste a screenshot of your Access Policies profile named "Device Admin"? I appreciate your help a lot.
Regards,
Juan Carlos
01-12-2012 08:32 PM
Hi Mejia,
Your reply is the right answer; I created another rule and did a lookup using the AD external group for authentication.
Thanks for your advice.
Noel