hi, I am having a problem with command authorisation with ACS. I am running the full version of ACS 3.3.
I have configured my router like this:
aaa authentication login default none
aaa authentication login john default group tacacs+
aaa authorization console
aaa authorization exec bob group tacacs+
aaa authorization commands 5 bob group tacacs+
aaa authorization commands 15 bob group tacacs+
line vty 0 4
login authentication john
authorization exec bob
authorization commands 5 bob
authorization commands 15 bob
on the acs i have specified per user shell command authorisation and i have created 2 users
john and bob
john is configured with level 15
unmatched commands are permitted with unmatched arguments
bob is the level 5 user configured with
unmatched commands (deny)
add command configure
arguments permit terminal
unmatched arguments (deny)
john gets authenticated and authorised properly.
bob gets authenticated and authorised properly as a level 5 user,
but he can't see the configure command in exec mode
when he tries to execute the command configure.
In the debug
I tried the same with john:
when the request is sent from the user john it shows service none privilege=15
but for user bob it shows
service none privilege=1
Why is the command showing as connect and the arg as configure for user bob? I have got no idea about this, and it is working fine for john. What could be the problem? Can anyone help me with this please? I have been working a lot on this to get it working.
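As an added example (not from the post and not Cisco's code), a small Python model of the ACS per-user shell command authorization rules the poster describes, assuming these matching semantics: a listed command checks its argument lines in order (modelled as a regex search), falls back to its unmatched-arguments setting, and an unlisted command falls back to the unmatched-commands setting. It shows why a request parsed as cmd=connect arg=configure is denied for bob but permitted for john.

```python
import re


class CommandAuthzPolicy:
    """ACS-style per-user shell command authorization set (constructed model)."""

    def __init__(self, unmatched_commands, commands):
        # unmatched_commands: "permit" or "deny" for commands not listed below.
        # commands: {cmd: {"args": [(action, regex), ...], "unmatched_args": action}}
        self.unmatched_commands = unmatched_commands
        self.commands = commands

    def evaluate(self, cmd, args):
        entry = self.commands.get(cmd)
        if entry is None:
            return self.unmatched_commands
        for action, pattern in entry["args"]:
            # Assumption: ACS argument lines are regular expressions matched
            # against the argument string; first matching line wins.
            if re.search(pattern, args):
                return action
        return entry["unmatched_args"]


def parse_command_line(line):
    """Split a typed exec line into the command word and its argument string."""
    parts = line.strip().split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def authorize(policy, line):
    cmd, args = parse_command_line(line)
    return policy.evaluate(cmd, args)


# john: unmatched commands permitted, unmatched arguments permitted.
JOHN = CommandAuthzPolicy("permit", {})

# bob: unmatched commands denied; only "configure" with argument "terminal".
BOB = CommandAuthzPolicy("deny", {
    "configure": {"args": [("permit", "terminal")], "unmatched_args": "deny"},
})

if __name__ == "__main__":
    for line in ("configure terminal", "configure memory", "connect configure"):
        print(f"bob  {line!r:22} -> {authorize(BOB, line)}")
        print(f"john {line!r:22} -> {authorize(JOHN, line)}")
```

The debug in the post shows bob's request arriving with cmd=connect and arg=configure, which this policy denies; the same request from john is permitted because his set permits unmatched commands.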
Re: strange problem with command authorisation on acs
In your query, you have mentioned that "john is configured with level 15". But here you didn't mention "John". If my understanding is correct, can you let me know the privilege level you have configured for John?