Community Member

strange problem with command authorisation on acs

Hi, I am having a problem with command authorisation with ACS. I have a full version of ACS 3.3.

I have configured my router like this.

R1

aaa new-model
aaa authentication login default none
aaa authentication login john default group tacacs+
aaa authorization console
aaa authorization exec bob group tacacs+
aaa authorization commands 5 bob group tacacs+
aaa authorization commands 15 bob group tacacs+
line vty 0 4
 login authentication john
 authorization exec bob
 authorization commands 5 bob
 authorization commands 15 bob

On the ACS I have specified per-user shell command authorisation and I have created 2 users, john and bob.

john is configured with level 15:

unmatched commands are permitted with unmatched arguments

bob is the level 5 user, configured with:

unmatched commands (deny)
add command configure
arguments permit terminal
unmatched arguments (deny)

john gets authenticated and authorised properly.

bob gets authenticated and authorised properly as a level 5 user, but he can't see the configure command in exec mode.

When he tries to execute the command configure, in the debug:

av-user=bob

av-service=shell

av-cmd=connect

av-cmd-arg=configure

I tried the same with john:

av-user=john

av-service=shell

av-user=configure

av-cmd-arg=terminal

When the request is sent from the user john it shows service none privilege=15

but for user bob it shows

service none privilege=1

Why is the command showing as connect and the arg as configure for user bob? I have got no idea about this, and it is working fine for john. What could be the problem? Can anyone help me with this, please? I have been working a lot on this to get it working.

sebastan
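
An added example, not part of the original thread and not Cisco's code: a minimal Python model of the per-user shell command authorisation settings described in the question, evaluated over requests constructed from the debug lines quoted there. The class and function names are hypothetical, exact-string argument matching is a simplifying assumption, and john's request is assumed to carry cmd=configure.

```python
from dataclasses import dataclass, field

@dataclass
class CommandRule:
    """One 'add command' entry: ordered (action, argument) pairs plus a default."""
    args: list = field(default_factory=list)
    unmatched_args_permit: bool = False

@dataclass
class CommandSet:
    """Per-user shell command authorisation settings (hypothetical model)."""
    unmatched_commands_permit: bool
    commands: dict = field(default_factory=dict)

    def authorize(self, cmd: str, cmd_arg: str = "") -> bool:
        rule = self.commands.get(cmd)
        if rule is None:                      # command not listed for this user
            return self.unmatched_commands_permit
        for action, arg in rule.args:         # first matching argument wins
            if arg == cmd_arg:                # assumption: exact-string match
                return action == "permit"
        return rule.unmatched_args_permit

# Settings as stated in the question.
POLICY = {
    "john": CommandSet(unmatched_commands_permit=True),
    "bob": CommandSet(
        unmatched_commands_permit=False,
        commands={"configure": CommandRule([("permit", "terminal")], False)},
    ),
}

# Constructed requests: (user, cmd, cmd-arg). The first mirrors bob's debug
# lines; the second is what bob's settings are written to allow; the third
# assumes john's request carried cmd=configure.
REQUESTS = [
    ("bob", "connect", "configure"),
    ("bob", "configure", "terminal"),
    ("john", "configure", "terminal"),
]

def evaluate(requests=REQUESTS):
    """Return (user, cmd, cmd_arg, 'PASS'|'FAIL') for each request."""
    return [(u, c, a, "PASS" if POLICY[u].authorize(c, a) else "FAIL")
            for u, c, a in requests]

if __name__ == "__main__":
    for row in evaluate():
        print("%-5s cmd=%-10s cmd-arg=%-10s -> %s" % row)
```

The request in the form shown in bob's debug (cmd=connect, cmd-arg=configure) falls under "unmatched commands (deny)", while the same settings pass cmd=configure with cmd-arg=terminal.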

1 REPLY
Silver

Re: strange problem with command authorisation on acs

In your query, you have mentioned that "john is configured with level 15". But here you didn't mention about "John". If my understanding is correct, can you let me know the privilege level you have configured for John.
