Hi all,
I am using a cisco 871 router running Version 12.4(11)T advanced IP Services.
I am having trouble getting AAA Authorization to work correctly with ACS.
I am able to set the users up on ACS fine and assign them shell and priv level 7.
I then setup a Shell Auth Set, and enter in the commands show and configure.
When I log in as a user, I get an exec with a priv level of 7 no problems, but I never seem to be able
to access global config mode by typing in conf (or configure) terminal or t.
If I type con? the only command there is connect, configure is never an option...
The only way I can get this to work is by entering the command:
privilege exec level 7 configure terminal
I thought the whole purpose of the ACS Shell Set was to provide this information to the Router?
This is most frustrating
The ACS Server is set up with a Shell Command Authorization Set named Level_7
It is assigned to the relevant groups and I even have the "Unmatched Commands" option selected to "Permit"
The "Permit Unmatched Args" is also selected.
See an excerpt of my IOS config below:
aaa new-model
!
!
aaa group server tacacs+ ACS
server 10.90.0.11
!
aaa authentication login default group ACS local
aaa authorization exec default group ACS
aaa authorization commands 7 default group ACS local
!
tacacs-server host 10.90.0.11 key cisco
!
!
privilege exec level 7 configure terminal
privilege exec level 7 configure
privilege exec level 7 show running-config
privilege exec level 7 show
!
Hope you can help me with this one..
Regards,
I am using a cisco 871 router running Version 12.4(11)T advanced IP Services.
I am having trouble getting AAA Authorization to work correctly with ACS.
I am able to set the users up on ACS fine and assign them shell and priv level 7.
I then setup a Shell Auth Set, and enter in the commands show and configure.
When I log in as a user, I get an exec with a priv level of 7 no problems, but I never seem to be able
to access global config mode by typing in conf (or configure) terminal or t.
If I type con? the only command there is connect, configure is never an option...
The only way I can get this to work is by entering the command:
privilege exec level 7 configure terminal
I thought the whole purpose of the ACS Shell Set was to provide this information to the Router?
This is most frustrating
The ACS Server is set up with a Shell Command Authorization Set named Level_7
It is assigned to the relevant groups and I even have the "Unmatched Commands" option selected to "Permit"
The "Permit Unmatched Args" is also selected.
See an excerpt of my IOS config below:
aaa new-model
!
!
aaa group server tacacs+ ACS
server 10.90.0.11
!
aaa authentication login default group ACS local
aaa authorization exec default group ACS
aaa authorization commands 7 default group ACS local
!
tacacs-server host 10.90.0.11 key cisco
!
!
privilege exec level 7 configure terminal
privilege exec level 7 configure
privilege exec level 7 show running-config
privilege exec level 7 show
!
Hope you can help me with this one..
Regards,