Hi all. I am really struggling to get my AAA config working. I have
added the following config to my switches:-
aaa new-model
aaa authentication fail-message ^CAuthentication Failure: Please check your password and try again!^C
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE line
aaa authorization exec default group tacacs+
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ ne
aaa authorization commands 15 default group tacacs+ ne
aaa accounting send stop-record authentication failure
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default stop-only group tacacs+
However, when I log in with my account name 'rmgd' and try to run any
commands it says 'command authorization failed'. I have one user group
on the Cisco ACS V4 server but it isn't helping me debug the problem
much.
I have run a 'debug aaa authorization' on the switch and this is the
output:-
1w5d: tty2 AAA/AUTHOR/EXEC (4167861707): found list "default"
1w5d: tty2 AAA/AUTHOR/EXEC (4167861707): Method=tacacs+ (tacacs+)
1w5d: AAA/AUTHOR/TAC+: (4167861707): user=rmgd
1w5d: AAA/AUTHOR/TAC+: (4167861707): send AV service=shell
1w5d: AAA/AUTHOR/TAC+: (4167861707): send AV cmd*
1w5d: AAA/AUTHOR (4167861707): Post authorization status = PASS_ADD
1w5d: AAA/AUTHOR/EXEC: Processing AV service=shell
1w5d: AAA/AUTHOR/EXEC: Processing AV cmd*
1w5d: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
1w5d: AAA/AUTHOR/EXEC: Authorization successful
1w5d: tty2 AAA/AUTHOR/CMD (3304041969): Port='tty2' list='' service=CMD
1w5d: AAA/AUTHOR/CMD: tty2 (3304041969) user='rmgd'
1w5d: tty2 AAA/AUTHOR/CMD (3304041969): send AV service=shell
1w5d: tty2 AAA/AUTHOR/CMD (3304041969): send AV cmd=show
1w5d: tty2 AAA/AUTHOR/CMD (3304041969): send AV cmd-arg=running-config
1w5d: tty2 AAA/AUTHOR/CMD (3304041969): send AV cmd-arg=<cr>
1w5d: tty2 AAA/AUTHOR/CMD (3304041969): found list "default"
1w5d: tty2 AAA/AUTHOR/CMD (3304041969): Method=tacacs+ (tacacs+)
1w5d: AAA/AUTHOR/TAC+: (3304041969): user=rmgd
1w5d: AAA/AUTHOR/TAC+: (3304041969): send AV service=shell
1w5d: AAA/AUTHOR/TAC+: (3304041969): send AV cmd=show
1w5d: AAA/AUTHOR/TAC+: (3304041969): send AV cmd-arg=running-config
1w5d: AAA/AUTHOR/TAC+: (3304041969): send AV cmd-arg=<cr>
1w5d: AAA/AUTHOR (3304041969): Post authorization status = FAIL
Any help would be greatly appreciated.
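
An added example, not part of the original post: a small Python parser that groups `debug aaa authorization` lines like those above by transaction id and lists the commands whose authorization ended in FAIL. The function names are hypothetical; the sample lines are copied from the output in the post.

```python
import re

# Sample input: lines copied from the debug output in the post above.
SAMPLE = """\
1w5d: tty2 AAA/AUTHOR/EXEC (4167861707): found list "default"
1w5d: AAA/AUTHOR/TAC+: (4167861707): user=rmgd
1w5d: AAA/AUTHOR/TAC+: (4167861707): send AV cmd*
1w5d: AAA/AUTHOR (4167861707): Post authorization status = PASS_ADD
1w5d: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
1w5d: AAA/AUTHOR/CMD: tty2 (3304041969) user='rmgd'
1w5d: AAA/AUTHOR/TAC+: (3304041969): send AV service=shell
1w5d: AAA/AUTHOR/TAC+: (3304041969): send AV cmd=show
1w5d: AAA/AUTHOR/TAC+: (3304041969): send AV cmd-arg=running-config
1w5d: AAA/AUTHOR/TAC+: (3304041969): send AV cmd-arg=<cr>
1w5d: AAA/AUTHOR (3304041969): Post authorization status = FAIL
"""
TXN = re.compile(r"\((\d+)\)")                       # transaction id
KIND = re.compile(r"AAA/AUTHOR/(EXEC|CMD)\b")        # exec vs. command authorization
USER = re.compile(r"user='?([^'\s]+)")
AV = re.compile(r"AAA/AUTHOR/TAC\+.*send AV (\S+)")  # AV pairs sent to the server
STATUS = re.compile(r"Post authorization status = (\w+)")

def summarize(log):
    txns = {}
    for line in log.splitlines():
        m = TXN.search(line)
        if not m:
            continue  # "Processing AV ..." lines carry no transaction id
        t = txns.setdefault(m.group(1), {"kind": None, "user": None, "avs": [], "status": None})
        if k := KIND.search(line):
            t["kind"] = k.group(1)
        if u := USER.search(line):
            t["user"] = u.group(1)
        if a := AV.search(line):
            t["avs"].append(a.group(1))
        if s := STATUS.search(line):
            t["status"] = s.group(1)
    return txns

def denied_commands(txns):
    """Return (user, command) for each command authorization that ended in FAIL."""
    out = []
    for t in txns.values():
        if t["kind"] == "CMD" and t["status"] == "FAIL":
            pairs = [a.split("=", 1) for a in t["avs"] if "=" in a]
            words = [v for k, v in pairs if k in ("cmd", "cmd-arg") and v != "<cr>"]
            out.append((t["user"], " ".join(words)))
    return out

print(denied_commands(summarize(SAMPLE)))
```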