Configuring aaa local command authorization

i am a bit struggling with how to configure aaa local command authorization, i am not getting any material also for configuring it. Please tell me how to configure aaa local command authorization.. or possible give me some useful links for that..

Hi,
For aaa authorization command set.Kindly refer to link.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_command_reference_chapter09186a00800ca5d4.html
I hope this help.Please rate this post.
cheers
Sachin

Similar Messages

AAA issue ( command authorization failed)

I am getting the issue, and following is the script , cannot find and locate the cause of error !
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname hexxor
boot-start-marker
boot-end-marker
enable secret 5 $1$Y.Nt$aZ9/2rl2DMbEnSGJVqmln1
enable password 7 0525112F05411F075231123E
username hexxor password 7 024D2A103F26243363593D1C2B5C
aaa new-model
aaa authentication login T-AUTH group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
aaa accounting exec T-ACC start-stop group tacacs+
aaa accounting commands 15 T-ACC start-stop group tacacs+
interface Vlan1
no ip address
interface Vlan50
ip address 128.1.50.54 255.255.255.0
no ip route-cache
ip default-gateway 128.1.50.254
no ip http server
ip http secure-server
ip sla enable reaction-alerts
logging trap debugging
logging 10.241.40.20
logging 128.1.50.245
access-list 1 permit 128.1.50.245
snmp-server host 10.241.40.27 Armageddon
snmp-server host 128.1.50.245 Armageddon
tacacs-server host 10.241.40.22
tacacs-server host 10.241.40.23
tacacs-server directed-request
tacacs-server key 7 020813480E052F2E4D
line con 0
exec-timeout 5 0
password 7 1142374E2332201E2B3D1F210678
authorization commands 15 T-AUTHOR
authorization exec T-AUTHOR
accounting commands 15 T-ACC
accounting exec T-ACC
login authentication T-AUTH
transport preferred none
line vty 0 4
exec-timeout 5 0
password 7 06281801684358174E231727
authorization commands 15 T-AUTHOR
authorization exec T-AUTHOR
accounting commands 15 T-ACC
accounting exec T-ACC
login authentication T-AUTH
transport input telnet
transport output telnet
line vty 5 15
password 7 0228137B2F0B5E2F077A0C35
end

Based on what I think I understand in this reply it appears that the problem is caused in the named authorization method of T-AUTHOR. This named method sends an authorization request to the TACACS server. So it appears that the TACACS server is not authorizing the commands that you enter.
I would suggest this as a first test:
- login to the device.
- go into enabl mode.
- attempt the show run command. (I assume that it will fail)
- check on the TACACS server. look in the logs for indications of how it processed the request and why it did not authorize it.
If you want to do a second test to verify the cause of the problem then I would suggest this:
- remove from the config these lines
aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
then login to the device, go into enable mode, attempt the show run command
Try one or both of these tests and post back to tell us of the results.
HTH
Rick

Question about usage of aaa accounting commands

Hi everyone,
I have the problem that Cisco routers and switches do not send some accounting command
information to ACS.
Accounting commands do not send to ACS are "show log" and "show version".
Accounting commands send to ACS are "show runn", "conf t" and "debug"
The configuration of routers and switches is the following
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host xxx.xxx.xxx.xxx key yyyy
I think the commands do not send to ACS are privilege level 1 command and the commands
send to ACS are privilege level 15 command.
So I need to additional aaa accounting command below to get routers and switches send level 1
command to ACS, because the "15" of "aaa accounting commands 15" does not include level 1
so need to configure "aaa accounting commands 1" for level 1 commands.
aaa accounting commands 1 default start-stop group tacacs+
Is my understanding correct ?
Your information would be greatly appreciated.
Best regards,

Hi,
plese do this and the router will send
everything to the ACS server, except
whatever you are doing to the router in http:
aaa new-model
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+
aaa session-id common
ip http authentication aaa login-authentication VTY
ip http authentication aaa exec-authorization VTY
tacacs-server host 192.168.15.10 key 7 1446405858517C
tacacs-server directed-request
line con 0
exec-timeout 0 0
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
logging synchronous
login authentication notac
line aux 0
session-timeout 35791
exec-timeout 35791 23
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication notac
transport input all
line vty 0
exec-timeout 0 0
authorization commands 0 VTY
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication VTY
David
CCIE Security

Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets

Hello All,
I am trying to create a user so that I can provide him only to run commands that I have designated them to run within my "Shell Command Authorization Set". This seems to work great, however I cannot find anywhere I can "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option to only display commands the user has access to in ACS.
My Steps:
Created a user in ACS
Shared Profile Components
Create Shell command Autorization Set - "ReadOnly"
Unmatched Commands - Deny
Unchecked - Permit Unmatched Arg
Commands Added
permit interface
permit vlan
permit snmp contact
permit power inline
permit version
permit switch
permit controllers utilization
permit env all
permit snmp location
permit ip http server status
permit logging
Created a group - "GroupTest" with the following
Confirgured - Network Access Restrictions (NAR)
Max Sessions - Unlimited
Enable Options - No Enable Privilege
TACACS+ Settings
Shell (exec)
Priviledge level is check with 1 as the assigned level
Shell Command Authorization Set
"ReadOnly" - Assign a Shell Command Authorization Set for any network device
I have configured following on my Router/Switch
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ if-authenticated
privilege exec level 1 show log
I have attached below the documention I have gone over.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624

"you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
Correct me if I am wrong."
Regards
Vamsi

Shell Command Authorization Sets ACS

hi i followed this guide step by step http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
but still all my user can use all the commands
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R3
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login milista group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common
memory-size iomem 5
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
multilink bundle-name authenticated
username admin privilege 15 secret 5 $1$CS17$3oeNpzTvJAyZTvOUP2qyB1
archive
log config
hidekeys
interface FastEthernet0/0
ip address 192.168.20.1 255.255.255.0
duplex auto
speed auto
interface Serial0/0
no ip address
shutdown
clock rate 2000000
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface Serial0/1
ip address 20.20.20.2 255.255.255.252
clock rate 2000000
interface Serial0/2
no ip address
shutdown
clock rate 2000000
interface Serial0/3
no ip address
shutdown
clock rate 2000000
router eigrp 1
network 20.0.0.0
network 192.168.20.0
no auto-summary
ip forward-protocol nd
no ip http server
no ip http secure-server
tacacs-server host 192.168.20.2 key cisco
control-plane
line con 0
exec-timeout 0 0
logging synchronous
login authentication milista
line aux 0
line vty 0 4
end
i copy the authorization commands from the cisco forum and follow the steps but no thing all my users have full access to all commands
heres my share profile
name-------------admin jr
Description---------for jr admin
unmatched commands------- ()permit (x)deny
permint unmatched args()
enable
show -------------------------- permit version<cr>
permit runnig-config<cr>
then i add this profifle to group 2 and then i add my user to the group 2
then i log in to the router enter with the user and i still can use ALL the commands i dont know what i am doign bad any idea?
can you give me if you can a guide to setup authorization with ACS i cant find any good guide jeremy from CBT gives a example but just for authentication i am lost i am battling with this prblem since wednesday without luck

"you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
Correct me if I am wrong."
Regards
Vamsi

ACS command Authorization on PIX Console

I have configured the pix firewall for ACS authentication and command authorization, everything is working fine
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 172.28.x.x x.x.x
aaa-server TACACS+ (inside) host 172.28.x. xx
aaa authentication ssh console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+
but porblem is that i dont wana have ACS authentication while connecting with console. In case of emergency when
ACS down, i wana to get console and access the device by using local username and password
but now after this configuration when i try to access the firewall via console, i m getting error of
command authorization fail.
I dont wana have any command authorization while connected with console, Please tell me how to resolve this issue
I have made the command authorization set in ACS and it is working fine for me,

kindly once again check my modified configuration,
I wanted to use this option in case, ACS goes down and i can console my firewall and but it is not working fine me.
aa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (edn) host 172.28.31.132
aaa-server TACACS+ (edn) host 172.28.31.133
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+
but i m not able to login i m getting following eror
Command authorization failed
TDC-INT-525-01> exit
Command authorization failed
TDC-INT-525-01> exit
Command authorization failed
TDC-INT-525-01> enable
Command authorization failed
i also defined the local command authorization set like this
privilege cmd level 15 mode exec command exit
privilege show level 5 mode exec command running-config
privilege show level 15 mode exec command version
privilege show level 0 mode exec command access-list
privilege show level 0 mode configure command access-list
privilege cmd level 15 mode configure command exit
privilege cmd level 15 mode configure command no
privilege cmd level 0 mode configure command access-list
privilege cmd level 15 mode interface command exit
privilege cmd level 15 mode subinterface command exit
privilege cmd level 15 mode dynupd-method command exit
privilege cmd level 15 mode trange command exit
privilege cmd level 15 mode route-map command exit
privilege cmd level 15 mode router command exit
privilege cmd level 15 mode ldap command exit
privilege cmd level 15 mode aaa-server-host command exit
privilege cmd level 15 mode aaa-server-group command exit
privilege cmd level 15 mode context command exit
privilege cmd level 15 mode group-policy command exit
privilege cmd level 15 mode username command exit
privilege cmd level 15 mode tunnel-group-general command exit
privilege cmd level 15 mode tunnel-group-ipsec command exit
privilege cmd level 15 mode tunnel-group-ppp command exit
privilege cmd level 15 mode mpf-class-map command exit
privilege cmd level 15 mode mpf-policy-map command exit
privilege cmd level 15 mode mpf-policy-map-class command exit
privilege cmd level 15 mode mpf-policy-map-class command exit
privilege cmd level 15 mode mpf-policy-map-param command exit
Please tell me how to solve this problem

Pix command authorization problem

help required
i am trying to configure pix firewall command authorization using cisco
secure acs 4.2 and a pix 515 running 7.0(5) but have run into a problem
i cant get it to work!
i have included the pix firewall configuration below and have included
screen shots of the acs configuration as attachments
as you can see i can authenticate ok but that is as far as i can go
as soon as i try and use the enable command authorization fails
i cant even enter a password
i have created two shell command authorization sets
one called admins which is configured to allow all commands
and one called restricted which restrics me to only a few commands
if i apply the admins authorization set to the group where the user
resides i can authenticate and authorize and i have access to all
commands but if i apply the restrictd authorization set i get the
problem depicted below
i would appreciate it if someone could take a look and give me
some pointers as to where i am going wrong
regards
melvyn brown
interface ethernet0
nameif outside
ip address 110.1.1.1 255.255.255.0
speed 100
duplex full
no shut
interface ethernet1
nameif inside
ip address 192.168.8.2 255.255.255.0
speed 100
duplex full
no shut
route inside 192.168.7.0 255.255.255.0 192.168.8.1
route inside 192.168.3.0 255.255.255.0 192.168.8.1
aaa-server ACS1 protocol tacacs+
aaa-server ACS1 host 192.168.7.2
key cisco123
domain-name acme.com
crypto key generate rsa modulus 1024
telnet 192.168.3.2 255.255.255.255 inside
ssh 192.168.3.2 255.255.255.255 inside
aaa authentication enable console ACS1
aaa authentication serial console ACS1
aaa authentication ssh console ACS1
aaa authentication telnet console ACS1
aaa authorization command ACS1
Username: fred
Password: **********
Type help or '?' for a list of available commands.
pixfirewall> en
Command authorization failed
pixfirewall> ?
clear   Reset functions
enable Turn on privileged commands
exit    Exit from the EXEC
help    Interactive help for commands
login   Log in as a particular user
logout Exit from the EXEC
ping    Send echo messages
quit    Exit from the EXEC
show    Show running system information

Fixed it. It was one of those ID10T type errors. The user I was testing against was in in group1 on the ACS. Trouble is I was adding command authorizations to group0. Duh!

Command Authorization in ACS 5.0

Hi,
Can anybody route me to configuration example for command authorization in routers or switches or firewall for ACS 5.0.
OR
USER-A should be placed in privilege level 2 and given access to all debug commands and the undebug all command.
Assigned specified commands to level 2
privilege exec level 2 undebug all
privilege exec all level 2 debug
The commands what i applied on routers are above.How i can set a privilege level of 2 on user in ACS 5.0.??????
Also if i want to do shell command authorization set,how can i do it in ACS 5.0
Thanks,

You need to create a shell profile to assign the desired privilege level, and a command set to authorize specific commands, then associate those two with the authorization policy that applies to those users.

Cisco 4.2 radius command authorization

Hi,
I am trying to do command authorization in radius. I have searched but i couldnt get any luck.
Is it possible to do this? if any yes can anyone tell me the steps. i would be great.
Thanks,

IOS does support command authorization, however, only with TACACS (updated by paul)
very Nice configuration example on command authorization with tacacs
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#backinfo
Rgds, Jatin
Do rate helpful posts~

AAA -- Int range configuration gives "Command authorization failed" msg.

Versions involved:
AAA
ACS 4.1.4.13.12
Devices:
C2960-LANBASE-M, Version 12.2(25)SEE3, RELEASE SOFTWARE (fc2)
C3550-I9Q3L2-M, Version 12.1(14)EA1a, RELEASE SOFTWARE (fc1)
If we try to configure a single interface or just a very small range, it works fine, but if we try to configure a larger range of interfaces, we get a Command authorization failed message, as can be seen below:
HOST1184(config)#int range fastEthernet 0/1 - 3
HOST1184(config-if-range)# switchport access vlan 24
HOST1184(config-if-range)# switchport mode access
HOST1184(config-if-range)# switchport voice vlan 301
HOST1184(config-if-range)# dot1x pae authenticator
HOST1184(config-if-range)# dot1x port-control auto
HOST1184(config-if-range)# dot1x timeout reauth-period 7200
HOST1184(config-if-range)# dot1x timeout supp-timeout 120
HOST1184(config-if-range)# dot1x max-req 1
HOST1184(config-if-range)# dot1x max-reauth-req 1
HOST1184(config-if-range)# dot1x reauthentication
HOST1184(config-if-range)# dot1x guest-vlan 280
HOST1184(config-if-range)# spanning-tree portfast
HOST1184(config-if-range)#!
OST1184(config-if-range)#end
HOST1184#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HOST1184(config)#int range fastEthernet 0/4 - 14
HOST1184(config-if-range)# switchport access vlan 24
Command authorization failed.
Command authorization failed.
Command authorization failed.
HOST1184(config-if-range)# switchport mode access
HOST1184(config-if-range)# switchport voice vlan 301
HOST1184(config-if-range)# dot1x pae authenticator
HOST1184(config-if-range)# dot1x port-control auto
Command authorization failed.
HOST1184(config-if-range)# dot1x timeout reauth-period 7200
Command authorization failed.
HOST1184(config-if-range)# dot1x timeout supp-timeout 120
Command authorization failed.
HOST1184(config-if-range)# dot1x max-req 1
Command authorization failed.
HOST1184(config-if-range)# dot1x max-reauth-req 1
Command authorization failed.
HOST1184(config-if-range)# dot1x reauthentication
Command authorization failed.
HOST1184(config-if-range)# dot1x guest-vlan 280
Command authorization failed.
HOST1184(config-if-range)# spanning-tree portfast
Command authorization failed.
HOST1184(config-if-range)#!
The pieces of config are as follows:
aaa new-model
aaa group server radius dot1x
server 10.61.156.136 auth-port 1812 acct-port 1813
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group dot1x
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated none
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
enable secret 5 <removed>
logging 10.142.4.45
snmp-server community <removed> RO
snmp-server community <removed> RW
snmp-server location "SD"
snmp-server contact contact - [email protected]
tacacs-server host A.B.C.D timeout 5 key <removed>
tacacs-server host A.B.C.D timeout 5 key <removed>
tacacs-server host A.B.C.D timeout 5 key <removed>
no tacacs-server directed-request
radius-server host 10.61.156.136 auth-port 1812 acct-port 1813 key 7 096E5C3D4851
radius-server retransmit 3
Anyone out there has a solution for such a problem?
Regards,
AL

Hi JG, thanks for your response.
I don't have the appliance close to me, so I cannot check on this setting.
As soon as I have a chance, I will return with this info.
Anyway, why does it work for other devices and also, why we don't have any problem when configuring a small range of interfaces?
Once again, thanks for your reply.
Regards,
AL

Configuring AAA to include local auth for Console connections

Recently realized, during a maintenance window, that my AAA configurations are not set to use local authentication if the AAA server is unavailable. Could use a little help in making sure I have the correct setup. Below is what I have configured today:
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host x.x.x.x
tacacs-server timeout 120
tacacs-server directed-request
tacacs-server key <key>

Would I add that as a separate line, or to the current one? Examples:
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa authorization console
OR
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+ console
aaa accounting commands 15 default start-stop group tacacs+

3640 - AAA/AUTHOR: config command authorization not enabled

Hello, I have a 3640 router with c3640-ik9o3sw6-mz.122-8.T.bin version but when I try to validate the username and password with a radius server, the debbug message is "AAA/AUTHOR: config command authorization not enabled" and I'm sure that the radius validates the user and the packet arrive to the router.
I've tried to update the IOS with c3640-ik9o3s-mz.122-46a.bin and I can validate but I cannot use "crypto isakmp client configuration group mygroup" to configure Easy VPN server.
I attach you the files with config and logs.
Thanks you in advance.

Yep! I'm really running 12.1!
I'm receiving the message once i include "aaa authorization exec default group radius local if-authenticated" in the config.
Login is successful, however authorization does not allow me to go directly into enable mode. If I take the aaa authorization line out I can login to user mode and then use the enable password to move forward but that is not what I wish to achieve.
sh run | i aaa
aaa new-model
aaa authentication attempts login 5
aaa authentication banner ^C
aaa authentication fail-message ^C
aaa authentication login My-RADIUS group radius local
aaa accounting exec My-RADIUS start-stop group radius
aaa session-id common
Is there somewhere specific I was suppose to configure the aaa authorization enabled, because I'm not seeing it.
Let me know what other thoughts you may have.
Thanks
Nik

Command authorization failed - 'AAA API' detected the 'fatal' condition 'No method could process the authorisation request' % Incomplete command.

we are using CISCO ASR 9006 . and we configured aaa authentication and commit changes after that i am able to login ASR with local user but
no any command execute and get error.
Command authorization failed - 'AAA API' detected the 'fatal' condition 'No method could process the authorisation request'
% Incomplete command.
please help.

Hi Anop
How did you get over this problem? I am having the same issue.
Regards
Rohan

Command authorization error when using aaa cache

Hi,
I'm trying to use the aaa cache mode for command authorization. But when I execute a command there is always an error message:
% tty2 Unknown authorization method 6 set for list command
The command is then always authorized against the tacacs server.
The 'authentication login', 'authentication enable' and 'authorization exec' are using the cache properly.
I have tried it with an Accesspoint AIR-AP1242AG-E-K9, IOS 12.3(8)JEA and a Catalyst WS-C3550-24PWR-SMI, IOS 12.2(35)SE with the same results.
Deleting the cache entry and using only the tacacs group the error message disappears.
Any suggestions?
Thanks.
Frank
======
config
======
aaa new-model
aaa group server tacacs+ group_tacacs
server 10.10.10.10
server 10.10.10.11
cache expiry 12
cache authorization profile admin_user
cache authentication profile admin_user
aaa authentication login default cache group_tacacs group group_tacacs local
aaa authentication enable default cache group_tacacs group group_tacacs enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default cache group_tacacs group group_tacacs local
aaa authorization commands 15 default cache group_tacacs group group_tacacs local
aaa accounting exec default start-stop group group_tacacs
aaa cache profile admin_user
profile admin no-auth
aaa session-id common
tacacs-server host 10.10.10.10 single-connection
tacacs-server host 10.10.10.11 single-connection
tacacs-server directed-request
tacacs-server key 7 <removed>
============
debug output
============
ap#
Feb 7 20:02:37: AAA/BIND(00000004): Bind i/f
Feb 7 20:02:37: AAA/AUTHEN/CACHE(00000004): GET_USER for username NULL
Feb 7 20:02:39: AAA/AUTHEN/CACHE(00000004): GET_PASSWORD for username admin
Feb 7 20:02:42: AAA/AUTHEN/CACHE(00000004): PASS for username ^->o
Feb 7 20:02:42: AAA/AUTHOR (0x4): Pick method list 'default'
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV cmd=
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV priv-lvl=15
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): Authorization successful
ap#
Feb 7 20:02:54: AAA: parse name=tty2 idb type=-1 tty=-1
Feb 7 20:02:54: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Feb 7 20:02:54: AAA/MEMORY: create_user (0xBA9C34) user='admin' ruser='ap' ds0=0 port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Port='tty2' list='' service=CMD
Feb 7 20:02:54: AAA/AUTHOR/CMD: tty2(787222339) user='admin'
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV service=shell
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd=show
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): found list "default"
Feb 7 20:02:54: % tty2 Unknown authorization method 6 set for list command
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = ERROR
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Method=group_tacacs (tacacs+)
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): user=admin
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV service=shell
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd=show
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = PASS_ADD
Feb 7 20:02:54: AAA/MEMORY: free_user (0xBA9C34) user='admin' ruser='ap' port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE
priv=15 vrf= (id=0)

Hi,
I really do not think that command authorization results will be cached. The cache keeps the user credentials and attributes passed during exec authorization but for command authorization it would have to check with the tacacs server always.
Regards,
Vivek

Configuring AAA Authorization on ACS 4.1

Hi,
Can anybody provide me links to any good documentation on how to configure AAA Authorization using Command Shell on the ACS 4.1 ? I would be really grateful if someone one can point me few links.
Thanks,
Meet

Hi
I would try looking at this link:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a0080088893.shtml
This describes how to plan, design and build shell cmd auth config in ACS.
Darran

Configuring aaa local command authorization

Similar Messages

Maybe you are looking for