Enabling aaa authorization on pix/asa

I managed to get authentication on easily enough but now am having difficulty getting authorization to work properly. I have auth/author turned on for my IOS stuff so any techs logged in will have rights based on what I give them on Secure ACS. However I can't get the same to work on PIX code. I can log in fine with aaa authentication but it still prompts me for the enable password. End result is I want to be able to log in just once (and enabled). Any white papers that can point me in the right direction?

Thank you, Prem. Here is my concern. When I enable AAA access on the firewalls, from what you said there is no way for me to govern what rights a tech has when accessing the device? I want to establish the same restrictions as on the IOS gear I have, where normal techs will only have certain commands and others have full command. The way it is now, anyone with an account on Secure ACS can access it via ASDM.
EDIT:
Also I'm a little confused about the various fields on the AAA Access (from Device Access) tab. In Authentication, there is an option to toggle to require auth to be able to use enable mode. I am not sure how this authenticates against our ACS server (I checked the various settings in ACS and enabled what I think are all PIX commands to permit enable) and it doesn't work. I enter the enable password when I telnet in and I get auth failed when running any commands.
Also there is an Authorization tab which I am assuming allows you to push down rights from an aaa server? Where on the ACS can I configure that?

Similar Messages

  • AAA Authorization on PIX

    I have set up authentication and Authorization on the PIX. Authentication works but Authorization fails. I try to debug but nothing shows up (on PIX or ACS), but it does if I debug Authentication

    Make sure you have enable authentication:
    aaa authentication ssh console TACACS LOCAL
    aaa authentication telnet console TACACS LOCAL
    aaa authentication enable console TACACS LOCAL
    aaa authorization command TACACS LOCAL
    In case it does not work, please get the aaa config.
    Regards,
    ~JG
    Do rate helpful posts

  • TACACS config for PIX & ASA

    I am struggling to configure TACACS to allow authentication via Cisco ACS. I was able to configure it for the 2950 and 3750 switches but not for the ASA & PIX; can anyone let me know the configs?

    I am actually looking for a similar command which I used on the Cisco 2950/3750
    aaa new-model
    aaa authentication login default group tacacs+ enable local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    With these commands I was able to track which commands the user used, logged with the user name I configured on TACACS. With the command you sent me ("aaa-server TACACS+ host ") I was able to log in with the TACACS user name, but it is not accounting all the details like login & logout time, the commands the user issued, etc.

  • AAA authorization not working

    Hi,
    Configured the switch for AAA authentication; it's getting authenticated but it's failing for authorization.
    When connected to the console it worked: authenticated and then supplied the enable password.
    When telneting in, it says "access approved" and "authorization failed".
    Relevant switch configuration is as follows, and also the debug of aaa authorization.
    +++++++++++++++++++++++++++++
    no service single-slot-reload-enable
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    hostname Switch
    aaa new-model
    aaa authentication login default group radius local
    aaa authentication enable default enable
    aaa authorization config-commands
    aaa authorization exec default group radius if-authenticated local
    aaa authorization commands 15 default group radius if-authenticated local
    enable secret 5 $lkl34579231$uK8U$B4sL3AiXAEUzZ8o.Dv34Y/
    username cisco privilege 15 password 7 05080F1C224233 
    vlan 10
    vlan 120
    ip subnet-zero
    vtp mode transparent
    spanning-tree extend system-id
    interface FastEthernet0/1
      switchport access vlan 10
      switchport mode access
      no ip address
      spanning-tree portfast
    interface GigabitEthernet0/1
      no ip address
    interface GigabitEthernet0/2
      no ip address
    interface Vlan1
      no ip address
      shutdown
    interface Vlan120
      ip address 10.12.8.70 255.255.255.240
    ip default-gateway 10.12.8.65
    ip classless
    ip http server
    radius-server host 192.168.38.169 auth-port 1812 acct-port 1813
    radius-server host 10.12.1.142 auth-port 1812 acct-port 1813
    radius-server retransmit 3
    radius-server key cisco
    line con 0
    line vty 0 4
      password 7 grrfcb7swe
      transport input telnet
    line vty 5 15
    end
    Debug output :
    Switch#
    21:45:02: AAA/AUTHEN/CONT (2947331915): continue_login (user='(undef)')
    21:45:02: AAA/AUTHEN (2947331915): status = GETUSER
    21:45:02: AAA/AUTHEN (2947331915): Method=radius (radius)
    21:45:02: AAA/AUTHEN (2947331915): status = GETPASS
    21:45:06: AAA/AUTHEN/CONT (2947331915): continue_login (user='wrrt\trial1')
    21:45:06: AAA/AUTHEN (2947331915): status = GETPASS
    21:45:06: AAA/AUTHEN (2947331915): Method=radius (radius)
    21:45:07: AAA/AUTHEN (2947331915): status = PASS
    21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Port='tty1' list='' service=EXEC
    21:45:07: AAA/AUTHOR/EXEC: tty1 (284909353) user='wrrt\trial1 '
    21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV service=shell
    21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV cmd*
    21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): found list "default"
    21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Method=radius (radius)
    21:45:07: AAA/AUTHOR (284909353): Post authorization status = FAIL -------------------------#  authorization failed #
    21:45:07: AAA/AUTHOR/EXEC: Authorization FAILED
    21:45:09: AAA/MEMORY: free_user (0xDF12AC) user='wrrt\trial1' ruser='' port='tty1' rem_addr='10.12.7.71' authen_type=ASCII service=LOGIN priv=1
    Switch#
    Switch#
    Do we need to change anything on the Radius server, or can we change the authorization preference to local and then to radius?
    Please share the experience.
    Thanks in advance,
    Subodh

    Hi Subodh,
    I understand that you are trying to use command authorization using RADIUS.
    aaa authorization commands 15 default group radius if-authenticated local
    Command authorization is not supported in RADIUS. RADIUS does not allow users to control which commands can be executed on a router and which cannot.
    Please refer to the following link:
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
    You need to use TACACS+ for configuring command authorization for IOS and PIX/ASA.
    Regards,
    Karthik Chandran
    *kindly rate helpful post*

  • AAA Authorization with RADIUS and RSA SecurID Authentication Manager

    Hi there.
    I am in the process of implementing a new RSA SecurID deployment, and unfortunately the bulk of the IOS devices here do not support the native SecurID (SDI) protocol. The older RSA SecurID deployment version supported TACACS running on the system; now in 8.x it does not. RSA Support and I are having problems getting TACACS working correctly with the new RSA deployment, so the idea turned to possibly just using RADIUS.
    I have setup the RADIUS server-host, and configured the AAA authentication and authorization commands as follows:
    #aaa new-model
    #radius-server host 1.1.1.1 timeout 10 retransmit 3 key cisco123!
    #aaa authentication login default group radius enable
    #aaa authorization exec default group radius local
    I have also tried
    #aaa authorization exec default group radius if-authenticated local
    I can successfully authenticate via SSH to User Mode using my SecurID passcode -- however, when I go to enter Priv Exec mode, it won't take the SecurID passcode - I just get an "access denied".
    I've run tcpdump on the RSA Primary Instance, looking for 1645/1646 traffic, and I don't get anything.
    I've turned on RADIUS debugging on the IOS device, and I don't get anything either.
    I did see this disclaimer in a Cisco doc: "The RADIUS method does not work on a per-username basis." -- not sure if this is related to my issue?
    I'm beginning to wonder if IOS/AAA can't pass the authorization-exec process to RSA SecurID.

    I don't have a solution, but can confirm I have the same problem and am also trying to find a solution.
    I see no data sent to the RSA server when using the wireless AP. With other equipment on the same ACS, I do see the attempts going to the RSA server.
    The first reply doesn't seem to apply to me, since it's not sending a request from the ACS machine to the RSA machine.

  • AAA authorization commands

    Hi All
    Probably I am going to ask a stupid question but I am really confused regarding the purpose of the "aaa authorization commands x default local" command. I understand that if this command is configured, it authorizes each and every command of that level, but in my experience this command is not doing anything. The outcome is the same whether it is configured or not.
    Following is my aaa part config
    username cisco privilege 15 secret cisco 
    aaa new-model
    aaa authentication login default local enable
    aaa authorization exec default local if-authenticated
    aaa authorization commands 15 default local if-authenticated
    Now whether I keep the last command or remove it, username "cisco" is able to use every level 15 command, so my question is, why should I bother configuring this command?
    Would really appreciate your quick reply
    Regards

    Thanks a lot for your quick response. Really appreciate that.
    So does this mean I can safely assume that if I am using the local database then I don't require the "aaa authorization command level" command?
    That is, the following should be the config:
    username cisco privilege 15 secret cisco 
    aaa new-model
    aaa authentication login default local enable
    aaa authorization exec default local if-authenticated
    privilege exec level 15 show   (just an example)
    privilege exec level 15 debug
    I have tested this and it worked fine without using "aaa authorization command level".
    Moreover, regarding the use of an AAA server, my eventual plan is to use TACACS+ but before that, I wanted to get a good grip of AAA functionality and therefore started off with the local user database.
    So you mean to say, if I am using TACACS+ for authentication and authorization purposes and in the ACS Server user "cisco" has been assigned level 15 but with an authorization set of "show" and "debug" only, then by using "aaa authorization commands level" in a router, I can successfully restrict user "cisco" to "debug" and "show" only? In my point of view, I can achieve this anyway (restricting the "cisco" user to only use "show" and "debug") without using "aaa authorization command level" (like I tested with the local database)?
    Will really appreciate your kind response.

  • Slow response on AAA Authorization

    Hi,
    We were configuring AAA to use one of the TACACS servers for authentication, authorization and accounting. When we did so, the command execution response became slow and sometimes even gave the message "authorization failed". We thought there should be useful information on the TACACS server to debug this, but we were not able to find any message like that. Below is the config added; when we remove the AAA configuration the login response and the command execution are good. We checked the path from this router to the TACACS server and it seems good with no packet loss. Your assistance would be really appreciated.
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa session-id common
    tacacs-server host <ip address> timeout 5
    tacacs-server directed-request
    tacacs-server key <key>
    Regards
    Anantha Subramanian Natarajan

    Hi JG,
    Thanks for the reply.
    Actually, I am not sure whether single connect TACACS+ is enabled on our TACACS server or not, but I am just curious as the other router with the same platform and the same configuration details connecting to the same TACACS server is working fine.
    The error message appears frequently and at least is not specific to some command. In fact every other time, it gives the error.
    Our TACACS and SNMP engineer is suggesting to change the IOS as it seems to have an identified bug related to SNMP, and hopefully we are planning to do the same.
    Meantime, if you know something more precise, any suggestions would be hugely appreciated.
    Thanks
    Regards
    Anantha Subramanian Natarajan

  • AAA authorization exec explanation please....thank you

    If I have this:
    aaa authentication login default group tacacs+ local line none
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local none
    username localadmin password 7 xxxxxxxxxxxx
    enable secret 5 xxxxxxxxxxxxxxxx
    And all tacacs+ servers are unreachable.
    Authentication will revert to local, so I would need to use the locally defined username localadmin to access the unit. Correct?
    If I can log in using the local username, doesn't the authorization exec fail, so I cannot get an exec shell as I have no locally defined authorization set up?
    If so, how do I set it up so I can log in locally (which I think I have set up), but can also get into enable mode if the tacacs+ server(s) are down?
    Is the exec shell the privileged mode, or just the shell you get when you log in, where you need to execute an enable command to get to the exec shell?
    Thanks
    Gene

    Gene
    I believe that exec shell is the exec that you get when you login and not the privilege level. I usually configure authentication as you have done and it works well - whether the TACACS server is available or not. I generally configure authorization this way:
    aaa authorization exec default group tacacs+ if-authenticated
    and find that it works well - whether the TACACS server is available or not.
    HTH
    Rick

  • AAA authorization with ACS 3.2

    I'm trying to configure my devices to use shell command authorization sets located on my ACS box. I want users that are members of a specific group to only be allowed certain commands (e.g. show). I'm pretty sure my ACS box is set up correctly, but my devices aren't. Here is the current config:
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    I want the aaa authorization to use tacacs on my ACS box and whatever shell commands sets that are group specific when a user that is a member of that group logs in.

    Marek
    1) it is good to know that authentication is working and does fail over to the enable password. This helps assure that the problem that we are dealing with is not an issue of failure to communicate.
    2) it is not necessary that the router mirror the groups that are configured on the server. So unless you want to specify authentication or authorization processing different from default then you do not need level1 to be mentioned on the router.
    I agree that there is not a lot of clear documentation about authorization. One of the purposes of this forum is to allow people to ask questions about things that they do not yet understand and hopefully to get some helpful answers. As you get more experience and understand more then you may be able to participate in the forum and providing answers in addition to asking questions.
    3) As I read your config authentication does have a backup method and authorization does not. I am a proponent of having backup methods configured. As long as the server is available you do not need them. But if they are not configured and the server is not available you can manage to lock yourself out of the router.
    I can understand removing them while you concentrate on why the authorization is not working (though I would not do it that way) but I strongly suggest that you plan to put the backups in before you put anything like this into production.
    4) the fact that both users log in and are already at privilege level 15 may be a clue. Look in the config under the console and under the vty ports. Look for this configuration command privilege level 15. If it is there remove it and test over again.
    HTH
    Rick

  • Aaa authorization console command

    Hi,
    I don't really understand the need for the command "aaa authorization console".
    We indeed often configure these lines, which according to me are already applied by default to VTY, Console, etc.:
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    Am I wrong? Or do these lines apply only to the VTY lines?
    Thanks in advance

    I learned about this lockout from the console today the hard way.
    we use as standard
    aaa authentication login default group tacacs+ enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization exec default local group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    and I missed the trailing "if-authenticated" in the line "aaa authorization exec default local group tacacs+ if-authenticated"; unfortunately the tacacs server also wasn't reachable.
    So there was no way to log in without the hard way: rebooting and reconfiguring again.

  • AAA problems PIX/ASA

    Hello
    I have a problem with authentication on my network. Here I have support level 2 and level 3.
    Level 2 support has restricted access to some switches and routers, and on the firewalls they can only issue "show"; the problem is that this is not happening.
    On the ACS I configured shell command authorization for the commands on switches and routers for these level 2 users, and for the PIX / ASA shell commands I set only the commands Enable and Show.
    My problem is that even when level 2 support tries to access the PIX and ASA on my network, they get the authorization for routers and switches; they do not use the parameters that I set up for the PIX and ASA shell.
    The only authorization line on my firewalls is this one below:
    aaa authorization command TACACS+ LOCAL
    Do I have to configure anything else?
    I cannot create a command line only for the firewalls.
    Am I missing something?
    my firewall and IOS versions:
    Pix: 6.3
    ASA 6x, 7x, 8x
    thanks for help

    My problem is that my ACS v4.2 is not able to distinguish the PIX / ASA shell commands from the others. The same shell commands used on the switches are being applied on the firewalls.
    Is there a way to create separate privileges between switches and firewalls?
    Output from the routers and firewalls below. Switches and routers are the same.
    switches
    aaa authentication login ACS-AUTH group ACS-TACACS local
    aaa authorization config-commands
    aaa authorization exec ACS-AUTH group ACS-TACACS local
    aaa authorization commands 15 default group ACS-TACACS local
    aaa accounting exec default start-stop group ACS-TACACS
    aaa accounting commands 15 default start-stop group ACS-TACACS
    firewalls
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (transit) host x.x.x.x
    aaa-server RADIUS protocol radius
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication http console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa accounting enable console TACACS+
    aaa accounting ssh console TACACS+
    aaa accounting command privilege 15 TACACS+

  • Aaa authorization commands for pix 535

    Hi ,
    Can you provide the aaa authorization commands for a PIX 535?
    Sanjay Nalawade.

    Hi,
    Please find the AAA config for PIX.
    aaa-server TACACS+ protocol tacacs+
    max-failed-attempts 5
    aaa-server TACACS+ (ExranetFW-In) host
    timeout 5
    key ********
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication serial console TACACS+ LOCAL
    aaa authentication http console TACACS+ LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa authorization command LOCAL
    aaa accounting command privilege 15 TACACS+
    aaa authorization exec authentication-server
    Karuppuchamy

  • Command execution get very slow when AAA Authorization enable on ASR 1006

    Without authorization I am able to work smoothly with just a click on the ASR, but once I enable authorization it takes many seconds to move to the next command (for example, if I hit config t or int gi1/0/1, it takes time to move to the next command level).
    This authorization issue I am facing only on the ASR; for other Cisco switches and routers it's working fine with just a click.
    Did anyone face such an issue, and how was it fixed?
    See the show version for the ASR:
    Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.1(2)S, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Thu 24-Mar-11 23:32 by mcpre
    Cisco IOS-XE software, Copyright (c) 2005-2011 by cisco Systems, Inc.
    All rights reserved.  Certain components of Cisco IOS-XE software are
    licensed under the GNU General Public License ("GPL") Version 2.0.  The
    software code licensed under GPL Version 2.0 is free software that comes
    with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
    GPL code under the terms of GPL Version 2.0.  For more details, see the
    documentation or "License Notice" file accompanying the IOS-XE software,
    or the applicable URL provided on the flyer accompanying the IOS-XE
    software.
    ROM: IOS-XE ROMMON
    NOITDCRTRCORP01 uptime is 10 weeks, 6 days, 1 hour, 16 minutes
    Uptime for this control processor is 10 weeks, 6 days, 1 hour, 19 minutes
    System returned to ROM by reload
    System restarted at 17:47:32 IST Thu Oct 4 2012
    System image file is "bootflash:/asr1000rp1-advipservicesk9.03.03.00.S.151-2.S.bin"
    Last reload reason: EHSA standby down
    AAA Commands on ASR 1006
    aaa new-model
    aaa group server tacacs+ tacgroup
    server 10.48.128.10
    server 10.72.160.10
    ip vrf forwarding Mgmt-intf
    ip tacacs source-interface GigabitEthernet0
    aaa authentication login default group tacgroup local
    aaa authentication enable default group tacgroup enable
    aaa accounting exec default start-stop group tacgroup
    aaa accounting commands 1 default start-stop group tacgroup
    aaa accounting commands 15 default start-stop group tacgroup
    aaa accounting connection default start-stop group tacgroup
    aaa accounting system default start-stop group tacgroup
    aaa authorization commands 0 default group tacgroup none
    aaa authorization commands 1 default group tacgroup none
    aaa authorization commands 15 default group tacgroup none
    aaa session-id common
    tacacs-server host 10.48.128.10 key 7 13351601181B0B382F04796166
    tacacs-server key 7 053B071C325B411B1D25464058

    I think your issue may be related to your tacacs server. If you re-order the two servers (typically a 5 second timer before failover occurs) and see if that improves your performance:
    server 10.48.128.10
    server 10.72.160.10
    to
    server 10.72.160.10
    server 10.48.128.10
    You can try to debug the issue by referring to the command reference guide, i.e. debug tacacs. You can also try to telnet to both IP addresses on port 49 to see if the connection opens, in order to rule out issues where a firewall or routing to one of the tacacs servers is failing. I also noticed you have the shared secret and tacacs server defined for one of the servers; is the same present for the other server that is in the server group?
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • "authorization exec" on PIX/ASA

    I'm seeing posts that hit all around my questions, and based on my interpretation of the documentation it appears that there is no "shell exec" authorization available to the PIX when configured to use a TACACS+ server for authentication. Is this true? The problem I have is that whenever I create a new username in SecureACS that user (w/default settings) is immediately able to login and get a shell prompt on our PIX and ASA devices. I see no means (other than a NAR) that will restrict the user from getting a shell. Am I missing something?
    I know I can do command authorization, but exec authorization seems to be a glaringly missing feature.
    For example, how do I allow a user to be authenticated for a WebVPN session (via TACACS), but not be allowed to login via SSH for administration?

    Hi,
    Yes, you are correct, currently there is no shell exec on PIX/ASA like we have on all routers and switches. In case you are using TACACS+ for WebVPN and don't want to allow them to log in via SSH for administration, probably you can try the same logic that is used in Access Points.
    Actually what happens is, if you have ever come across MAC authentication on APs: on the local database of the AP, user accounts are created using the MAC address as username/password. But the interesting thing is, they have *autocommand* at the end, i.e.
    username xxxx password xxxx
    username xxxx autocommand exit
    So what actually happens here is, though the user is authenticated, if that user tried to use their MAC address to log into the AP [if they think they are clever enough], then they will log in and will be kicked out automatically.
    Haven't tried this yet, but probably we can use the same logic with PIX/ASA, making use of "auto command" under "TACACS+ Settings" for a group/user.
    Probably I'll do a small re-create of it and will let you know; you try at your end.
    Regards,
    Prem

  • Aaa authorization (device doesn't always go into enable mode)

    When I log into the 4500 switch with my domain account, I get priv 1 only and have to “enable” with the local enable password to get to priv 15. How do I set this up to get directly to enable? The ACS 5.1 is set up with an authorization/shell profile for Priv 15, no problems there.
    2821-RTR2#show run | incl aaa
    aaa new-model
    aaa authentication login default group tacacs+ local enable
    aaa authentication login CONSOLE local-case line
    aaa authorization exec default group tacacs+ none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common
    4500 that drops into enable mode
    4500-SW1#show run | incl aaa
    aaa new-model
    aaa authentication login default group tacacs+ local enable
    aaa authentication login CONSOLE local-case line
    aaa authorization exec default group tacacs+ none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common

    On the non-working device enable:
    debug aaa authen
    debug aaa author
    debug tacacs
    and post the results.
    Also, on ACS 5.1 review the details for the authen/author on both the working and non-working devices and see if the desired shell profile is picked for the non-working device.
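As an added example (not code from any of the posts above), a small Python linter that applies the checks the replies in the "AAA authorization not working", "AAA authorization with ACS 3.2" and "Aaa authorization console command" threads make by hand: RADIUS cannot do per-command authorization, a method list that ends on the server group has nothing to fall back to when the server is unreachable, and a terminal `none` authorizes everyone. It understands IOS-style `aaa authentication` / `aaa authorization` lines only, and the sample config is constructed from those posts.

```python
"""Lint Cisco IOS AAA method lists for the pitfalls raised in the thread: RADIUS used for
command authorization, lists with no fallback behind the server group, and 'none' as
the terminal method. IOS syntax only; PIX/ASA 'aaa ... console' lines are not parsed."""
from dataclasses import dataclass

# Terminal / fallback methods that appear in the thread's configurations.
KNOWN_METHODS = {"local", "local-case", "enable", "line", "none", "if-authenticated"}


@dataclass
class MethodList:
    kind: str       # e.g. "authentication login", "authorization commands 15"
    name: str       # "default" or a named list
    methods: list   # ordered methods, e.g. ["group tacacs+", "if-authenticated"]
    line: str       # original config line, for reporting


def parse_methods(tokens):
    """Fold 'group <name>' into one method so ordering checks see a single token."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_aaa(config_text):
    """Return the authentication/authorization method lists found in an IOS config."""
    lists = []
    for raw in config_text.splitlines():
        t = raw.split()
        if len(t) < 4 or t[0] != "aaa" or t[1] not in ("authentication", "authorization"):
            continue  # accounting, 'aaa authorization console', 'config-commands', etc.
        if t[1] == "authorization" and t[2] == "commands":
            if len(t) < 5:
                continue
            ml = MethodList(f"authorization commands {t[3]}", t[4], parse_methods(t[5:]), raw.strip())
        else:
            ml = MethodList(f"{t[1]} {t[2]}", t[3], parse_methods(t[4:]), raw.strip())
        lists.append(ml)
    return lists


def lint(lists):
    """Return (config line, severity, message) findings, in config order."""
    findings = []
    for ml in lists:
        groups = [m for m in ml.methods if m.startswith("group ")]
        last = ml.methods[-1] if ml.methods else None
        is_author = ml.kind.startswith("authorization")
        # 1. RADIUS has no per-command authorization; only TACACS+ can enforce command sets.
        if ml.kind.startswith("authorization commands") and "group radius" in groups:
            findings.append((ml.line, "ERROR", "command authorization is not supported over RADIUS; use TACACS+"))
        # 2. A server group as the last method: an unreachable server (ERROR) has nothing to fall back to.
        if groups and last in groups:
            findings.append((ml.line, "ERROR", "no fallback after the server group: an unreachable server locks you out"))
        # 3. 'local' as the only authorization fallback works just for users in the local database.
        if is_author and groups and last == "local" and not {"if-authenticated", "none"} & set(ml.methods):
            findings.append((ml.line, "WARN", "fallback is 'local' only; server-authenticated users absent from the local database are still denied"))
        # 4. 'none' skips authorization entirely for anyone who reaches it.
        if is_author and last == "none":
            findings.append((ml.line, "WARN", "terminal 'none' grants full authorization whenever the server does not answer"))
        # 5. Anything that is neither a group nor a known keyword is probably a typo (e.g. 'grouptacacs+').
        for m in ml.methods:
            if not m.startswith("group ") and m not in KNOWN_METHODS:
                findings.append((ml.line, "ERROR", f"unrecognised method '{m}' (typo?)"))
    return findings


# Constructed sample: the 'aaa authorization console' poster's standard with the
# if-authenticated they missed, plus the RADIUS command line from the Subodh thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default local group tacacs+
aaa authorization commands 15 default group radius if-authenticated local
aaa authorization commands 1 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
"""

if __name__ == "__main__":
    for line, sev, msg in lint(parse_aaa(SAMPLE_CONFIG)):
        print(f"{sev:5} {line}\n      -> {msg}")
```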
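Added example, not from the thread: a parser for the `debug aaa authentication` / `debug aaa authorization` output Subodh posted in "AAA authorization not working", correlating the authentication and authorization transactions of each user so the "access approved / authorization failed" pattern is surfaced automatically. The sample lines are the ones quoted in that post, and the line format assumed is the one those lines show.

```python
"""Correlate Cisco IOS 'debug aaa authentication' / 'debug aaa authorization' output
into one verdict per user: did login pass, and what did exec authorization return?"""
import re
from collections import defaultdict

# Assumed shape of a debug line, taken from the output quoted in the thread:
#   "<time>: [tty] AAA/<FACILITY>[/<sub>][: <word>] (<transaction id>)[:] <rest>"
LINE_RE = re.compile(r"^(\S+): (?:\S+ )?(AAA/[\w/]+)(?:: \S+)? \((\w+)\):? ?(.*)$")
USER_RE = re.compile(r"user='([^']*)'")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Debug output as posted in the thread (raw string: the username contains a backslash).
# The '#  authorization failed #' tail is the poster's own annotation.
SAMPLE_DEBUG = r"""
21:45:02: AAA/AUTHEN/CONT (2947331915): continue_login (user='(undef)')
21:45:02: AAA/AUTHEN (2947331915): status = GETUSER
21:45:02: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:02: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN/CONT (2947331915): continue_login (user='wrrt\trial1')
21:45:06: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:07: AAA/AUTHEN (2947331915): status = PASS
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Port='tty1' list='' service=EXEC
21:45:07: AAA/AUTHOR/EXEC: tty1 (284909353) user='wrrt\trial1 '
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV service=shell
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV cmd*
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): found list "default"
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Method=radius (radius)
21:45:07: AAA/AUTHOR (284909353): Post authorization status = FAIL -------------------------#  authorization failed #
21:45:07: AAA/AUTHOR/EXEC: Authorization FAILED
21:45:09: AAA/MEMORY: free_user (0xDF12AC) user='wrrt\trial1' ruser='' port='tty1' rem_addr='10.12.7.71' authen_type=ASCII service=LOGIN priv=1
"""


def parse_debug(text):
    """Group lines by AAA transaction id; record user, method and the last status seen."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompts, the 'Authorization FAILED' summary line, blanks
        ts, facility, sid, rest = m.groups()
        s = sessions[sid]
        s["facility"] = facility.split("/")[1]  # AUTHEN, AUTHOR or MEMORY
        s.setdefault("first_seen", ts)
        u = USER_RE.search(rest)
        if u and u.group(1) != "(undef)":
            s["user"] = u.group(1).strip()
        if rest.startswith("Method="):
            s["method"] = rest.split()[0].split("=", 1)[1]
        if "status = " in rest:  # GETUSER -> GETPASS -> PASS/FAIL; the last one is the verdict
            s["status"] = rest.split("status = ", 1)[1].split()[0]
        for key, val in KV_RE.findall(rest):
            if key.lower() in ("service", "port", "rem_addr", "priv"):
                s.setdefault(key.lower(), val.strip("'"))  # first value wins (EXEC, not the AV 'shell')
    return dict(sessions)


def verdicts(sessions):
    """Join each user's AUTHEN and AUTHOR transactions (the ids differ; the username is the link)."""
    by_user = defaultdict(lambda: {"authen": None, "author": None, "rem_addr": None})
    for s in sessions.values():
        user = s.get("user")
        if not user:
            continue
        rec = by_user[user]
        if s["facility"] == "AUTHEN":
            rec["authen"] = (s.get("method"), s.get("status"))
        elif s["facility"] == "AUTHOR":
            rec["author"] = (s.get("service"), s.get("method"), s.get("status"))
        if "rem_addr" in s:
            rec["rem_addr"] = s["rem_addr"]
    return dict(by_user)


def diagnose(rec):
    """Turn a user's record into the one-line explanation the thread was after."""
    authen, author = rec["authen"], rec["author"]
    if authen and authen[1] == "PASS" and author and author[2] == "FAIL":
        return (f"authenticated via {authen[0]} but {author[0]} authorization was denied by {author[1]}: "
                "FAIL (as opposed to ERROR) means the server answered with a deny, so later methods such "
                "as if-authenticated or local are never consulted; fix the shell profile on the server")
    if author and author[2] == "ERROR":
        return "authorization method returned ERROR (server unreachable?); the next method in the list is tried"
    return "no problem detected"


if __name__ == "__main__":
    for user, rec in verdicts(parse_debug(SAMPLE_DEBUG)).items():
        print(f"{user} from {rec['rem_addr']}: {diagnose(rec)}")
```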
