Julio,
The config below seems to be missing some more lines related to the
privilege level. Although you are using ACS to authorize these commands,
you still need to configure them on the IOS router at that privilege level.
I know it sounds weird as this would be a duplicated effort but that's just
the way it works. So say for example, I need to authorize RIP configuration
with the command "router rip", I will have to add this configuration to yours
(of course this will also be part of the authorize set config on ACS):
R1(config)#privilege exec level 2 configure terminal
R1(config)#privilege configure ?
  all    All suboption will be set to the same level
  level  Set privilege level of command
  reset  Reset privilege level of command
R1(config)#privilege configure level 2 router rip
R1(config)#
R1(config)#do sh run | i privi
privilege configure level 2 router
privilege exec level 2 configure terminal
privilege exec level 2 configure
Try that out and let us know if it works...
HTH,
Sadiq
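To make the point above concrete, here is a small added model (not from this thread, and not IOS code) of the two checks a level-2 user's command must pass: first the router's own privilege-level table, then the ACS shell command set. It assumes, as a simplification, that unlisted commands default to level 15 and that only "show" is built in at level 1; the command sets are constructed for the demo.

```python
# Added example: why an ACS command set alone is not enough. IOS only sends a
# command to TACACS+ for authorization if the user's privilege level can reach
# it locally, so the local "privilege ... level N ..." lines must exist too.

# Simplified stand-in for IOS built-in levels (assumption: only "show" at 1).
BUILTIN = {("exec", "show"): 1}
DEFAULT_LEVEL = 15  # assumption: everything not listed lives at level 15


def parse_privilege_config(lines):
    """Build {(mode, command): level} from 'privilege <mode> level <n> <cmd>'."""
    table = dict(BUILTIN)
    for line in lines:
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "privilege" and parts[2] == "level":
            mode, level, cmd = parts[1], int(parts[3]), " ".join(parts[4:])
            table[(mode, cmd)] = level
    return table


def local_level(table, mode, command):
    """Level the router requires: longest configured prefix wins, else default."""
    words = command.split()
    for n in range(len(words), 0, -1):
        prefix = " ".join(words[:n])
        if (mode, prefix) in table:
            return table[(mode, prefix)]
    return DEFAULT_LEVEL


def authorize(table, acs_permit, user_level, mode, command):
    """Return (allowed, reason). Local level is checked before ACS, as on IOS."""
    needed = local_level(table, mode, command)
    if user_level < needed:
        return False, f"level {user_level} cannot reach '{command}' (needs {needed}); never sent to ACS"
    if command not in acs_permit:
        return False, f"ACS command set does not permit '{command}'"
    return True, "permitted by local privilege level and by ACS"


# Constructed scenario: ACS permits "router rip" for level-2 users.
ACS_LEVEL2_SET = {"configure terminal", "router rip", "show privilege"}
WITHOUT_LOCAL_LINES = parse_privilege_config([])  # the original config
WITH_LOCAL_LINES = parse_privilege_config([
    "privilege exec level 2 configure terminal",
    "privilege configure level 2 router rip",
])

if __name__ == "__main__":
    for table in (WITHOUT_LOCAL_LINES, WITH_LOCAL_LINES):
        print(authorize(table, ACS_LEVEL2_SET, 2, "configure", "router rip"))
```

Running it shows "show privilege" working and "router rip" failing in the original config, and "router rip" passing once the local privilege lines are added.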
On Tue, Sep 8, 2009 at 9:48 AM, Julio Carrasco <julio.carrasco_at_ya.com> wrote:
> Hi all,
>
> I have configured a Cisco 7609 router, with aaa, and everything seems to be
> working fine except for the authorization for commands:
>
> My configuration is like that:
>
> aaa new-model
> aaa authentication login default group tacacs+ local
> aaa authorization exec default group tacacs+ local
> aaa authorization commands 2 default group tacacs+ local
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 1 default start-stop group tacacs+
> aaa accounting commands 3 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
> aaa session-id common
> ip tacacs source-interface Loopback1
> tacacs-server host 192.168.100.1 timeout 5
> tacacs-server key 7 xxxxxxxxxxxxxxxx
>
> I have created a user in a group with privilege level 2, on the TACACS
> server (an ACS 4.2), and I have applied a shell authorization set for this
> group of level 2 users, with just a few commands, to test if the
> authorization for the commands is got from the ACS server.
> It seems that it is not working, so if I log in on the router with the
> level 2 user and issue the "show privilege" command, I see that the
> privilege is 2, as I configured on the TACACS+ server. But when I try to
> issue the commands that I included in the shell command set, it doesn't
> allow me.
>
> Does anyone have a clue why my configuration is not working???
>
> Best regards and thanks in advance !!!
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
--
CCIE #19963

Received on Tue Sep 08 2009 - 11:10:09 ART
This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:02 ART