Thank you to Chris Evans for this sample (and tested) config:
Cisco ACS has a built-in list of known IOS commands. Under my user group I had the authorization set to none, but it still rejected the Comware commands. I had to change the ‘shell command authorization set’ to ‘per group command authorization’ and then told it to permit unmatched commands.
*I’m on ACS version 4.1.1(23) so
the experience might be different for newer versions.*
Final working config:
# TACACS+ scheme: server address, source IP and a per-function shared key.
# The key must match ACS exactly, or every request body fails to decode.
hwtacacs scheme tacacs+
 primary authentication x.x.x.x
 primary authorization x.x.x.x
 primary accounting x.x.x.x
 nas-ip <src IP>
 key authentication <password>
 key authorization <password>
 key accounting <password>
 user-name-format without-domain
#
# ISP domain that binds the scheme to AAA, with local fallback if the server is unreachable.
# Caveat (not part of the original config): a login without an @domain suffix lands in the
# switch's default domain, so either log in as user@aaa or make this the default with
# 'domain default enable aaa'; 'display domain' shows which one is active.
domain aaa
 authentication default hwtacacs-scheme tacacs+ local
 authorization default hwtacacs-scheme tacacs+ local
 accounting default hwtacacs-scheme tacacs+ local
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
# VTY lines: AAA-based login, plus per-command authorization and accounting via the scheme.
user-interface vty 0 4
 authentication-mode scheme
 command authorization
 command accounting
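To see why ACS has to be told what to do with commands it does not recognise, it helps to look at what the switch actually sends for each command once `command authorization` is on. The following is an added example, not code from the post or from HP/H3C: it builds and parses a TACACS+ authorization REQUEST as specified in RFC 8907, including the MD5 pseudo-pad body obfuscation keyed with the `key authorization` secret. The attribute names (`service=shell`, `cmd=display`, `cmd-arg=...`) follow the RFC's shell-service convention; the exact argument split a Comware box uses for a given command is an assumption, as are the sample key, user, port and session ID.

```python
import hashlib
import struct

# RFC 8907 values (names are this example's own).
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHOR = 0x02                 # packet type: authorization
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_FMT = "!BBBBII"                 # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)

# Constructed sample values, matching the post's placeholders in spirit only.
SAMPLE_KEY = b"password"               # the 'key authorization' secret
SAMPLE_ARGS = ["service=shell", "cmd=display", "cmd-arg=current-configuration", "cmd-arg=<cr>"]


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream from RFC 8907 section 4.5: MD5(session_id|key|version|seq_no[|prev])."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or de-obfuscate a body; XOR with the pad is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_body(user, port, rem_addr, args, priv_lvl):
    """Authorization REQUEST body: 8 fixed bytes, arg length table, then the strings."""
    enc = [a.encode() for a in args]
    if len(enc) > 255 or any(len(a) > 255 for a in enc):
        raise ValueError("argument count and each argument must fit in one byte")
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(enc))
    return fixed + bytes(len(a) for a in enc) + user.encode() + port.encode() + rem_addr.encode() + b"".join(enc)


def build_author_request(session_id, seq_no, key, user, port, rem_addr, args, priv_lvl=1):
    """Full packet as the switch would put it on the wire: clear header, obfuscated body."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    body = build_author_body(user, port, rem_addr, args, priv_lvl)
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, version, seq_no)


def parse_author_request(packet, key):
    """Server-side view: de-obfuscate with the shared key and decode. Returns None on any inconsistency,
    which is what a wrong key produces (the lengths no longer add up)."""
    if len(packet) < HEADER_LEN:
        return None
    version, ptype, seq_no, _flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHOR or len(packet) != HEADER_LEN + length or length < 8:
        return None
    body = xor_body(packet[HEADER_LEN:], session_id, key, version, seq_no)
    meth, priv_lvl, _atype, _svc, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
    off = 8
    arg_lens = list(body[off:off + argc])
    off += argc
    if meth != TAC_PLUS_AUTHEN_METH_TACACSPLUS or len(arg_lens) != argc:
        return None
    if off + ulen + plen + rlen + sum(arg_lens) != len(body):
        return None
    try:
        user = body[off:off + ulen].decode(); off += ulen
        port = body[off:off + plen].decode(); off += plen
        rem_addr = body[off:off + rlen].decode(); off += rlen
        args = []
        for n in arg_lens:
            args.append(body[off:off + n].decode()); off += n
    except UnicodeDecodeError:
        return None
    return {"priv_lvl": priv_lvl, "user": user, "port": port, "rem_addr": rem_addr, "args": args}


def demo(key=SAMPLE_KEY):
    """Encode one command-authorization request and decode it with the given key."""
    pkt = build_author_request(0x1234ABCD, 1, SAMPLE_KEY, "admin", "vty0", "10.0.0.5", SAMPLE_ARGS)
    return parse_author_request(pkt, key)


if __name__ == "__main__":
    print(demo())                 # decoded request with the right key
    print(demo(b"wrong-key"))     # None: body does not decode to a consistent structure
```

The `cmd`/`cmd-arg` pairs are exactly what ACS matches against its IOS command list; a command like `display` has no IOS equivalent, so without "permit unmatched commands" the server's reply is a deny. The same key-derived pad also shows why `key authentication`, `key authorization` and `key accounting` each have to agree with the server: a mismatch on any one of them breaks only that packet type, which can look like a confusing partial failure.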