I have configured TACACS+ integration in PAM, but no matter what user I am using I always get an authorization failure. What can I do?
The group that ACS returns must match exactly the one defined in CA PAM. Let's assume you have created in PAM a group named your_pam_user_group, and that a group of the same name exists on the TACACS+ side. We will demonstrate this for Cisco ACS 5.6, but other versions will have a similar procedure.
To verify that the right group is returned to PAM, access the ACS server and navigate to:
CiscoACS > Access Policies > Access Services > your_pam_user_group > Group Mapping
You'll see that Identity group is set to "All Groups". Then navigate to
Access Policies > Access Services > Default Device Admin > Authorization > Rule-<Name>
and note that the rule for "All Groups" returns the <Name> shell profile.
Then navigate to
Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles > Edit: "<Name>"
and select "Custom attributes"; you'll see the "group" attribute value.
This is the group that TACACS+ will return. In this case you want to make sure it is your_pam_user_group.
You need to make sure either that the shell profile returns the right group to PAM, or that a group is created in PAM with exactly the same name as the group attribute value of the <Name> shell profile.
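The following is an added diagnostic example, not CA PAM or Cisco ACS code: it parses the attribute-value pairs of a TACACS+ authorization reply (the "attr=value" mandatory and "attr*value" optional forms), checks whether the "group" attribute exactly matches a PAM-defined group, and reports case or whitespace near-misses, which are the usual reason the names "look the same" but PAM still rejects the user. The sample reply and group list are constructed.

```python
"""Diagnose why a TACACS+ authorization reply fails PAM's group match.

Constructed example, not CA PAM or Cisco ACS code. It assumes the ACS shell
profile sends the group as a TACACS+ attribute-value pair named "group"
(as the article describes) and that PAM requires an exact string match.
"""
from typing import Dict, List, Tuple

# Constructed sample: AV pairs as they appear in a TACACS+ authorization
# REPLY body. "=" marks a mandatory attribute, "*" an optional one.
SAMPLE_REPLY_AVPAIRS = ["priv-lvl=15", "group=Your_PAM_User_Group "]

# Constructed sample: groups defined on the PAM side.
PAM_GROUPS = ["your_pam_user_group", "pam_admins"]


def parse_avpairs(avpairs: List[str]) -> Dict[str, Tuple[str, bool]]:
    """Map attribute name -> (value, mandatory) for each TACACS+ AV pair."""
    parsed: Dict[str, Tuple[str, bool]] = {}
    for pair in avpairs:
        # The first "=" or "*" separates name from value; "=" means mandatory.
        idx = min((i for i, c in enumerate(pair) if c in "=*"), default=-1)
        if idx <= 0:
            continue  # malformed pair: no separator or empty attribute name
        parsed[pair[:idx]] = (pair[idx + 1:], pair[idx] == "=")
    return parsed


def diagnose_group(avpairs: List[str], pam_groups: List[str]) -> str:
    """Return "ok" or a short reason why PAM would reject the authorization."""
    attrs = parse_avpairs(avpairs)
    if "group" not in attrs:
        return "missing: shell profile returns no 'group' attribute"
    value, _mandatory = attrs["group"]
    if value in pam_groups:
        return "ok"
    # Near miss: same name apart from case or stray whitespace. PAM compares
    # exactly, so these still fail, but they point straight at the fix.
    normalized = value.strip().lower()
    for g in pam_groups:
        if g.strip().lower() == normalized:
            return f"near-miss: ACS returned {value!r}, PAM has {g!r}"
    return f"mismatch: ACS returned {value!r}, not defined in PAM"


if __name__ == "__main__":
    print(diagnose_group(SAMPLE_REPLY_AVPAIRS, PAM_GROUPS))
```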