How to solve authorization errors in TACACS+

Document ID : KB000097890
Last Modified Date : 06/06/2018
Question:
I have configured TACACS+ integration in PAM, but no matter what user I am using I always get an authorization failure. What can I do?
Answer:
The group that ACS returns must exactly match the one defined in CA PAM. Suppose you have created a group in PAM named your_pam_user_group, and a group with the same name also exists in TACACS+. We will demonstrate this for Cisco ACS 5.6; other versions have a similar procedure.

To verify that the right group is returned to PAM, log in to the ACS server and navigate to:

CiscoACS > Access Policies > Access Services > your_pam_user_group > Group Mapping

You'll see that Identity Group is set to "All Groups". Next, find the authorization rule that matches "All Groups":

Access Policies > Access Services > Default Device Admin > Authorization > Rule-<Name>

This rule returns the <Name> shell profile.

Then navigate to

Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles > Edit: "<Name>"

and select "Custom attributes"; the value of the "group" attribute is shown there.

This is the group that TACACS+ returns to PAM. In this case, make sure it is your_pam_user_group.

Either make sure the shell profile returns the correct group to PAM, or create a group in PAM whose name exactly matches the "group" attribute value in the <Name> shell profile.
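To make the "must match exactly" rule concrete, here is an added example (not part of this KB article, and not CA PAM or Cisco ACS code) that parses the attribute-value pairs a TACACS+ authorization reply carries, picks out the "group" attribute, and reports why it would not match a PAM group. It assumes an exact, case-sensitive string comparison, as the KB's wording implies, and the reply and PAM group list below are constructed samples. The separator handling follows RFC 8907, where "=" marks a mandatory attribute and "*" an optional one.

```python
"""Check whether the 'group' attribute in a TACACS+ authorization reply
matches a group defined in CA PAM.

Added example; not code from the KB article, CA PAM or Cisco ACS.
Per RFC 8907 an AV pair uses '=' for a mandatory attribute and '*' for
an optional one. All sample data below is constructed.
"""

from dataclasses import dataclass

# Constructed sample: AV pairs as they would appear under the shell
# profile's "Custom attributes". The group value deliberately differs
# from the PAM group only in case, a common cause of this failure.
SAMPLE_REPLY_AVPAIRS = ["priv-lvl=15", "group=Your_PAM_User_Group"]

# Constructed sample: group names defined on the PAM side.
PAM_GROUPS = ["your_pam_user_group", "pam_admins"]


@dataclass
class AVPair:
    name: str
    value: str
    mandatory: bool


def parse_avpair(raw: str) -> AVPair:
    """Split one TACACS+ AV pair on the first '=' or '*' separator."""
    for i, ch in enumerate(raw):
        if ch in "=*":
            return AVPair(raw[:i], raw[i + 1:], ch == "=")
    raise ValueError(f"not an AV pair: {raw!r}")


def returned_group(avpairs):
    """Return the value of the 'group' attribute, or None if absent."""
    for raw in avpairs:
        pair = parse_avpair(raw)
        if pair.name == "group":
            return pair.value
    return None


def diagnose(avpairs, pam_groups):
    """Return 'ok' on an exact match, otherwise a reason for the failure.

    Assumption: PAM compares the returned group name exactly
    (case-sensitive, no surrounding whitespace)."""
    group = returned_group(avpairs)
    if group is None:
        return "no 'group' attribute in the shell profile's custom attributes"
    if group in pam_groups:
        return "ok"
    # Near misses that are easy to overlook in the ACS GUI
    for candidate in pam_groups:
        if group.strip() == candidate:
            return f"'{group}' has leading/trailing whitespace; PAM has '{candidate}'"
        if group.lower() == candidate.lower():
            return f"'{group}' differs from PAM group '{candidate}' only in case"
    return f"'{group}' is not defined in PAM; define it or change the shell profile"


if __name__ == "__main__":
    print(diagnose(SAMPLE_REPLY_AVPAIRS, PAM_GROUPS))
```

Run as-is, it reports that the returned group differs from the PAM group only in case; swapping the sample AV pair for `group=your_pam_user_group` yields `ok`.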