https://community.cisco.com/t5/network-access-control/aaa-radius-and-privilege-levels/m-p/1683152#M247600 <HTML><HEAD></HEAD><BODY><P>Yes you can do it by using Tacacs or Radius:</P><P></P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ enable</P><P>aaa authorization exec default group tacacs+ none</P><P></P><P>You need to manually define all the commands for users in privilege level 7 using "privilege" commands.</P><P>For ex:</P><P>privilege interface level 7 shutdown</P><P>privilege configure level 7 interface</P><P>privilege exec level 7 conf t</P><P>privilege exec level 7 write memory</P><P>privilege exec level 7 reload</P><P>privilege exec level 7 show run</P><P></P><P> Then you need to configure Tacacs/Radius server to return privilege level 7:</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml">http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml</A></P><P></P><P>Zhenning</P></BODY></HTML> Thu, 14 Jul 2011 20:47:37 GMT zhenningx 2011-07-14T20:47:37Z https://community.cisco.com/t5/network-access-control/aaa-radius-and-privilege-levels/m-p/1683151#M247583 <P><SPAN style="font-size: 12pt;">Is it possible to set up Exec level privleges and their associated commands in RADIUS? I am looking to set up a sub level, say 7, with limited CLI privileges. I can do this locally but want to have the person telnet to router, get authenticated by RADIUS with their normal login ID and password ( like they do everyday when logging into their desktop), and then have them be able to get on the CLI with the corresponding privilege level 7 and limited commands. Is this possible and if so how?</SPAN></P> Mon, 11 Mar 2019 01:13:25 GMT https://community.cisco.com/t5/network-access-control/aaa-radius-and-privilege-levels/m-p/1683151#M247583 don.mcdaniel 2019-03-11T01:13:25Z https://community.cisco.com/t5/network-access-control/aaa-radius-and-privilege-levels/m-p/1683152#M247600 <HTML><HEAD></HEAD><BODY><P>Yes you can do it by using Tacacs or Radius:</P><P></P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ enable</P><P>aaa authorization exec default group tacacs+ none</P><P></P><P>You need to manually define all the commands for users in privilege level 7 using "privilege" commands.</P><P>For ex:</P><P>privilege interface level 7 shutdown</P><P>privilege configure level 7 interface</P><P>privilege exec level 7 conf t</P><P>privilege exec level 7 write memory</P><P>privilege exec level 7 reload</P><P>privilege exec level 7 show run</P><P></P><P> Then you need to configure Tacacs/Radius server to return privilege level 7:</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml">http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml</A></P><P></P><P>Zhenning</P></BODY></HTML> Thu, 14 Jul 2011 20:47:37 GMT https://community.cisco.com/t5/network-access-control/aaa-radius-and-privilege-levels/m-p/1683152#M247600 zhenningx 2011-07-14T20:47:37Z