shell & enable on ACS 4.0

cassinhee — Sun, 10 Mar 2019 21:50:31 GMT

I am puaaed about shell and enable and the acordingly configuration on the client.

1)If I check shell under user group on ACS, I configured

aaa authorization exec default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

2) If I also check enable on ACS and configure aaa authentication enable default group tacacs local

can I just use one of the two options or use them together?

Thanks!

Re: shell & enable on ACS 4.0

a.kiprawih — Wed, 15 Nov 2006 12:17:08 GMT

You can use them together:

1. aaa authentication enable default group tacacs local --> use tacacs+, if tacacs+ failed/unreachable, use local userID/pwd

You can use this only, but if you don't define authorization, make sure your user ID in TACACS+ has priv 15. PIX accept either priv 15 or 2 only (priv 2 is default if you create user ID in PIX without specifying priv level).

But it's better to use TACACS+ for more control/centralized.

2. aaa authorization exec default group tacacs+ local --> use tacacs+ to authorize what/cmd to execute, use local if tacacs+ failed

aaa authorization commands 15 default group tacacs+ local --> use tacacs+ to authorize cmd for user with priv level 15 can execute, and refer to local authorization if tacacs+ failed/unreachable.

You can combine this with#1.

HTH

topic shell & enable on ACS 4.0 in Network Access Control

shell & enable on ACS 4.0

Re: shell & enable on ACS 4.0