AAA Authorization - ACS 3.0.2 on Win2K

nojpt
Level 1

Hi,

I want to restrict my Helpdesk 1st level support to these commands only:

show ver

show running-config

sh ip interface brief

ping

traceroute

logout

help

I created a Shell Command Authorization Set with only these commands available and associated these commands with a network device group. I don't want them to have enable privilege access. I assigned the users priv level 5 on the ACS server. I have this config on my switches/routers.

aaa new-model

aaa authentication login default group tacacs+

aaa authentication login admin local

aaa authorization exec default group tacacs+

aaa authorization commands 5 default group tacacs+

aaa accounting send stop-record authentication failure

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

I don't understand why it doesn't work. My Helpdesk users are still able to access enable privilege mode and have a lot more commands under priv level 5. Can anybody point me in the right direction?

thanks,

jonathan

12 Replies

gfullage
Cisco Employee

Difficult to say without seeing the TACACS server config. What do you mean that you associated the command set with a Network Device Group? You should associate the command set with a user or a group of users, not with devices.

Under the user or group profile you'd need the following:

- Shell (exec) checked

- Privilege level set to 5

- "Assign a Shell Command Authorization Set for any network device" selected

Then under the Shell Command Authorization Set:

- Unmatched Commands set to Deny

- "show" in the left hand window, with "permit ver", "permit running-config" and "permit ip interface brief" in the right hand window, and Permit Unmatched Args unchecked

- "ping" in the left hand window, with nothing in the right hand window and Permit Unmatched Args checked.

- "traceroute" same as for "ping"

- "logout" in the left hand window, nothing in the right hand window

Hi,

I redid my TACACS server config and did what you have outlined, with the same config on my Cisco device.

During login, the privilege is at level 5 all right, but the commands available are those of level one. Moreover, the "enable" command is also available, and if the user knows the enable password, this user will have access to global config and configuration mode. Wouldn't the TACACS config you outlined limit the user to those commands only?

I'm at a loss right now. :)

OK. You're doing authorization for level 5 commands on this router, but you haven't actually put any commands in at level 5. Even though the user comes in at level 5, all commands are still either at level 1 or 15. If you want to limit the users, just do:

> aaa authorization commands 1 default group tacacs+

This way all commands they type in will be authorized against the TACACS server. Make sure that you allow a back-door to get you into enable mode, otherwise you may well lock yourself out of this router. Ensure that you have at least one other user that has no command restrictions set, or better yet, do the following:

> aaa authentication login console none

> aaa authorization commands 1 console none

> line con 0

> login authentication console

> authorization commands 1 console

This way your console port will always be open.
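To make the two points in gfullage's replies concrete, here is an added Python model (not Cisco IOS or ACS code) of the decision path: the device consults TACACS+ only for commands whose privilege level has an `aaa authorization commands <level>` statement, and the ACS Shell Command Authorization Set then permits or denies by command and arguments. The command set, the default command levels and the two level sets are constructed to match this thread; argument matching is exact-string, a simplification of ACS.

```python
import shlex

# Constructed ACS Shell Command Authorization Set mirroring the one described
# above: per command, the argument strings explicitly permitted and whether
# "Permit Unmatched Args" is checked. Unmatched Commands is set to Deny.
COMMAND_SET = {
    "show": {"permit_args": ["ver", "running-config", "ip interface brief"],
             "permit_unmatched_args": False},
    "ping": {"permit_args": [], "permit_unmatched_args": True},
    "traceroute": {"permit_args": [], "permit_unmatched_args": True},
    "logout": {"permit_args": [], "permit_unmatched_args": False},
}

# Assumed default IOS command levels: "configure" is a level-15 command,
# everything else used here (including "enable") is level 1.
DEFAULT_CMD_LEVELS = {"configure": 15}


def acs_authorize(cmdline, command_set=COMMAND_SET):
    """ACS side: evaluate one command line against the command set.
    Argument matching is exact-string here, a simplification of ACS."""
    parts = shlex.split(cmdline)
    if not parts:
        return False
    cmd, args = parts[0], " ".join(parts[1:])
    rule = command_set.get(cmd)
    if rule is None:                 # Unmatched Commands -> Deny
        return False
    if not args or args in rule["permit_args"]:
        return True
    return rule["permit_unmatched_args"]


def device_authorize(cmdline, authz_levels, cmd_levels=DEFAULT_CMD_LEVELS,
                     command_set=COMMAND_SET):
    """IOS side: a command is only sent to TACACS+ if its privilege level
    has an `aaa authorization commands <level>` statement; otherwise it
    runs locally without any check."""
    first = cmdline.split()[:1]
    level = cmd_levels.get(first[0], 1) if first else 1
    if level not in authz_levels:
        return True                  # never reaches the server
    return acs_authorize(cmdline, command_set)


# Levels with command authorization in the original post (only 5, where no
# command lives) and with the fix (level 1; 15 added here as an assumption).
ORIGINAL_LEVELS = {5}
FIXED_LEVELS = {1, 15}
```

Calling `device_authorize("enable", ORIGINAL_LEVELS)` returns True, which is exactly the symptom in the question, while the same call with `FIXED_LEVELS` returns False because the command is now sent to ACS and is unmatched.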

Hi,

Actually, I want to put specific commands at level 5 so that a user can only issue those. My problem is: do I have to do that on the router/switches or on the TACACS server? I only want these users to have these commands:

show version

show running-config

show ip interface brief

ping

traceroute

Can you show me how to configure this at level 5?

Thanks,

jonathan

Use the privilege exec command in the devices, such as:

privilege exec level 5 show version

You can either put them into level 5 on the router itself, as the previous person said, or just do it how I told you. This way all commands entered will be authorized against the TACACS server, and only the ones you have specifically entered will be allowed for those users with a Shell Command Authorization set against them. For everyone else you can simply allow all commands to be entered.

Hi,

Thanks for all your help. I have it finally running. Well, except for the blank page displayed when issuing 'sh run' from a lower privilege level. I've read somewhere that it will only show what the user has configured, but since lower level users have no rights to do configuration, there is nothing to show. Is there any workaround to this?

Check this out: http://www.cisco.com/warp/public/63/showrun.shtml

It may help you.

Thank you. These are all of great help.

Hi,

I have another set of problems. I have this for my NAS config:

aaa new-model

aaa authentication login default group tacacs+ none

aaa authentication login no_authen none

aaa authorization exec default group tacacs+ none

aaa authorization commands 0 default group tacacs+ none

aaa authorization commands 1 default group tacacs+ none

aaa authorization commands 15 default group tacacs+ none

aaa authorization config-commands

The config works fine with telnet access. Now I'm having a problem with the console. How do I make it so that these authorizations are not applied to my console? Meaning, I want to have full privilege if I connect via console.

Many thanks,

jonathan

Jonathan,

The 4th reply, by gfullage, in this conversation tells how to do this.

gfullage recommends:

Ensure that you have at least one other user that has no command restrictions set, or better yet, do the following:

> aaa authentication login console none

> aaa authorization commands 1 console none

> line con 0

> login authentication console

> authorization commands 1 console

This way your console port will always be open.

Thank you.