12-24-2001 10:25 AM - edited 02-21-2020 09:58 AM
How do you tie down access to different user groups when you are using a tacacs server for other activities as well as router access ?
01-01-2002 06:59 PM
Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen
If anyone else in the forum has some advice, please reply to this thread.
Thank you for posting.
01-24-2002 07:32 AM
If I understand correctly, what you are saying is:
you have 2 groups, say A and B, and A is allowed to configure the routers (call them admingroup) but B is only allowed to do some basic commands like show version (call them usergroup). Am I correct?
If so, you can configure different privileges for each group.
If this is not the case, please clarify and explain more.
01-25-2002 06:00 AM
I want to allow Group B only some basic commands, and give them privilege level 5. The available commands for Group B I will configure in the Cisco Secure Access Server, but my debug shows that no commands are transmitted, so the group has no executable commands.
Where do I have to configure the commands in the ACS?
I have already tried in the advanced TACACS settings, but I always failed.
Thanks for any configuration tips!
01-29-2002 07:44 AM
What we have done using TACACS+ for Linux is create group profiles, and allow/restrict commands depending on profile.
group = admingroup {
cmd = enable { permit .* }
cmd = exit { permit .* }
cmd = logout { permit .* }
cmd = configure { permit .* }
cmd = debug { permit .* }
cmd = write { permit .* }
cmd = clear { permit .* }
cmd = show { permit .* }
cmd = shutdown { permit .* }
cmd = interface { permit .* }
cmd = aaa { permit .* }
cmd = traceroute { permit .* }
cmd = ping { permit .* }
cmd = no { permit .* }
cmd = ip { permit .* }
cmd = description { permit .* }
cmd = snmp-server { permit .* }
cmd = access-list { permit .* }
# Catalyst switch specifics - IOS based
cmd = dir { permit .* }
cmd = vlan { permit .* }
cmd = switchport { permit .* }
cmd = spanning-tree { permit .* }
cmd = port { permit .* }
cmd = set { permit .* }
}
group = opsgroup {
cmd = exit { permit .* }
cmd = logout { permit .* }
cmd = show { permit .* }
cmd = traceroute { permit .* }
cmd = ping { permit .* }
cmd = configure { deny .* }
cmd = terminal { permit monitor }
cmd = debug { permit .* }
cmd = enable { deny .* }
}
On the routers also make sure level 0 commands are controlled using:
aaa authorization commands 0 default group tacacs+
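To see what the two group profiles above actually allow, here is an added example (not from the original post or from tac_plus itself) that models the permit/deny matching in Python and runs a few commands through it. It assumes the NAS sends the first word as the command and the rest as the argument string, that the stanza is searched top to bottom with first match winning, that patterns are unanchored regexes, and that a missing entry means deny; treat those as assumptions about the server, not a statement of its exact behaviour.

```python
import re

# Constructed policy, a subset of the admingroup/opsgroup profiles posted above.
# Each cmd maps to an ordered list of (action, regex) entries.
POLICY = {
    "admingroup": {
        "enable": [("permit", ".*")],
        "configure": [("permit", ".*")],
        "show": [("permit", ".*")],
    },
    "opsgroup": {
        "show": [("permit", ".*")],
        "ping": [("permit", ".*")],
        "configure": [("deny", ".*")],
        "terminal": [("permit", "monitor")],
        "enable": [("deny", ".*")],
    },
}


def authorize(group: str, command: str, policy=POLICY) -> bool:
    """Return True if `command`, as typed on the router, would be permitted.

    Assumed evaluation model: split off the command word, match the remaining
    argument string against the group's entries for that command in order,
    first hit wins; no matching entry or no stanza at all means deny.
    """
    words = command.split()
    if not words:
        return False
    cmd, args = words[0], " ".join(words[1:])
    stanza = policy.get(group, {}).get(cmd)
    if stanza is None:
        return False  # no cmd entry for this group: default deny
    for action, pattern in stanza:
        if re.search(pattern, args):  # assumed unanchored match
            return action == "permit"
    return False  # stanza exists but nothing matched: deny


if __name__ == "__main__":
    for group in ("admingroup", "opsgroup"):
        for cmd in ("show running-config", "configure terminal",
                    "terminal monitor", "terminal length 0", "enable", "reload"):
            verdict = "permit" if authorize(group, cmd) else "deny"
            print(f"{group:11} {cmd:20} -> {verdict}")
```

Note that the unanchored `permit monitor` entry also matches an argument string such as `no monitor`; anchoring the pattern (for example `^monitor$`) restricts it to the one form intended.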