AAA

asit1111990
Level 1

Hello Team,

I was going through an AAA configuration and came across two commands:

  • aaa authorization commands 1 TACACS_USER group TACACS
  • aaa authorization exec  EXEC_AUTHOR group tacacs local

As per my knowledge, the first command gives command privileges when the users are at privilege level 1, 0 and 15, i.e. when users are at privilege level 1 they are allowed to perform certain commands specified in the TACACS server under their respective username and password.

The second command allows the user to perform certain commands when he is in privilege exec mode.

Please correct me if I am wrong.

My question is: when a user is at privilege exec mode he is at privilege level 15, so what's the difference between the first and second command?

My second question is: what is the difference between TACACS and RADIUS? When do we use TACACS and when do we use RADIUS?

Thank you!

3 Replies

Gagandeep Singh
Cisco Employee

The first command means only levels 0 and 1 will be checked against the TACACS server.

The second means to allow direct access to exec mode, bypassing enable. In order to achieve this, you need to push priv 15 from the TACACS server.

You can configure a Command Set for full access or as per the commands allowed for your users.

TACACS is used for

  1. Device Administration. Controlling access to who can log in to a network device console, telnet session, secure shell (SSH) session, or other method is the other form of AAA that you should be aware of. This is AAA for device administration, and while it can often seem similar to network access AAA, it is a completely different purpose and requires different policy constructs.

RADIUS is used for

  2. Network Access. Securing network access can provide the identity of the device or user before permitting the entity to communicate with the network. This is AAA for secure network access.

Refer to the document below:

http://www.networkworld.com/article/2838882/radius-versus-tacacs.html

Regards

Gagan

ps : rate if it helps!!!!

Hi Gagan,

Thank you for your reply.

So when I am configuring aaa authorization exec EXEC_AUTHOR group tacacs local, the privilege level of the user should always be 15. And when I configure the command, it will give the user direct access to privilege executive mode, not to user mode, with privilege level 15. Right?

Then what does aaa authorization commands 15 TACACS_USER group TACACS do?

Thanks! 

Please refer to the doc below; you will get all your answers.

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-windows/99361-acs-shell-auth.html

Regards

Gagan

PS : rate if it helps!!!!!
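The two method lists from this thread shown in context, as an added example that is not from any poster or from Cisco's documents. Assumptions: TACACS is a named TACACS+ server group used for both lists; the server name TAC1, the address 192.0.2.10, the key placeholder and the VTY_LOGIN list are constructed for illustration.

```cisco
aaa new-model
!
! Constructed server definition; replace the address and key with your own
tacacs server TAC1
 address ipv4 192.0.2.10
 key <SHARED-SECRET-PLACEHOLDER>
!
aaa group server tacacs+ TACACS
 server name TAC1
!
! Authentication list (hypothetical name) so the session has an identity
aaa authentication login VTY_LOGIN group TACACS local
!
! EXEC authorization: evaluated once, at login. The server decides whether
! the user may start a shell and can return a priv-lvl attribute (for
! example 15) so the session starts at that level without typing "enable".
aaa authorization exec EXEC_AUTHOR group TACACS local
!
! Command authorization: evaluated for every command entered. One list per
! privilege level; each command assigned to that level is sent to the
! server, which permits or denies it according to the user's command set.
aaa authorization commands 1 TACACS_USER group TACACS local
aaa authorization commands 15 TACACS_USER group TACACS local
!
! Named lists have no effect until they are applied to a line.
line vty 0 4
 login authentication VTY_LOGIN
 authorization exec EXEC_AUTHOR
 authorization commands 1 TACACS_USER
 authorization commands 15 TACACS_USER
 transport input ssh
```

The trailing `local` method is consulted only when the TACACS+ group cannot be reached; a deny returned by the server is final and does not fall through to local.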