Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1172
Views
0
Helpful
1
Replies

ACS 5.1 Device Admin privilege assignment

ww9rivers
Level 1
Level 1

‎12-01-2011 02:03 PM - last edited on ‎03-25-2019 05:28 PM by Community Manager

I think I am doing the same thing as described in this document: https://supportforums.cisco.com/docs/DOC-16027

However, my admin user is still being assigned privilege level 1, as shown in AAA Protocol > TACACS+ Authentication Details report.

The report seems to show that the user is getting the right shell profile (Selected Shell Profile: Net-Admin -- is the one I setup for this user's group with both Default Privilege and Maximum Privilege set to Static 15). But still not the right privilege (Privilege Level: 1).

Also, I found this document via Google:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml#t2

The router configuration examples all show this "aaa authorization exec tacacs+|radius local" command, which my device does not have.

So I am wondering if I am not reading the ACS report right, or the device actually was assigned the correct privilge but that does not work without the "aaa authorization exec" command in the configuration?

Any help would be great! Thanks!

--

Wei

Labels:
0 Helpful
1 Reply 1

ww9rivers
Level 1
Level 1

‎12-02-2011 07:14 AM

Indeed, a device must have the "aaa authorization exec" command for privilege assignment from ACS to work.

In my device, running IOS 12.2(53)SG3, the configuration should be:

    aaa authorization exec default local group tacacs+

That allows the device to try the local enable secret and then TACACS+ authorization.

0 Helpful
Customers Also Viewed These Support Documents