
Command Set Authorization in ACS 5.0

estelamathew
Level 2

Hello Federico,

Attached is what I have done for command authorization for a privilege level 2 user.

Please, please help me get this issue resolved, as it has been pending for a very long time on my end.


Federico Ziliotto
Cisco Employee

Hi Mathew,

Thank you for posting again on CSC.

Could you please confirm what is the issue exactly?

For example, are users on privilege level 2 not able to type any debug command?

What is the error message that the switch is returning?

Looking at the ACS configuration, everything looks OK for what concerns the authorization rule.

In the command set however, I could see that the permitted "debug" and "undebug" commands have no arguments.

This could cause users to be authorized to type "debug", but not "debug ip packet" for example.

If you'd like to permit any argument for a specific command, you should make sure to define the argument as a star *

Let me know if this helps,

Fede

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Hello Federico,

Very happy to see your reply; I hope we will reach a solution in this thread.

  • For example, are users on privilege level 2 not able to type any debug command? What is the error message that the switch is returning?

       When the user logs in to the switch with his username and password, he is in exec mode (>) instead of privilege (#) mode. The username, password and user level 2 are set on ACS, not configured on the switch.

  • I want to authorize some commands (debug and undebug) for user level 2.

  • If you'd like to permit any argument for a specific command, you should make sure to define the argument as a star *

     At least I should get the privilege (#) prompt to type the debug or undebug command.

Hi Mathew,

If you are assigning privilege level 2 to users, it is expected that the first prompt will be the one for the exec mode (>).

In order to enter the privilege mode you'd need to type the "enable" command.

Only users in privilege mode 15 could be expected to be prompted for the enable mode directly (#).

Regards,

Fede


Hello Federico,

When I execute the command "username cisco privilege 2 password cisco" on the switch, it drops me directly into privilege mode of level 2 (#), BUT when the user is only configured in ACS, then it drops me into (>).

If I agree with your words above, then I don't see any debug and undebug commands in (>) mode for that particular level 2 user.

Thanks.

Hi Mathew,

If possible, would you mind attaching the configuration from your switch?

Usually, debug commands for privilege level 2 users should be available after entering the enable mode.

Regards,

Fede


Hello Federico,

Attached are the switch configs related to AAA.

Usually, debug commands for privilege level 2 users should be available after entering the enable mode.

But I am not able to get into enable mode; after entering the username and password it gives me the (>) prompt. Please see the attached.

Thanks

Hi Mathew,

In order to also enable authorization for commands on privilege level 2, you should add the following line to the switch:

aaa authorization commands 2 rus group tacacs+

!

line vty 0 4

authorization commands 2 rus

or simply

aaa authorization commands 2 default group tacacs+

Before playing with command authorization, you may want to save the config on the switch (write memory). In case you accidentally lock yourself out through command authorization, you could simply reload the switch so that you lose only the latest command authorization changes.

Regarding the enable mode (#), when you are at the > prompt, please type "enable" and then enter.

Regards,

Fede


Hello Federico,

Regarding the enable mode (#), when you are at the > prompt, please type "enable" and then enter.

It doesn't accept it without a password.

Thanks

Hi Mathew,

Let's quickly take a step backwards.

I quickly tested a simple config in our lab that, ported to your "rus" method, should look like the following:

aaa authentication login rus group tacacs+

aaa authorization exec rus group tacacs+

aaa authorization commands 0 rus group tacacs+

aaa authorization commands 1 rus group tacacs+

aaa authorization commands 2 rus group tacacs+

aaa authorization commands 15 rus group tacacs+

!

line vty 0 4

authorization commands 0 rus

authorization commands 1 rus

authorization commands 2 rus

authorization commands 15 rus

authorization exec rus

login authentication rus

On ACS, the shell profile with privilege level 2 and command set for "debug .*" should be the one to use. So please be sure that under the argument of the debug command in the ACS command set you specify '.*' that means any argument.

Also, please note that "debug" commands on the switch are not available under privilege level 2 by default. So we'd also need to move the "debug" commands and all the needed arguments under privilege level 2:

privilege exec level 2 debug radius

privilege exec level 2 debug aaa authentication

privilege exec level 2 debug aaa authorization

etc.

Let me know if this helps,

Fede

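The two points Federico makes above, in his first reply (an ACS command-set entry whose argument field is empty permits only the bare command, so "debug" passes but "debug ip packet" does not) and in this post (the switch must first move "debug" down to privilege level 2, otherwise the line never reaches ACS at all, and "aaa authorization commands N" has to exist for the command's level), can be followed in a small simulation. This is an added example, not code from the thread or from Cisco: the IOS privilege-level rules and the ACS 5 command-set matching are simplified models, the DEFAULT_LEVELS table is constructed, and treating the argument field as a regular expression that must match the whole argument string is an assumption.

```python
import re
from dataclasses import dataclass

# Simplified model of the two gates a typed line passes through (assumption):
#   1. IOS offers a command only if its privilege level is <= the user's level;
#      "privilege exec level N <command>" lowers that level.
#   2. If "aaa authorization commands N <list> group tacacs+" exists for the
#      command's level, IOS sends the whole line to ACS, whose command set
#      answers permit or deny. Otherwise the command runs without asking ACS.

DEFAULT_LEVELS = {  # constructed, not a full IOS privilege table
    "enable": 1, "show": 1, "ping": 1, "debug": 15, "undebug": 15, "configure": 15,
}


def words(line):
    return tuple(line.split())


def command_level(priv_table, line):
    """Privilege level IOS assigns to a typed line (simplified).

    An entry applies when it is a prefix of the line ('debug' covers
    'debug ip packet') or when the line is a prefix of the entry, because
    IOS also exposes the parent keywords of a moved command. The lowest
    applicable level wins; anything unknown is treated as level 15.
    """
    lw, level = words(line), 15
    for entry, lvl in priv_table.items():
        ew = words(entry)
        n = min(len(ew), len(lw))
        if ew[:n] == lw[:n]:
            level = min(level, lvl)
    return level


def move_privilege(priv_table, level, command):
    """Effect of 'privilege exec level <level> <command>' on the table."""
    new = dict(priv_table)
    new[command] = level
    return new


@dataclass
class CommandSetEntry:
    grant: str            # "permit" or "deny"
    command: str          # command keyword, e.g. "debug"
    arguments: str = ""   # regex on the rest of the line; "" matches only the bare command


@dataclass
class CommandSet:
    entries: list
    permit_unlisted: bool = False  # ACS "Permit any command that is not in the table"


def acs_decision(cset, line):
    """First matching entry wins; unlisted commands follow the checkbox (assumption)."""
    lw = words(line)
    cmd, args = lw[0], " ".join(lw[1:])
    for e in cset.entries:
        if e.command != cmd:
            continue
        if e.arguments == "":
            hit = args == ""
        else:
            hit = re.fullmatch(e.arguments, args) is not None
        if hit:
            return e.grant == "permit"
    return cset.permit_unlisted


def run_command(line, user_level, priv_table, authz_levels, cset):
    """What happens when a user at user_level types line.

    authz_levels: privilege levels that have 'aaa authorization commands N ... group tacacs+'.
    Returns one of: hidden, permit-local, permit-acs, deny-acs.
    """
    lvl = command_level(priv_table, line)
    if lvl > user_level:
        return "hidden"         # not in the parser at this level
    if lvl not in authz_levels:
        return "permit-local"   # no command authorization for this level: ACS is never asked
    return "permit-acs" if acs_decision(cset, line) else "deny-acs"


def walkthrough():
    """The thread's scenario: a privilege-2 user, debug commands, an ACS command set."""
    table = dict(DEFAULT_LEVELS)
    no_args = CommandSet([CommandSetEntry("permit", "debug"), CommandSetEntry("permit", "undebug")])
    any_args = CommandSet([CommandSetEntry("permit", "debug", ".*"), CommandSetEntry("permit", "undebug", ".*")])
    out = {}
    # 1. By default debug lives at level 15, so a level-2 user never reaches ACS with it.
    out["before_move"] = run_command("debug ip packet", 2, table, {2}, any_args)
    # 2. After the switch-side move the line reaches ACS, where an empty
    #    argument field covers only the bare command.
    table = move_privilege(move_privilege(table, 2, "debug"), 2, "undebug")
    out["bare_debug_no_args"] = run_command("debug", 2, table, {2}, no_args)
    out["debug_ip_no_args"] = run_command("debug ip packet", 2, table, {2}, no_args)
    # 3. With '.*' in the argument field any argument is permitted.
    out["debug_ip_any_args"] = run_command("debug ip packet", 2, table, {2}, any_args)
    # 4. Level-1 commands bypass ACS unless 'aaa authorization commands 1 ...' exists too.
    out["show_only_level2_authz"] = run_command("show version", 2, table, {2}, any_args)
    out["show_all_levels_authz"] = run_command("show version", 2, table, {0, 1, 2, 15}, any_args)
    return out


if __name__ == "__main__":
    for name, result in walkthrough().items():
        print(f"{name:26s} {result}")
```

The last two cases show why Federico configures authorization for levels 0, 1, 2 and 15 rather than level 2 alone: with only "aaa authorization commands 2", every level-1 command a privilege-2 user types runs without ACS ever seeing it, and once level 1 is added the command set must list those commands too (or have "permit any command not in the table" checked), otherwise they are denied.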

Hello Federico,

Very nice example.

  • From your example and the attached PDF files I came to know that we have to apply the privilege level commands on the switch as well as on the ACS server, so that's the reason I was not able to authorize the command? If we have to apply them on both the switch and ACS, then why do we need the ACS server?

  • But even after applying them I am not able to authenticate (error in authentication) unless I specify the command "enable secret level 2 cisco" on the switch. When I try to log in, after the username and password it asks me for the enable password; only when I enter the command "switch> enable 2" and then the password am I placed in privilege level 2 and authorized to apply those debug and undebug commands. Please have a look at the attached.

  • On the ACS server, when I create the username there are two options for the password: the first option is the user's password and the second option is the enable password. Which level does this enable password refer to? I tried putting the level 2 password, but it is not accepted when I telnet. Only when I apply "enable secret level 2 cisco" on the switch does it allow me to enter privilege level 2 mode. Please have a look at the attached.

  • I have also created one user with "username xyz privilege 15 password cisco". When the user telnets and enters his username and password, he is placed in user exec mode (>) instead of privilege mode (#) of level 15. Again I have to enter the enable secret password of level 15; only then is the user placed in privilege 15.

Please have a look at the attached PDF files, sections Task 4.1, Task 4.3, Task 4.4 and Task 4.5. Your example procedure matches the PDF.

Thanks

Hi Mathew,

Few clarifications needed here:

1. We don't apply the same config for privileges/commands on both the ACS and the switch.

On ACS we need to define which commands are allowed in the command set.

On the switch, if you have a user logged in with a certain privilege, and you want to authorize commands that are by default available only on a different privilege, then you need to move those commands to the user's privilege level where you want to have them.

2. No need for extra enable passwords on ACS as long as the switch is not configured to ask for one.

Please re-attach an updated version of your switch's configuration so to double check that it is aligned with what I tested here.

Regards,

Fede


Hello Federico,

  • We don't apply the same config for privileges/command on both the ACS and the swith.

    On ACS we need to define which commands are allowed in the command set.

    On  the switch, if you have a user logged in with a certain privilege, and  you want to authorize commands that are by default available only on a  different privilege, then you need to move those commands to the user's  privilege level where you want to have them.

I didn't understand what you are trying to explain. But what I understand is that the command set we are permitting on the switch is the same commands we are permitting on ACS, so what is the difference? Attached is the command set I permitted on ACS and the same commands on the switch.

  • No need for extra enable passwords on ACS as long as the switch is not configured to ask for one.

         Where does this enable password on ACS refer to?

    version 12.2
    no service pad

    enable secret level 2 5 $1$3JuM$Qwx9ZmRixfbsnQ5YvoByh0
    enable secret 5 $1$bHw2$ZGFSLF2ZaYxwn/6wDhf9J.
    !
    username abc password 7 094F5B5E41531A
    username XYZ privilege 15 password 7 00071A150754
    username XXX password 7 06051A76141804

    aaa new-model
    aaa authentication login rus group tacacs+ local
    aaa authentication login console none
    aaa authorization exec default group tacacs+
    aaa authorization commands 2 default group tacacs+
    tacacs-server host 10.75.X.X key 7 01100F175804
    tacacs-server directed-request
    radius-server source-ports 1645-1646
    ip tacacs source-interface vlan 120
    privilege exec level 2 undebug all
    privilege exec level 2 undebug
    privilege exec level 2 debug all
    privilege exec level 2 debug

    !
    line con 0
    logging synchronous
    login authentication console
    line vty 0 4
    password 7 03074E5C5E592C
    login authentication rus
    line vty 5 15
    password 7 000706515C0D06
    login authentication rus

Thanks

Thank you Mathew,

Let me restate the previous points:

1. But what i understand is the command set what we r permitting on switch is the same commands we r permitting on ACS, then what is the difference?

[A] On the switch we are not permitting any set of commands: we are moving the commands that we permit through ACS to the privilege level 2 of the user we want to use.

The commands are permitted by ACS, not by the switch.

But we need to move the "debug" commands on the switch to privilege level 2, otherwise a user on privilege level 2 will not be able to see them.

2. The configuration you applied on your switch is not the same that I tested and recommended:

2a) You have

aaa authentication login rus group tacacs+ local

aaa authentication login console none

aaa authorization exec default group tacacs+

aaa authorization commands 2 default group tacacs+

This should be changed to

aaa authentication login rus group tacacs+

aaa authentication login console none

aaa authorization exec rus group tacacs+

aaa authorization commands 0 rus group tacacs+

aaa authorization commands 1 rus group tacacs+

aaa authorization commands 2 rus group tacacs+

aaa authorization commands 15 rus group tacacs+

2b) You have

line vty 0 4

password 7 03074E5C5E592C

login authentication rus

This should be changed to

line vty 0 4

authorization commands 0 rus

authorization commands 1 rus

authorization commands 2 rus

authorization commands 15 rus

authorization exec rus

login authentication rus

Regards,

Fede


Hello Federico,

Please be patient with me; I appreciate you staying with me on this thread. God bless you.

  • [A] On the switch we are not permitting any set of commands: we are  moving the commands that we permit through ACS to the privilege level 2  of the user we want to use.

The commands are permitted by ACS, not by the switch.

But  we need to move the "debug" commands on the switch to privilege level  2, otherwise a user on privilege level 2 will not be able to see them.

Can this be done without ACS as well? I can move commands to privilege level 2 and give certain users access to level 2 with an enable secret password, and they can execute the commands.

  • Here are the configs:

aaa new-model
aaa authentication login rus group tacacs+ local
aaa authentication login console none
aaa authorization exec rus group tacacs+
aaa authorization commands 2 rus group tacacs+

privilege exec level 2 undebug all
privilege exec level 2 undebug
privilege exec level 2 debug all
privilege exec level 2 debug
!
line con 0
logging synchronous
login authentication console
line vty 0 4
password 7 03074E5C5E592C
authorization commands 2 rus
authorization exec rus
login authentication rus
line vty 5 15
password 7 000706515C0D06
login authentication rus
authorization commands 2 rus
authorization exec rus
!
end

  • Federico, the privilege commands are still very far away for me: I can't even get to the (#) prompt after entering the username and password. Just have a look below.


username: cisco
password:

Class_room_105>en   ????  (this is where I am stuck: which password should I give here if I don't create an enable secret level 2 password?)