02-26-2008 08:40 AM - edited 03-10-2019 03:40 PM
We currently are using Cisco ACS 4.1 and have TACACS+ configured on all devices (PIX, routers, switches) so that they let us in with enable access. We need to add additional users but limit their access. I'm trying to figure out a way to allow certain users to have enable access (15) to our layer 2 devices but only terminal access (1) to our layer 3 devices. I've broken out the equipment into separate NDGs and now I'm trying to configure the group settings to make this work. I have configured the Shell Command Authorization settings to allow for this by assigning level 1 to layer 3 devices and 15 to layer 2 devices. When I try to connect to any of the devices it only gives me level 1 access. The logs show that it's hitting the proper NDGs but it's only showing level 1 access. Why am I not getting level 15 access when I hit my layer 2 devices? Is there something I'm missing?
02-28-2008 10:55 AM
Best way here is to give all users priv 15 access and then implement a command authorization set. Giving priv 15 does not mean that the user will be able to execute all commands.
Bring users/groups in at level 15
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field
Once you have priv 15, deploy the command authorization set.
IOS commands needed:
! entered in global configuration mode
! local account, only used as a fallback when the TACACS+ server is unreachable
username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
! authenticate logins against TACACS+, falling back to the local user database
aaa authentication login default group tacacs+ local
! ask ACS for the exec privilege level; if-authenticated permits when the server errors
aaa authorization exec default group tacacs+ if-authenticated
! send level 1 and level 15 commands to ACS for command authorization
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
! also authorize commands entered in configuration mode
aaa authorization config-commands
See this link,
Hope that helps
Regards,
~JG
Do rate helpful posts
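The following is an added illustration, not code from the post or from ACS: a small Python model of the scheme the answer above recommends, with every user brought in at privilege 15 and a per-NDG Shell Command Authorization Set deciding each command. It parses the AV pairs IOS sends in a shell command authorization request (service=shell, cmd=..., cmd-arg=...) and applies the set mapped to the device's NDG. The NDG names, device addresses, set contents and the regex-based argument matching are constructed assumptions that simplify the real ACS 4.x behaviour.

```python
"""
Model of ACS 4.x per-NDG shell command authorization (added example).
A user at privilege 15 on every device is restricted per device class by
the command authorization set assigned to that device's NDG.
The NDG names, device IPs, set contents and the regex matching of
arguments are constructed for the example, not taken from ACS.
"""
from dataclasses import dataclass, field
import re


@dataclass
class CommandRule:
    """One command entry in a Shell Command Authorization Set."""
    command: str
    # (action, regex) pairs tested in order against the argument string
    args: list = field(default_factory=list)
    permit_unmatched_args: bool = False


@dataclass
class CommandAuthSet:
    """A named set: per-command rules plus the 'Unmatched Commands' default."""
    name: str
    rules: dict = field(default_factory=dict)
    unmatched_commands: str = "deny"  # "permit" or "deny"

    def decide(self, command, args):
        rule = self.rules.get(command)
        if rule is None:
            # command not listed in the set: the set-level default applies
            return self.unmatched_commands == "permit"
        arg_line = " ".join(args)
        for action, pattern in rule.args:
            if re.search(pattern, arg_line):
                return action == "permit"
        # listed command, but none of its argument rules matched
        return rule.permit_unmatched_args


# Layer 2 NDG: every command allowed, i.e. effectively full level-15 access
L2_SET = CommandAuthSet("L2-FullAccess", unmatched_commands="permit")

# Layer 3 NDG: read-only style set, even though the exec level is still 15
L3_SET = CommandAuthSet(
    "L3-ReadOnly",
    rules={
        "show": CommandRule("show",
                            args=[("deny", r"^running-config"),
                                  ("deny", r"^startup-config")],
                            permit_unmatched_args=True),
        "ping": CommandRule("ping", permit_unmatched_args=True),
        "traceroute": CommandRule("traceroute", permit_unmatched_args=True),
        "exit": CommandRule("exit", permit_unmatched_args=True),
    },
)

# ACS group settings: exec privilege given everywhere, plus the per-NDG
# assignment of command authorization sets (constructed)
GROUP = {
    "exec_privilege": 15,
    "ndg_sets": {"Layer2-Switches": L2_SET, "Layer3-Routers": L3_SET},
}

# ACS network configuration: AAA client address -> NDG (constructed)
DEVICE_TO_NDG = {
    "10.0.2.10": "Layer2-Switches",
    "10.0.2.11": "Layer2-Switches",
    "10.0.3.1": "Layer3-Routers",
}


def parse_shell_avpairs(avpairs):
    """Extract cmd and cmd-arg values from a TACACS+ authorization request
    as IOS builds it: service=shell, cmd=<word>, cmd-arg=..., cmd-arg=<cr>."""
    command, args = None, []
    for av in avpairs:
        key, _, value = av.partition("=")
        if key == "cmd":
            command = value
        elif key == "cmd-arg" and value != "<cr>":
            args.append(value)
    return command, args


def authorize(device_ip, avpairs):
    """Return 'PERMIT' or 'DENY' for one command authorization request."""
    ndg = DEVICE_TO_NDG.get(device_ip)
    auth_set = GROUP["ndg_sets"].get(ndg)
    if auth_set is None:
        # device outside any configured NDG: fail closed (example's choice)
        return "DENY"
    command, args = parse_shell_avpairs(avpairs)
    if command is None:
        return "DENY"
    return "PERMIT" if auth_set.decide(command, args) else "DENY"


def request(*words):
    """Build the AV pairs IOS would send for a typed command (constructed)."""
    return (["service=shell", f"cmd={words[0]}"]
            + [f"cmd-arg={w}" for w in words[1:]] + ["cmd-arg=<cr>"])


if __name__ == "__main__":
    for ip, cmd in [("10.0.2.10", ("configure", "terminal")),
                    ("10.0.3.1", ("show", "ip", "route")),
                    ("10.0.3.1", ("show", "running-config")),
                    ("10.0.3.1", ("configure", "terminal")),
                    ("10.0.9.9", ("show", "version"))]:
        print(ip, " ".join(cmd), "->", authorize(ip, request(*cmd)))
```

Two caveats worth keeping in mind when deploying the real thing. The set-level "Unmatched Commands" default does the heavy lifting: leaving it at permit on the restricted set silently turns it into full access. And the `if-authenticated` fallback in the IOS lines above means that while the TACACS+ server is unreachable, every authenticated user passes exec and command authorization, so the per-NDG restriction disappears for the duration of the outage; choose that fallback deliberately and alert on TACACS+ server failures.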