07-13-2005 05:43 AM - edited 03-10-2019 02:13 PM
Dear Sir,
On my ACS v3.2 Windows server, I have configured group A and created one user in it as B. I want this user B to have a helpdesk profile, i.e. he should only access show commands, but it is strange to discover that when B types enable he moves into enable mode (it asks for the enable password). I want to restrict B from using the enable command. Pls. find below my router client aaa config:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login enable group tacacs+ enable
aaa authentication ppp default local group radius
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa session-id common
Kindly suggest client and server config to accomplish the needful task.
07-20-2005 08:05 AM
You could refer to : http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7a7.html for the authorization commands.
07-20-2005 01:46 PM
That's because this is not done at the router level. As above, your configuration says to use a tacacs server and if it fails then authenticate and authorize locally. So as long as the router can access the tacacs server it will pass it off to the tacacs server for it to make that decision and from there pass it back to the router. In other words, make your access authorization settings on the ACS server, not the router. The router is set up fine as long as you have the tacacs-server command in there specifying what server to use with a key.
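Router-side command authorization to pair with the ACS-side decision, as an added example that is not from any poster in this thread (server address and key are placeholders). The config in the question has `aaa authorization exec` but no `aaa authorization commands`, so the router never asks ACS whether the user may run `enable`; these lines make it ask, and the ACS group then needs a shell command authorization set that permits `show` and denies unmatched commands, `enable` included.

```cisco
! Added example: command authorization for a helpdesk (privilege 1) group.
! Assumes ACS group A carries a Shell Command Authorization Set that
! permits "show" and denies everything else (unmatched commands: deny).
aaa new-model
!
! Lists already present in the question, kept as-is. The exec list also
! applies the privilege level ACS returns (priv-lvl=1 for group A).
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Missing piece: consult the TACACS+ server before running each command.
! Level 1 is where the helpdesk session lives; without this line "enable"
! is never sent to ACS and the router just prompts for the enable password.
! if-authenticated lets an already-authenticated user keep working when
! ACS is unreachable; use "none" or omit the fallback to fail closed.
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
! Authorize configuration-mode commands as well, not only exec commands.
aaa authorization config-commands
!
! Server definition (placeholder values). The key must match the ACS entry.
tacacs-server host 192.0.2.10
tacacs-server key REPLACE_WITH_SHARED_SECRET
```

To verify, log in as B: `show version` should succeed, `enable` should be rejected with a command authorization failure, and the denial should be visible in the ACS Failed Attempts report.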