Help needed on command authorization set

manishn
Level 1

Dear Sir,

On my ACS v3.2 Windows server, I have configured group A and created one user in it, B. I want this user B to have a helpdesk profile, i.e. he should only access show commands, but it is strange to discover that when B types enable he moves into enable mode (it asks for the enable password). I want to restrict B from using the enable command. Please find below my router client AAA config:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication login enable group tacacs+ enable

aaa authentication ppp default local group radius

aaa authorization exec default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 7 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa session-id common

Kindly suggest client and server config to accomplish the needful task.

2 Replies

vasthorvak
Level 1

That's because this is not done at the router level. As above, your configuration says to use a TACACS server and, if it fails, then authenticate and authorize locally. So as long as the router can access the TACACS server, it will pass it off to the TACACS server for it to make that decision and from there pass it back to the router. In other words, make your access authorization settings on the ACS server, not the router. The router is set up fine as long as you have the tacacs-server command in there specifying what server to use with a key.
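
An added check, not part of either post above: a small Python audit that parses the AAA lines from the question and reports which decisions (enable authentication, per-level command authorization) have no default method list that names TACACS+, since the ACS server can only rule on requests the router actually sends it. The function names and the audited privilege levels (1 and 15) are assumptions made for this example.

```python
import re

# Constructed sample: the AAA lines quoted in the question above.
POSTED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login enable group tacacs+ enable
aaa authentication ppp default local group radius
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa session-id common
"""

# aaa <function> <service> <list-name> <methods...>
AAA_LINE = re.compile(r"^aaa\s+(authentication|authorization|accounting)\s+"
                      r"(login|enable|ppp|exec|connection|commands\s+\d+)\s+(\S+)\s+(.+)$")

def parse_aaa(config):
    """Return {(function, service, list_name): [methods]} for each method list."""
    lists = {}
    for raw in config.splitlines():
        m = AAA_LINE.match(raw.strip())
        if m:
            func, service, name, methods = m.groups()
            lists[(func, " ".join(service.split()), name)] = methods.split()
    return lists

def audit(config, levels=(1, 15)):
    """List decisions that no default method list hands to TACACS+."""
    lists = parse_aaa(config)
    def uses_tacacs(key):
        return "tacacs+" in lists.get(key, [])
    findings = []
    if not uses_tacacs(("authentication", "enable", "default")):
        findings.append("enable: no 'aaa authentication enable default' list using tacacs+")
    for lvl in levels:
        if not uses_tacacs(("authorization", f"commands {lvl}", "default")):
            findings.append(f"commands {lvl}: no 'aaa authorization commands {lvl} default' list using tacacs+")
    if ("authentication", "login", "enable") in lists:
        # 'login enable ...' creates a login list NAMED "enable"; it is not enable authentication.
        findings.append("login list named 'enable' defines a login method list only")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(POSTED_CONFIG)))
```

Run against the posted lines, it reports four findings: the enable prompt is not sent to TACACS+, command authorization is absent for levels 1 and 15, and the `login enable` line is a named login list.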