11-15-2021 09:31 AM - edited 11-15-2021 09:32 AM
Hello everyone,
I would like to use TACACS command authorization to allow our help desk personnel to run specific show commands so that they are better able to support the network without having to always contact the network team with basic inquiries.
Currently, I have TACACS command authorization working for the help desk team and the network admin team. The Help Desk team is only allowed to run a few show commands while the network admin team is able to run any command.
Now the issue is that when we run scripts or input a large configuration into the switches using the network admin group, the scripts take way too long to finish.
So basically I want to disable TACACS command authorization for only the network admin group, while still keeping it enabled for the help desk group. When you think about it, the network admin group is allowed to run all commands, so having TACACS command authorization enabled for this group does not provide any additional value.
NOTE: I would still want to keep accounting working for all commands input into the switches.
Is there any way to get this done?
Thank you in advance for your assistance.
11-23-2021 07:56 PM
Hello @BenLora79498
Does your IOS config contain an aaa authorization for specific "Enable levels"?
Device(config)#aaa authorization commands 1 default group MyTacacsGroup local
Device(config)#aaa authorization commands 15 default group MyTacacsGroup local
If so, then you should be able to switch off the aaa authorization by replacing the PrivLevel 15 admins with this
Device(config)#aaa authorization commands 15 default if-authenticated
My examples use the "default" method list, so beware if you're using more specific method lists (check your vty section).
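A fuller version of that idea, as an added illustration rather than the responder's own config: privilege-1 (help desk) commands are still authorized by the TACACS+ server, privilege-15 (admin) commands are permitted locally once the session is authenticated, and command accounting stays on for both levels as the original poster required. The server name, group name, address and key are placeholders.

```text
! Constructed example, not taken from the thread.
aaa new-model
tacacs server TAC1
 address ipv4 192.0.2.10
 key PLACEHOLDER_SHARED_SECRET
aaa group server tacacs+ MyTacacsGroup
 server name TAC1
!
aaa authentication login default group MyTacacsGroup local
aaa authorization exec default group MyTacacsGroup local
!
! Help desk (privilege 1): every command is still checked by the TACACS+ server.
aaa authorization commands 1 default group MyTacacsGroup local
! Network admins (privilege 15): no per-command round trip to the server;
! access is gated only by the login and the exec privilege level assigned there.
aaa authorization commands 15 default if-authenticated
!
! Accounting is independent of authorization, so commands from both levels
! are still sent to the server as start-stop records.
aaa accounting commands 1 default start-stop group MyTacacsGroup
aaa accounting commands 15 default start-stop group MyTacacsGroup
!
! The "default" lists apply to vty lines automatically. If the lines use
! named lists instead, the same change has to be made on the named lists
! referenced here, otherwise the vty sessions keep the old behaviour.
line vty 0 15
 authorization commands 1 default
 authorization commands 15 default
 accounting commands 1 default
 accounting commands 15 default
```

Before relying on this, confirm with "show run | section aaa" and "show run | section line vty" that no line still references a named list that sends privilege-15 commands to the server.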