11-14-2006 06:42 PM - edited 03-10-2019 02:50 PM
I am puzzled about Shell and Enable and the corresponding configuration on the client.
1) If I check Shell under the user group on ACS, I configure:
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
2) If I also check Enable on ACS, I configure: aaa authentication enable default group tacacs local
Can I just use one of the two options, or use them together?
Thanks!
11-15-2006 04:17 AM
You can use them together:
1. aaa authentication enable default group tacacs local --> use tacacs+; if tacacs+ failed/unreachable, use local userID/pwd
You can use this only, but if you don't define authorization, make sure your user ID in TACACS+ has priv 15. PIX accepts either priv 15 or 2 only (priv 2 is the default if you create a user ID in PIX without specifying a priv level).
But it's better to use TACACS+ for more control/centralization.
2. aaa authorization exec default group tacacs+ local --> use tacacs+ to authorize what/which cmd to execute; use local if tacacs+ failed
aaa authorization commands 15 default group tacacs+ local --> use tacacs+ to authorize which cmds a user with priv level 15 can execute, and refer to local authorization if tacacs+ failed/unreachable.
You can combine this with #1.
HTH
AK
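The combined configuration the answer describes, written out as one IOS fragment. This is an added example, not config from the thread or from Cisco; the server address, source interface and secrets are placeholders. It is IOS syntax: for the enable method list IOS's fallback keyword is enable (the enable secret), not local, and PIX syntax differs from what is shown here.

```cisco
! Added example (not from the original thread): enable authentication plus
! exec/command authorization against TACACS+, with local fallback.
aaa new-model
!
! ACS server; 192.0.2.10 and the shared key are placeholder values
tacacs-server host 192.0.2.10 key CHANGE-ME-SHARED-SECRET
ip tacacs source-interface Loopback0
!
! Local fallback account and enable secret. These are consulted only when
! no TACACS+ server answers, not when ACS rejects the user. Give the local
! account privilege 15 so a fallback admin is not stuck at priv 1.
username fallback-admin privilege 15 secret CHANGE-ME-LOCAL-PASSWORD
enable secret CHANGE-ME-ENABLE-SECRET
!
! Login and enable authentication: TACACS+ first, then the local database
! (login) or the enable secret (enable).
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Exec authorization: ACS sets the shell privilege level (the Shell (exec)
! box in the ACS group); the local user's privilege applies if ACS is down.
aaa authorization exec default group tacacs+ local
!
! Command authorization: every level-15 command is checked against ACS,
! including configuration-mode commands; local privilege applies if ACS is down.
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
!
! Accounting so that command use is recorded centrally on ACS
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 transport input ssh
```

Two points worth checking when you deploy something like this: the "local" fallback in a method list is only used when the TACACS+ servers return no response (timeout or unreachable), so a user ACS actively rejects is still rejected; and with command authorization enabled, a TACACS+ user whose ACS group is not allowed Shell (exec) at privilege 15 will still land at a low privilege level, which is why the answer says to verify the priv 15 setting on the ACS side before relying on option #1 alone.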