cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
452
Views
0
Helpful
1
Replies

shell & enable on ACS 4.0

cassinhee
Level 1
Level 1

I am puaaed about shell and enable and the acordingly configuration on the client.

1)If I check shell under user group on ACS, I configured

aaa authorization exec default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

2) If I also check enable on ACS and configure aaa authentication enable default group tacacs local

can I just use one of the two options or use them together?

Thanks!

1 Accepted Solution

Accepted Solutions

a.kiprawih
Level 7
Level 7

You can use them together:

1. aaa authentication enable default group tacacs local --> use tacacs+, if tacacs+ failed/unreachable, use local userID/pwd

You can use this only, but if you don't define authorization, make sure your user ID in TACACS+ has priv 15. PIX accept either priv 15 or 2 only (priv 2 is default if you create user ID in PIX without specifying priv level).

But it's better to use TACACS+ for more control/centralized.

2. aaa authorization exec default group tacacs+ local --> use tacacs+ to authorize what/cmd to execute, use local if tacacs+ failed

aaa authorization commands 15 default group tacacs+ local --> use tacacs+ to authorize cmd for user with priv level 15 can execute, and refer to local authorization if tacacs+ failed/unreachable.

You can combine this with#1.

HTH

AK

View solution in original post

1 Reply 1

a.kiprawih
Level 7
Level 7

You can use them together:

1. aaa authentication enable default group tacacs local --> use tacacs+, if tacacs+ failed/unreachable, use local userID/pwd

You can use this only, but if you don't define authorization, make sure your user ID in TACACS+ has priv 15. PIX accept either priv 15 or 2 only (priv 2 is default if you create user ID in PIX without specifying priv level).

But it's better to use TACACS+ for more control/centralized.

2. aaa authorization exec default group tacacs+ local --> use tacacs+ to authorize what/cmd to execute, use local if tacacs+ failed

aaa authorization commands 15 default group tacacs+ local --> use tacacs+ to authorize cmd for user with priv level 15 can execute, and refer to local authorization if tacacs+ failed/unreachable.

You can combine this with#1.

HTH

AK