cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
632
Views
0
Helpful
1
Replies

TACACS default priv exec level

valentinop
Beginner
Beginner

Hello,

I'm testing the new ACS 4.0 for some feature like .1x.

For the authentication I use a linux box with tacacs+ and all works fine.

I try the tacacs coming from ACS but I don't understand why my account don't go to # lvl 15 priv but I need to insert the enable command.

On ACS my account is lvl 15 and this is my configuration on the test switch:

aaa authentication login default group tacacs+ line

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting exec default wait-start group tacacs+

aaa accounting system default wait-start group tacacs+

Could some one help me?

thanks you,

valentino

1 Reply 1

annnguy
Beginner
Beginner

You'll need to ensure that the tacacs server is actually passing back the privilege level for Shell Exec. Make sure that your privilege configuration is for the TACACS+ Settings > Shell (exec) settings, not the max enable privilege.

You can also verify whether or not ACS is actually sending the privilege for shell exec if you turn on "debug tacacs". It should look something like...

Jul 28 09:25:02.157: TPLUS: Sending AV service=shell

Jul 28 09:25:02.157: TPLUS: Sending AV cmd*

Jul 28 09:25:02.157: TPLUS: Authorization request created for 4(annie)

Jul 28 09:25:02.157: TPLUS: using previously set server 172.16.242.222 from group tacacs+

.....

Jul 28 09:25:02.173: TPLUS(00000004)/0/8370E638: Processing the reply packet

Jul 28 09:25:02.173: TPLUS: Processed AV priv-lvl=15

Jul 28 09:25:02.173: TPLUS: received authorization response for 4: PASS

Sincerely,

Annie

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers