09-11-2018 08:53 AM
Hello,
I would like to create a rule to allow a user access to a switch and do the following commands:
show run
show int status
conf ter
interface giX/X/XX
switchport access vlan XXX
wr
Just this.
I tried the following:
I created a group with privilege 10 and with command sets to allow these specific commands, but it doesn't work. After login I'm able to do 'sh int status' but not able to type 'sh run' and also not able to 'conf ter'.
Is there any idea how I should solve this issue?
Thank you
09-11-2018 09:19 AM
Ditch the privilege level idea. That is an archaic control that goes away once you start doing command authorization. Enable command authorization for level 15 commands and enable config-command authorization:
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
Then in your command set profile allow:
show
configure terminal
interface gi*
switchport access vlan*
end
You might need to play with that a bit, but use the TACACS live logs to see what commands are being sent for approval and modify as needed.
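As an added illustration (not code from this thread, and not ISE's actual matching engine), the Python below models how a permit list like the one above is evaluated against the command lines a switch sends for authorization. It assumes a simple model where the first word is the command and the rest is a shell-style glob over the arguments (an empty pattern permits any arguments); the sample requests are constructed. Running it shows what the live log would show: the listed commands are permitted, while "write memory" (the poster's "wr") and anything starting with "no" fall through to the default deny.

```python
import fnmatch

# Permit rows taken from the accepted answer.  Matching model (an assumption,
# not ISE's exact engine): first word is the command, the remainder is a
# glob pattern over the arguments, and an empty pattern permits any arguments.
PERMIT_ROWS = [
    "show",
    "configure terminal",
    "interface gi*",
    "switchport access vlan*",
    "end",
]

# Constructed sample of the command lines a switch sends to the TACACS+
# server; IOS sends the expanded form, not the abbreviation that was typed
# (the expansions are part of the assumption).
CONSTRUCTED_REQUESTS = [
    "show running-config",        # "show run"
    "show interfaces status",     # "show int status"
    "configure terminal",         # "conf ter"
    "interface gi1/0/12",
    "switchport access vlan 100",
    "end",
    "write memory",               # "wr"
    "no interface gi1/0/12",
]

def split_line(line):
    """Split a row or request into (command, arguments), lower-cased."""
    parts = line.strip().split(None, 1)
    return parts[0].lower(), (parts[1].lower() if len(parts) > 1 else "")

def row_matches(row, request):
    cmd, pattern = split_line(row)
    rcmd, rargs = split_line(request)
    if cmd != rcmd:
        return False
    return pattern == "" or fnmatch.fnmatchcase(rargs, pattern)

def authorize(request, rows=PERMIT_ROWS):
    """Return the row that permits the request, or None (deny by default)."""
    for row in rows:
        if row_matches(row, request):
            return row
    return None

def audit(requests=CONSTRUCTED_REQUESTS, rows=PERMIT_ROWS):
    """Verdict per request, the view you would check in the TACACS live log."""
    return {req: authorize(req, rows) for req in requests}
```

Call `audit()` to see the verdict for every constructed request; any `None` is a command the switch would reject and the permit list would need a row for.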
09-12-2018 02:06 AM
Hello,
It works!
Thanks a lot!
Best Regards
09-12-2018 01:53 PM
Thanks Paul.
-Krishnan