TACACS problem with CatOS switches

trackme
Level 1

Hello,

I have an issue where the same command that is denied on IOS switches is allowed on CatOS switches. No idea why it happens, since my TACACS server (the free TACACS server from Cisco) denies the sh conf or sh run command for a particular user.

When a user logs into an IOS switch and issues a sh run, it says command authorization failed, since I denied that user from issuing the sh conf or sh run command.

But the same command, sh conf or sh run, works on the CatOS switch. Both my CatOS and IOS switches point to the same TACACS server, and I have no clue how it works with CatOS, since I denied that command.

Also strange, since the same command gets denied on IOS (the way I want) but works on CatOS.

Everything else with my TACACS works fine for both IOS and CatOS, except for this strange thing.

I really don't want the user to run a sh conf command on the CatOS switch. What should I do to fix this, and why does it work like this?

I tried rearranging the commands, like CatOS commands first and then IOS, but no luck :(

Has anyone had the same issue before?

4 Replies

trackme
Level 1

Any updates for me? :(

Richard Burts
Hall of Fame

It sounds to me like you have configured your IOS boxes with authentication and with authorization, and that perhaps you have configured your CatOS boxes with authentication but not authorization. If you would post the configuration of one of them, we would be able to see more clearly what is going on and perhaps could then give you better advice.

HTH

Rick

Hello,

I have enabled authorization in the CatOS switches as well. It works very well with authorization, since a person can't do anything other than changing the port. If he tries to change the TACACS parameters, it will show command authorization failed.

So that means (at least as far as I know) the authorization command works, since the user can't change anything except what I allowed in my TACACS, and both the IOS and CatOS switches point to the same TACACS server. I have another group which has full access on the CatOS switches, and that works the way I want. The only issue is with this user group, which is allowed to run a sh conf or sh run command on the CatOS switches.
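The thread above establishes that both platforms do send command-authorization requests, so the next thing a practitioner would check is what command string each platform actually sends and whether the server's deny regex covers every spelling. The following is an added example, not code from the thread and not the tac_plus server itself: a small Python model of how a tac_plus-style `cmd = show { deny ... permit ... }` stanza is evaluated (first matching regex on the argument string wins; a command with no stanza falls back to `default service`). The config text is constructed for illustration, and the matching rules modelled here (arguments joined with single spaces, regex anchored at the start of the argument string, a stanza with no matching rule denying) are assumptions about the server's behaviour that should be verified against its documentation. IOS expands abbreviations such as `sh run` to `show running-config` before sending the request; that CatOS might send `show config` verbatim is an assumption made here to show how a platform-specific spelling slips past a rule written only for `running-config`.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in tac_plus-like syntax (illustrative, not the poster's config).
# This policy denies both spellings of the config dump.
SAMPLE_CONFIG = """
group = netops {
    default service = permit
    cmd = show {
        deny running-config.*
        deny config.*
        permit .*
    }
    cmd = set {
        permit port .*
        deny .*
    }
}
"""

# Constructed "narrow" variant that only knows the IOS spelling.
NARROW_CONFIG = """
group = netops {
    default service = permit
    cmd = show {
        deny running-config.*
        permit .*
    }
}
"""


@dataclass
class CmdPolicy:
    default_permit: bool
    # command name -> ordered list of (action, compiled regex)
    cmd_rules: dict = field(default_factory=dict)


def parse_policy(text: str) -> CmdPolicy:
    """Minimal parser for 'default service = ...' and 'cmd = NAME { ... }' stanzas."""
    m = re.search(r"default service\s*=\s*(permit|deny)", text)
    default_permit = (m.group(1) == "permit") if m else False
    rules = {}
    for name, body in re.findall(r"cmd\s*=\s*(\S+)\s*\{(.*?)\}", text, re.S):
        rules[name] = []
        for line in body.strip().splitlines():
            action, _, pattern = line.strip().partition(" ")
            if action not in ("permit", "deny"):
                continue
            rules[name].append((action, re.compile(pattern.strip())))
    return CmdPolicy(default_permit, rules)


def authorize(policy: CmdPolicy, cmd: str, args: list) -> bool:
    """First matching regex wins. Modelling assumptions (not verified against
    tac_plus source): args are space-joined, regexes are matched from the start
    of that string, an existing stanza with no match denies, and a command with
    no stanza falls back to 'default service'."""
    rules = policy.cmd_rules.get(cmd)
    if rules is None:
        return policy.default_permit
    arg_str = " ".join(args)
    for action, rx in rules:
        if rx.match(arg_str):
            return action == "permit"
    return False


def authorize_line(policy: CmdPolicy, line: str) -> bool:
    """Split a command line as a device would send it: first word is the cmd."""
    words = line.split()
    return authorize(policy, words[0], words[1:])


def demo() -> dict:
    """Compare the full and narrow policies on constructed command lines.
    Returns {line: (full_policy_result, narrow_policy_result)}."""
    full = parse_policy(SAMPLE_CONFIG)
    narrow = parse_policy(NARROW_CONFIG)
    samples = [
        "show running-config",        # what IOS sends for "sh run"
        "show config",                # assumed CatOS spelling of "sh conf"
        "show port",
        "set port 3/1 enable",
        "set tacacs server 10.0.0.1",  # constructed address
    ]
    return {s: (authorize_line(full, s), authorize_line(narrow, s)) for s in samples}


if __name__ == "__main__":
    for line, (full_ok, narrow_ok) in demo().items():
        print(f"{line:30s} full={'permit' if full_ok else 'deny':6s} "
              f"narrow={'permit' if narrow_ok else 'deny'}")
```

The practical check this models: capture the exact command string each platform sends (the server's debug or accounting log is the place to look), then write a deny rule for every spelling the server can receive rather than only the one IOS produces. A `permit .*` catch-all after a single narrow deny is exactly the shape that lets a second spelling through.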

Hi trackme,

Would love to see your config for both IOS and CatOS, as I am trying to do the same but have not succeeded.

One thing I am doing, though, is I have multiple NDGs. I have two user groups. Grp A has access to all. Grp B should have "all" access to only some NDGs but restricted access to other NDGs. I have also enabled direct access to priv mode, so that everyone has to log in only once to get to enable.

So my question is: how can I get Grp B to have a "one stop" login to priv. mode for some NDGs and not for others?

Sorry for being no help to you ...