05-29-2012 03:54 AM - edited 03-10-2019 07:08 PM
Hi
I have an ASR 1002 running 12.2(33)XND2, which is using TACACS+.
I want it to go directly to the # prompt when I log in. I am not interested in typing enable at the > prompt.
The configs are:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default none
!aaa authorization console
!aaa authorization config-commands
!aaa authorization template
!aaa authorization exec default group tacacs+ local
!aaa authorization commands 15 default local none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
tacacs-server host XXXXX
tacacs-server host XXXXX
no tacacs-server directed-request
05-29-2012 06:58 AM
Assuming Cisco ACS v5.x:
Create a new Shell Profile:
Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles
Click the Create button at the bottom of the page.
On the General tab, give the profile a name, then go to the Common Tasks tab.
Under Privilege Level, set both the Default Privilege and the Maximum Privilege to 15.
Click the Submit button at the bottom of the page.
Create a new Command Set:
Policy Elements > Authorization and Permissions > Device Administration > Command Sets
Click the Create button at the bottom of the page.
Check the box next to "Permit any command that is not in the table below"
Click the Submit button at the bottom of the page.
Create a new Authorization policy:
Access Policies > Access Services > Default Device Admin > Authorization
Click the Create button at the bottom of the page.
Under Results:
Set the Shell Profile to the one you just created
Set the Command Sets to the one you just created
Click the OK button at the bottom of the window.
Click the Save Changes button at the bottom of the page.
I hope this helps,
--Chris
05-29-2012 07:02 AM
Hi Chris, I don't have access via web. Can you suggest the CLI commands?
As per my understanding, we already have aaa accounting commands 15 default start-stop group tacacs+.
05-29-2012 07:41 AM
aaa accounting only has to do with logging the commands, not whether the commands are authorized.
You generally also want your authentication and authorization to come from the same place, such as the ACS only.
Your config:
aaa new-model
aaa authentication login default group tacacs+ local <--Check TACACS+ to validate users and assign priv level when logging in
aaa authentication enable default none
!aaa authorization console
!aaa authorization config-commands
!aaa authorization template
!aaa authorization exec default group tacacs+ local
!aaa authorization commands 15 default local none <--Check local device for command authorization
aaa accounting exec default start-stop group tacacs+ <----------------\
aaa accounting commands 15 default start-stop group tacacs+ <----\ Accounting commands log everything to ACS
aaa accounting connection default start-stop group tacacs+ <---------/
aaa accounting system default start-stop group tacacs+ <-------------/
aaa session-id common
When a user logs into your device, TACACS+ validates that the user has an account, AND assigns the initial privilege level. You would need to configure a privilege level of 15 on the ACS to be able to skip directly to the privileged exec mode (# prompt).
Once that is done, you would also want to change your command authorizations to come from the ACS instead of the local device:
aaa authorization commands 0 default group tacacs+ local none
aaa authorization commands 1 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local if-authenticated
I hope this helps.
--Chris
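Putting the two answers above together into one device-side configuration, as an added example that is not part of either post: this is the AAA block I would end up with on the ASR once the ACS shell profile returns privilege level 15. Two points it makes explicit that the thread only implies: the line the original poster has commented out, aaa authorization exec, is the one that actually applies the priv-lvl attribute the ACS sends, so without it the user still lands at the > prompt whatever the shell profile says; and aaa authentication enable default none (from the original config) lets anyone who reaches the > prompt type enable and get # with no password, so it is replaced here with TACACS+ plus the local enable secret. The server addresses, shared secret and local fallback username are placeholders I chose, not values from the thread.

```cisco
! Added example, not from the original posts. Device-side AAA for
! TACACS+-assigned privilege 15 at login plus command authorization.
aaa new-model
!
! Login authentication: ACS first, local user database only if no
! TACACS+ server answers (a reject from the ACS is final, not a fallthrough).
aaa authentication login default group tacacs+ local
!
! Replaces "aaa authentication enable default none" from the original post.
! With "none" anyone at the > prompt can type enable and reach # unchallenged.
! "group tacacs+" needs an enable password defined for the user on the ACS;
! "enable" falls back to the local enable secret if the servers are unreachable.
aaa authentication enable default group tacacs+ enable
!
! Exec authorization is what applies the priv-lvl=15 returned by the shell
! profile. Without it the TACACS+ reply is never requested and the user
! gets the line's default privilege level (the > prompt) regardless of ACS.
aaa authorization exec default group tacacs+ local
!
! Apply exec and command authorization to the console line as well.
! Enable this only after confirming the local fallback account works;
! a mistake here can lock you out of the console.
aaa authorization console
!
! Command authorization against the ACS command set, as in Chris's answer.
! config-commands is on by default when command authorization is enabled;
! listed here so the intent is visible in the running config.
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local none
aaa authorization commands 1 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local if-authenticated
!
! Accounting, unchanged from the original post: this only records what
! was done, it never decides whether a command is allowed.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
!
! Placeholder servers and key (RFC 5737 documentation addresses).
tacacs-server host 192.0.2.10 key <shared-secret>
tacacs-server host 192.0.2.11 key <shared-secret>
no tacacs-server directed-request
!
! Placeholder local account so the "local" fallback above has a
! privilege 15 user to land on when both TACACS+ servers are down.
username admin privilege 15 secret <strong-password>
enable secret <strong-enable-secret>
```

After applying this, log in over a fresh vty session (keep the existing one open in case of lockout) and run show privilege; it should report level 15 without an enable step. If it still shows level 1, debug aaa authorization on the device will show whether the exec authorization request is being sent and what priv-lvl, if any, the ACS returned.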