I assign a CLI user the default and maximum privilege level 15, so that he skips the enable password command. The login has been done via VTY.
But when he became a level 15 user, can I restrict the executable commands via authorization?
I'm using TACACS+
username USERNAME secret PASSWORD
enable secret ENABLE
!
aaa group server tacacs+ ACS
 server-private host 184.108.40.206 key tacacskey
 server-private host 220.127.116.11 key tacacskey
!
aaa authentication login CONSOLE group ACS local
aaa authentication login VTY group ACS local
aaa authentication enable default group ACS enable
aaa authorization exec VTY group ACS local-case
aaa authorization command 0 VTY group ACS local
aaa authorization command 1 VTY group ACS local
aaa authorization command 15 VTY group ACS local
!
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication VTY
 authorization command 0 VTY
 authorization command 1 VTY
 authorization command 15 VTY
A level 15 user has full privileges. You need to create an intermediate level (something between 1 and 15) and assign the user to that level if you want to only allow select group of commands via authorization.
Thanks for the answer, that's the same I had in my mind... Is there any other way to skip the enable prompt when I use TACACS+ and to restrict commands?
Well any commands beyond the few available in user mode require enable mode. Enable mode doesn't need to be level 15 enable mode however. If the user is assigned privilege level <15, they will only be able to enter commands assigned to their level.
I've added the following commands to the configuration
aaa authorization exec VTY group IAG-ACS local
!
line vty 0 15
 authorization exec VTY
Now I can create command sets and restrict the execution on switches and routers.
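The intermediate-level approach the answer describes, written out as an added example (this is not the original poster's configuration): exec authorization drops the operator straight into privilege level 7 with no enable prompt, command authorization is enforced at that level, and the local fallback user carries the same level so a TACACS+ outage does not silently promote anyone to 15. The group name OPS-ACS, the level 7, the addresses, the username and every key or password string are placeholders.

```cisco
! Added example, not the poster's running config. Placeholders throughout.
aaa new-model
aaa group server tacacs+ OPS-ACS
 server-private host 192.0.2.10 key TACACS-KEY-PLACEHOLDER
 server-private host 192.0.2.11 key TACACS-KEY-PLACEHOLDER
!
! Login: TACACS+ first, local database only if every server is unreachable.
aaa authentication login VTY group OPS-ACS local
! Exec authorization: the server returns priv-lvl=7 for this user, so the
! session starts at level 7 and never prompts for enable.
aaa authorization exec VTY group OPS-ACS local
! Command authorization at the intermediate level (7) and at 15 for admins.
aaa authorization commands 7 VTY group OPS-ACS local
aaa authorization commands 15 VTY group OPS-ACS local
! Accounting: every command attempt at these levels is recorded for review.
aaa accounting commands 7 VTY start-stop group OPS-ACS
aaa accounting commands 15 VTY start-stop group OPS-ACS
!
! Local fallback user at the SAME intermediate level, not at 15.
username netops privilege 7 secret LOCAL-PASSWORD-PLACEHOLDER
enable secret ENABLE-PASSWORD-PLACEHOLDER
!
! Local command set for level 7, used only when authorization falls back
! to "local": pull down just the commands the operator needs from 15.
privilege exec level 7 show running-config
privilege exec level 7 show logging
privilege exec level 7 clear counters
privilege exec level 7 ping
privilege exec level 7 traceroute
!
line vty 0 15
 transport input ssh
 login authentication VTY
 authorization exec VTY
 authorization commands 7 VTY
 authorization commands 15 VTY
 accounting commands 7 VTY
 accounting commands 15 VTY
```

While the TACACS+ servers are reachable, the command set defined on the server decides what level 7 may run; the local `privilege exec level 7` lines only take effect when authorization falls back to `local`, so keep both lists in step.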