Beginner

ACS 5.X restrict Level 15 Users

Hello,

I assign a CLI user the default and maximum privilege level 15, so that he skips the enable password command. The login is done via VTY.

But once he has become a level 15 user, can I restrict the executable commands via authorization?

I'm using TACACS+.

Configuration sample:

username USERNAME secret PASSWORD
!
enable secret ENABLE
!
aaa new-model
!
! server-private takes the address directly (no "host" keyword)
aaa group server tacacs+ ACS
 server-private 1.1.1.1 key tacacskey
 server-private 2.2.2.2 key tacacskey
 exit
!
aaa authentication login CONSOLE group ACS local
aaa authentication login VTY group ACS local
aaa authentication enable default group ACS enable
!
! local-case is a login authentication keyword; authorization falls back to local
aaa authorization exec VTY group ACS local
! the keyword is "commands" (plural) for command authorization
aaa authorization commands 0 VTY group ACS local
aaa authorization commands 1 VTY group ACS local
aaa authorization commands 15 VTY group ACS local
!
line con 0
 login authentication CONSOLE
 exit
!
line vty 0 4
 login authentication VTY
 authorization commands 0 VTY
 authorization commands 1 VTY
 authorization commands 15 VTY
 exit

4 REPLIES
Hall of Fame Guru

A level 15 user has full privileges. You need to create an intermediate level (something between 1 and 15) and assign the user to that level if you want to only allow select group of commands via authorization.


Thanks for the answer, that's the same thing I had in mind... Is there any other way to skip the enable prompt when I use TACACS+ and still restrict commands?


Well, any commands beyond the few available in user mode require enable mode. Enable mode doesn't need to be level 15 enable mode, however. If the user is assigned privilege level <15, they will only be able to enter commands assigned to their level.


Hello,

I've added the following commands to the configuration:

aaa authorization exec VTY group IAG-ACS local
!
line vty 0 15
 authorization exec VTY
 exit

Now I can create command sets and restrict the execution on switches and routers.
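The two decisions the thread turns on can be made concrete by emulating the server side. Exec authorization is the request the device sends only when a line has `authorization exec <list>` applied; its reply carries `priv-lvl=15`, which is what skips the enable prompt. Command authorization is a separate request per command that the server answers from its command sets, and the session's privilege level is not an input to that decision, which is why a level-15 user can still be restricted. The following is an added example and not code from Cisco, ACS or the poster. The attribute names (`service`, `cmd`, `cmd-arg`, `priv-lvl`) and the `=`/`*` separators follow the TACACS+ shell service as IOS uses it; the `CommandRule`/`CommandSet` format, the first-match-wins evaluation and the `OPERATOR` command set are an illustrative simplification of ACS 5.x command sets constructed for this example, not ACS's exact algorithm.

```python
"""Emulation of the two TACACS+ authorization decisions behind this thread.

Added example, not code from Cisco, ACS or the poster. The attribute names
(service, cmd, cmd-arg, priv-lvl, the "=" / "*" separators) follow the
TACACS+ shell service as IOS uses it; the CommandRule/CommandSet format and
first-match-wins evaluation are an illustrative simplification of ACS 5.x
command sets, not ACS's exact algorithm.
"""
import re
from dataclasses import dataclass


@dataclass
class CommandRule:
    grant: str             # "permit" or "deny"
    command: str           # literal first keyword, e.g. "show"
    arguments: str = ".*"  # regex matched against the rest of the line


@dataclass
class CommandSet:
    rules: list
    permit_unmatched: bool = False  # ACS: "Permit any command that is not in the table"


def parse_shell_request(avpairs):
    """Split the AV pairs of a shell-service authorization request.

    IOS sends mandatory attributes as "name=value" and optional ones as
    "name*value". A command authorization carries cmd=<keyword> plus one
    cmd-arg per following token, terminated by cmd-arg=<cr>; an exec
    (shell start) authorization carries an empty cmd ("cmd*") instead.
    """
    attrs, args = {}, []
    for pair in avpairs:
        m = re.fullmatch(r"([^=*]+)[=*](.*)", pair)
        if m is None:
            raise ValueError(f"malformed attribute pair: {pair!r}")
        name, value = m.groups()
        if name == "cmd-arg":
            args.append(value)
        else:
            attrs[name] = value
    argument = " ".join(a for a in args if a != "<cr>")
    return attrs.get("service", ""), attrs.get("cmd", ""), argument


def authorize_exec(priv_lvl):
    """Exec authorization: the reply attribute priv-lvl sets the session level.

    priv-lvl=15 is what lands the user in enable mode without the enable
    password. The device only sends this request for lines that have
    "authorization exec <list>" applied, which is what the thread's fix adds.
    """
    return "PASS_ADD", {"priv-lvl": str(priv_lvl)}


def authorize_command(command_set, cmd, argument):
    """Per-command authorization: first matching row wins, else the default.

    The session privilege level is not an input here, so a level-15 session
    is restricted exactly like any other once the line has
    "authorization commands 15 <list>".
    """
    for rule in command_set.rules:
        if rule.command == cmd and re.fullmatch(rule.arguments, argument):
            return "PASS_ADD" if rule.grant == "permit" else "FAIL"
    return "PASS_ADD" if command_set.permit_unmatched else "FAIL"


def handle_request(avpairs, command_set, priv_lvl=15):
    """Answer one authorization request with a TACACS+ status string."""
    service, cmd, argument = parse_shell_request(avpairs)
    if service != "shell":
        return "FAIL"
    if cmd == "":
        return authorize_exec(priv_lvl)[0]
    return authorize_command(command_set, cmd, argument)


# Constructed command set: a level-15 operator who may look but not configure.
# Rows are checked in order, so the specific deny precedes the broad permit.
OPERATOR = CommandSet(rules=[
    CommandRule("deny", "show", r"running-config.*"),
    CommandRule("permit", "show"),
    CommandRule("permit", "clear", r"counters.*"),
    CommandRule("deny", "configure"),
])

# Constructed requests in the order the device would send them in one session.
SESSION = [
    ["service=shell", "cmd*"],                                              # exec start
    ["service=shell", "cmd=show", "cmd-arg=ip", "cmd-arg=route", "cmd-arg=<cr>"],
    ["service=shell", "cmd=show", "cmd-arg=running-config", "cmd-arg=<cr>"],
    ["service=shell", "cmd=configure", "cmd-arg=terminal", "cmd-arg=<cr>"],
    ["service=shell", "cmd=reload", "cmd-arg=<cr>"],                        # not in the table
]

if __name__ == "__main__":
    for avpairs in SESSION:
        print(f"{' '.join(avpairs):70} -> {handle_request(avpairs, OPERATOR)}")
```

Run stand-alone, the session shows the exec start passing with `priv-lvl=15`, `show ip route` and `clear counters` passing, and `show running-config`, `configure terminal` and the unlisted `reload` failing, all for the same level-15 session. Two practitioner checks follow from it: the device must actually send the exec request (the original config in this thread never did, because the vty lines lacked `authorization exec VTY`), and a command set that leaves "permit unmatched" off fails closed, so the list of permitted commands must be complete before it is attached to a production device.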
