04-24-2001 07:05 PM - edited 03-08-2019 08:10 PM
How do you configure the authorization levels in Cisco Secure for TACACS+ so that certain users can access certain commands on a device?
04-26-2001 10:50 AM
As shown below, I moved the commands "clear" and "clear line"
to privilege level 2. Usually you must be in enable mode (priv 15) to be able
to execute the command "clear line".
Thereafter you assign shell:priv-lvl=2 to your user or group profile in
Cisco Secure. Make sure that "shell privileges" are enabled for this user
and that your NAS checks authorization via TACACS+, too.
aaa new-model
aaa authen login login_check gr tac
aaa author exec exec_check gr tac
privilege exec level 2 clear line
privilege exec level 2 clear
tacacs-server host 1.2.3.4
tac key goodluck
line vty 0 4
login authen login_check
author exec exec_check
10-05-2001 10:36 AM
Is that the only way to do this, provide various privilege levels on each device? In the Group Manager it has an area where you can permit/deny commands and arguments, but I've yet to figure out how to get the NAS to authorize on this feature.
10-20-2001 01:19 PM
example permit command "show running-config"
configure at the router
aaa author commands 0 telnet_check gr tacacs+
aaa author commands 1 telnet_check gr tacacs+
aaa author commands 15 telnet_check gr tacacs+
aaa author exec telnet_check gr tacacs+
aaa authen login telnet_check gr tacacs+
.. to define the order of author methods
line vty 0 4
login authen telnet_check
author exec telnet_check
author comm 0 telnet_check
author comm 1 telnet_check
author comm 15 telnet_check
... to define the interface
configure the user at ciscosecure
enable "shell"
enable "priv"
configure level 15 for priv
... user has priv 15 permissions after logging on (privileged mode)
ios commands:
general:
radio button: deny all other commands (like debug config, etc)
subfolder:
cmd= show
cmd-arg=permit running-config
radio button: deny all other commands (for show)
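Added example, not part of the original thread and not Cisco Secure's own code: a simplified Python model of how a per-command authorization request (the cmd and cmd-arg attribute-value pairs sent by the NAS) could be evaluated against the command set described in the last post. The COMMAND_SET layout, the function names and the first-match, whole-token matching rule are assumptions made for illustration.

```python
# Simplified model of TACACS+ per-command authorization (added illustration).
# The matching semantics are an assumption, not Cisco Secure's exact algorithm.

# Command set mirroring the post: shell enabled, only "show running-config" allowed.
COMMAND_SET = {
    "shell": True,                       # enable "shell" for the user
    "unmatched_commands": "deny",        # "deny all other commands"
    "commands": {
        "show": {
            "args": [("permit", "running-config")],
            "unlisted_args": "deny",     # "deny all other commands (for show)"
        },
    },
}

def parse_request(av_pairs):
    """Split the AV pairs of an authorization request into (cmd, argument string)."""
    cmd, args = "", []
    for pair in av_pairs:
        name, _, value = pair.partition("=")
        if name == "cmd":
            cmd = value
        elif name == "cmd-arg" and value != "<cr>":   # <cr> marks end of line
            args.append(value)
    return cmd, " ".join(args)

def authorize(av_pairs, command_set=COMMAND_SET):
    """Return 'permit' or 'deny' for one request from the NAS."""
    cmd, arg_string = parse_request(av_pairs)
    if cmd == "":
        # Empty cmd is the exec (shell start) request, covered by "aaa author exec"
        return "permit" if command_set["shell"] else "deny"
    entry = command_set["commands"].get(cmd)
    if entry is None:
        return command_set["unmatched_commands"]
    for action, pattern in entry["args"]:
        # First matching rule wins; only whole leading tokens count as a match
        if arg_string == pattern or arg_string.startswith(pattern + " "):
            return action
    return entry["unlisted_args"]

# Constructed sample requests (not captured traffic)
SAMPLES = [
    ["service=shell", "cmd="],
    ["service=shell", "cmd=show", "cmd-arg=running-config", "cmd-arg=<cr>"],
    ["service=shell", "cmd=show", "cmd-arg=version", "cmd-arg=<cr>"],
    ["service=shell", "cmd=debug", "cmd-arg=all", "cmd-arg=<cr>"],
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_request(sample), "->", authorize(sample))
```

The model makes one point visible: a user placed at priv 15 can still be limited to a single command, because every command at levels 0, 1 and 15 is sent to the server for a permit or deny decision.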