06-05-2018 12:05 PM - edited 02-21-2020 10:57 AM
Hi Everyone,
We have a subset of our infrastructure that uses shell profiles and command sets with ACS 5.x to authorize CLI users for different roles. The way it works is that the user logs in with their AD credentials, and then when they type 'enable' they enter their AD password again to gain access to the privileged exec.
I'm attempting to assist another coworker to set this up for a different set of infrastructure, but I cannot for the life of me find the setting in ACS that forces it to work this way. Our IOS configuration is as follows:
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
aaa accounting commands 15 default start-stop group tacacs+
Can anyone assist? Is it just the "aaa authorization commands <number> default group..." commands that configure it to work this way, or is there a setting in ACS itself?
Thanks in advance,
06-05-2018 06:02 PM