So I have a router/switch that has TACACS+ configured on it, meaning users can access it from our LDAP; in addition to this we have the local admin user, which is also working.
However, when I try to create a user he is unable to log in to the switch/router.
I have found the root problem to be:
aaa authentication login default group tacgui local
aaa authorization config-commands default group tacgui local
aaa authorization commands default group tacgui local
aaa authorization exec default group tacgui local
Now I have found that, to have a local user, we need to disable the TACACS+ AAA, but we need it.
Is there a way to have TACACS+ and everything as is but also add one local read-only user (able to run only a few commands)?
Also, how can I create a user who has only these commands:
What is possible to do is invert the order.
aaa authentication login default local group tacgui
In this case, the device will look locally first and then on the TACACS.
But, you are not going to have granularity control on the commands the user will execute.
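As an added illustration (not configuration from either poster), the method lists quoted in the question are shown beside the inverted order from the answer, extended to the exec authorization list as well, together with a low-privilege local account. The server group name tacgui comes from the thread; the user name ro-user, privilege level 5 and the listed show commands are placeholders chosen for this example.

```cisco
! Added example, not from the thread. Assumes "aaa new-model" and the
! TACACS+ server group "tacgui" are already configured on the device.
!
! --- As posted: TACACS+ is the first method in every list ---------------
aaa authentication login default group tacgui local
aaa authorization exec default group tacgui local
! With this order, "local" is consulted only when no tacgui server answers.
! A user the servers actively reject is rejected outright, so an account
! that exists only in the local database cannot log in while TACACS+ is up.
!
! --- Inverted: local database first, TACACS+ as the fallback method -----
aaa authentication login default local group tacgui
aaa authorization exec default local group tacgui
! A name that is absent from the local database falls through to tacgui,
! so LDAP/TACACS+ users keep working unchanged. A name that is present
! locally is authenticated and authorized locally, so keep this list short:
! every local account is a credential that central revocation does not cover.
!
! Local read-only account at a low privilege level (level and name are
! placeholders). "secret" stores a hash; avoid the reversible "password" form.
username ro-user privilege 5 secret <PLACEHOLDER-REPLACE-ME>
!
! Commands moved to level 5 so this account can run them; everything that is
! already at level 1 stays available, nothing at level 15 is reachable.
privilege exec level 5 show interfaces
privilege exec level 5 show logging
!
! Verification after the change: confirm the method order and the account.
! show running-config | include ^aaa auth|^username
```

Exec authorization with the `local` method is what applies the privilege level stored on the `username` line, so the local account stays at level 5 rather than inheriting whatever the TACACS+ policy would have returned.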