08-10-2023 07:09 AM - edited 08-10-2023 07:32 AM
Hey!
So I have a router/switch that has TACACS+ configured on it, meaning users can access it with their LDAP accounts; in addition to this we have the local admin user, which also works.
However, when I try to create a user he is unable to log in to the switch/router.
I have found the root problem to be:
aaa authentication login default group tacgui local
aaa authorization config-commands default group tacgui local
aaa authorization commands default group tacgui local
aaa authorization exec default group tacgui local
Now I have found that when we want to have a local user we need to disable the TACACS+ AAA, but we need it, so.
Is there a way to keep TACACS+ and everything as is but also add one local read-only user (able to run only a few commands)?
Also, how can I create a user who has only these commands:
telnet
show running-config
show version
show line
08-13-2023 06:47 AM
Well I found a way to do it with TACACSGUI!
08-10-2023 07:27 AM
Hi @Rem Markov
You cannot have both, but what you can do is create users on the TACACS that can only execute a few commands.
08-10-2023 07:32 AM
But I need only one local user on one router. I have a lot of them, so making a user in TACACS+ means it's a user on all of them.
08-10-2023 07:44 AM
What you can do is invert the order.
aaa authentication login default local group tacgui
In this case, the device will look locally first and then on the TACACS.
But you are not going to have granular control over the commands the user can execute.
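The inverted method list above, written out as a complete IOS AAA fragment with a local read-only account. This is an added example, not config posted by anyone in the thread: it keeps the server group name "tacgui" from the original post, while the username "ro-audit", the privilege level 5 and the placeholder password are arbitrary choices. It uses the standard IOS privilege-level mechanism rather than TACACS+ command authorization, so the control it gives is coarse, as the reply says.

```cisco
! Added example (not from the thread). Assumes the TACACS+ server group "tacgui"
! already exists as in the original post; username, level and password are placeholders.
aaa new-model
!
! 1. Local database first, tacgui second, for login, exec and command authorization.
!    IOS only moves on to the next method when the username is NOT in the local
!    database; a local user with a wrong password is a hard failure, not a fallback.
!    TACACS+ users are unaffected as long as their names are not defined locally.
aaa authentication login default local group tacgui
aaa authorization exec default local group tacgui
aaa authorization commands 5 default local group tacgui
aaa authorization commands 15 default local group tacgui
!
! 2. A custom level between 1 and 15. Only "show running-config" needs to be
!    moved down from level 15; telnet, show version and show line are already
!    level-1 commands and so are inherited by level 5. Do NOT re-assign those
!    three to level 5, that would raise them and hide them from level-1 users.
privilege exec level 5 show running-config
!
! 3. The single local account for this one device. "secret" stores a hash;
!    never use "password", which is reversible. The user lands directly at
!    level 5 because exec authorization is resolved locally for this name.
username ro-audit privilege 5 secret REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE
!
! Existing level-15 local admin accounts keep working unchanged.
```

Two caveats a practitioner should check before relying on this. First, level 5 inherits every level-1 command, so the account is "mostly read-only" rather than limited to exactly four commands, and "show running-config" run below level 15 prints only the parts of the configuration that level is allowed to modify, not the full file; verify the output on the actual release before handing the account over. Second, because the local method now comes first, this account authenticates and is authorized on the box even while TACACS+ is healthy, so its sessions and commands are not subject to the server's policy or accounting; treat the credential as a device-scoped secret, keep it on one device only, and prefer the strongest secret hash type the release supports so that a leaked running-config is not an easy offline crack.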