Read-Only User for IOS Switch

Rem Markov
Level 1

Hey!

So I have a router/switch that has TACACS+ configured on it, meaning users can access it from our LDAP. In addition to this we have the local admin user, which is also working.

However, when I try to create a user, he is unable to log in to the switch/router.
I have found the root problem to be:

aaa authentication login default group tacgui local

aaa authorization config-commands default group tacgui local

aaa authorization commands default group tacgui local

aaa authorization exec default group tacgui local 

 

Now I have found that when wanting to have a local user we need to disable the tacacs+ AAA, but we need it, so.

Is there a way to have tacacs+ and everything as is but also add one local readonly user? (Can be able to run only a few commands).

Also how can I create a user which has only these commands:


telnet
show running-config
show version
show line
1 Accepted Solution

Rem Markov
Level 1

Well I found a way to do it with TACACSGUI! 

4 Replies

Hi @Rem Markov 

You cannot have both, but what you can do is create users on the TACACS that can only execute a few commands.

Rem Markov
Level 1

But I need only one local user on one router. I have a lot, so making a user in TACACS+ means it's a user on all of them.

What is possible to do is invert the order.

 aaa authentication login default local group tacgui

In this case, the device will look locally first and then on the TACACS.

https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/200606-aaa-authentication-login-default-local.html

But, you are not going to have granularity control on the commands the user will execute.
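Added example, not written by any poster in this thread: a small Python audit of the AAA method lists quoted above, showing which lists still consult the `tacgui` server group before the local database once only the login list is inverted. The function names are hypothetical, and it assumes the standard IOS behaviour that a later method is reached only when an earlier one returns an error (for example an unreachable server), not when it rejects the request.

```python
import re

# Constructed input: the question's four lines, then the same with the login list inverted.
QUESTION = """\
aaa authentication login default group tacgui local
aaa authorization config-commands default group tacgui local
aaa authorization commands default group tacgui local
aaa authorization exec default group tacgui local
"""
INVERTED = QUESTION.replace(
    "login default group tacgui local", "login default local group tacgui")

# aaa <function> <type> [level] <list-name> <methods...>
AAA_LINE = re.compile(
    r"^aaa\s+(authentication|authorization)\s+(\S+)\s+(?:(\d+)\s+)?(\S+)\s+(.+)$")

def parse_methods(text):
    """Split a method string, keeping 'group <name>' together as one method."""
    tokens, methods, i = text.split(), [], 0
    while i < len(tokens):
        step = 2 if tokens[i] == "group" and i + 1 < len(tokens) else 1
        methods.append(" ".join(tokens[i:i + step]))
        i += step
    return methods

def local_position(methods):
    """Where 'local' sits: 'first', 'fallback' (after another method) or 'absent'."""
    idx = next((i for i, m in enumerate(methods) if m in ("local", "local-case")), None)
    if idx is None:
        return "absent"
    return "first" if idx == 0 else "fallback"

def audit(config):
    """Map each AAA list (function, type, list name) to where 'local' sits."""
    report = {}
    for line in config.splitlines():
        m = AAA_LINE.match(line.strip())
        if m:
            function, kind, level, name, methods = m.groups()
            kind = f"{kind} {level}" if level else kind
            report[(function, kind, name)] = local_position(parse_methods(methods))
    return report

def server_first_lists(config):
    """AAA lists that ask the server group before the local database."""
    return sorted(k for k, pos in audit(config).items() if pos == "fallback")

if __name__ == "__main__":
    print(server_first_lists(QUESTION), server_first_lists(INVERTED), sep="\n")
```

With the inverted login line, the three authorization lists are still reported as server-first, so a locally authenticated user's exec and command authorization requests still go to the TACACS+ server while it is reachable.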
