Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1430
Views
0
Helpful
4
Replies

Read-Only User for IOS Switch

Go to solution
Rem Markov
Level 1
Level 1

‎08-10-2023 07:09 AM - edited ‎08-10-2023 07:32 AM

Hey !

So I have a router/switch that have TACACS+ configured on it, meaning users can access it from our LDAP, in addition to this we have the local admin user which is also working.

 

How ever when I try to create a user he is unable to log in to the switch/router.
I have found the root problem to be:

aaa authentication login default group tacgui local

aaa authorization config-commands default group tacgui local

aaa authorization commands default group tacgui local

aaa authorization exec default group tacgui local 

 

Now I have found that when wanting to have a local user we need to disable the tacacs+ AAA, but we need it, so.

Is there a way to have tacacs+ and everything as is but also add one local readonly user? (Can be able to run only a few commands).

Also how can I create a user which has only these commands:


telnet
show running-config
show version
show line
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rem Markov
Level 1
Level 1

‎08-13-2023 06:47 AM

Well I found a way to do it with TACACSGUI! 

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Flavio Miranda
VIP
VIP

‎08-10-2023 07:27 AM

Hi @Rem Markov 

  You can not have both but what you can do is create users on the TACACS that can only execute a few commands.

 

0 Helpful

Go to solution
Rem Markov
Level 1
Level 1

‎08-10-2023 07:32 AM

But I need only one local user on one router. I have a lot so making a user in TACACS+ means it a user on all of them.

0 Helpful

Go to solution
Flavio Miranda
VIP
VIP
In response to Rem Markov

‎08-10-2023 07:44 AM

 what is possible to do, is invert the order.

 aaa authentication login default local group tacgui

On this case, the device will look locally first and then on the TACACS.

https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/200606-aaa-authentication-login-default-local.html

But, you are not going to have granularity control on the commands the user will execute.

 

0 Helpful

Go to solution
Rem Markov
Level 1
Level 1

‎08-13-2023 06:47 AM

Well I found a way to do it with TACACSGUI! 

0 Helpful
Top