New to TACACS+/Cisco Secure ACS

Mar 12th, 2007

I am new to using this product & I have a couple of questions. I have users configured & the groups configured (Admin & ReadOnly). I'm having difficulty with the syntax on my routers & switches when defining the rights/privileges for the admin & read-only users. Does anyone have a sample config that would help?


Vivek Santuka Mon, 03/12/2007 - 06:25
Cisco Employee


Looks like you are trying to configure command authorization, i.e. control which commands each user can execute on the device.

There are two ways to do it :-

1. Define the commands which each privilege level has access to on the device locally

2. Control the commands a group of users can enter on which device via ACS.

Let us know which one you are trying to configure and I will give a sample config.



tsingletary Tue, 03/13/2007 - 11:47

Number 2 sounds more like it. Control what access/commands a group can do.

Vivek Santuka Wed, 03/14/2007 - 06:03
Cisco Employee


For that you need exec authentication and command authorization on the device and shell command authorization set on ACS.

So on the device you would need the following minimum commands :-

```ios
aaa new-model
! Authenticate logins against TACACS+; fall back to the local user database if ACS is unreachable
aaa authentication login default group tacacs+ local
! Send level-1 and level-15 commands to ACS for authorization (the keyword is "commands")
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! ACS server address and shared secret (placeholders; the values were omitted in the original post)
tacacs-server host <ACS-IP-ADDRESS> key <SHARED-SECRET>
```

On the ACS side, the following link will help :-
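As an added example (not the thread's own config), a fuller version of the device side of option 2: it adds exec authorization so ACS can assign the privilege level, config-mode command authorization, accounting for audit, and a local emergency account as fallback. The ACS address, shared key and local username/password are placeholders; the ACS-side notes at the end describe settings made in the ACS GUI, not CLI commands.

```ios
! Added example, not the poster's configuration. Replace every <...> placeholder.
aaa new-model
!
! Local emergency account, used only when ACS is unreachable
! (that is what the trailing "local" keyword in each method list does).
username admin-local privilege 15 secret <STRONG-PASSWORD>
!
! Authenticate logins against ACS first, local database as fallback
aaa authentication login default group tacacs+ local
! Let ACS set the exec privilege level (shell attributes) at login
aaa authorization exec default group tacacs+ local
! Authorize every level-1 and level-15 command against ACS
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! Also submit configuration-mode commands for authorization
aaa authorization config-commands
! Record each exec session and each command on ACS for audit
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host <ACS-IP-ADDRESS> key <SHARED-SECRET>
!
! Apply the method lists to the remote-access lines
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 1 default
 authorization commands 15 default
 transport input ssh
!
! ACS side (GUI): create a Shell Command Authorization Set per group.
!   Admin    - permit all commands.
!   ReadOnly - "Unmatched commands: Deny", then permit "show" explicitly
!              (plus the few housekeeping commands such as "exit").
! Assign each set to its group and enable "Shell (exec)" in the group setup.
```

The `local` method at the end of each list is what keeps the device manageable if ACS goes down; without it, a lost ACS means a locked-out router.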



