New to TACACS+/Cisco Secure ACS

Unanswered Question
Mar 12th, 2007

I am new to using this product & I have a couple of questions. I have users configured & the groups configured (Admin & ReadOnly). I'm having difficulty with the syntax on my routers & switches when defining the rights/privileges for the admins & readonly users. Does anyone have a sample config that would help?


Vivek Santuka Mon, 03/12/2007 - 06:25


Looks like you are trying to configure command authorization, i.e. control which commands each user can execute on the device.

There are two ways to do it :-

1. Define the commands each privilege level has access to, locally on the device.

2. Control the commands a group of users can enter on which device via ACS.

Let us know which one you are trying to configure and I will give a sample config.



tsingletary Tue, 03/13/2007 - 11:47

Number 2 sounds more like it: control what access/commands a group can have.

Vivek Santuka Wed, 03/14/2007 - 06:03


For that you need exec authentication and command authorization on the device and shell command authorization set on ACS.

So on the device you would need the following minimum commands :-

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization command 1 default group tacacs+ local

aaa authorization command 15 default group tacacs+ local

tacacs-server host key

On the ACS side, the following link will help :-
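As an added example (not part of this thread), a small Python audit that checks a saved running-config for the minimum device-side commands listed above, and flags any TACACS+ line with no trailing local fallback (the reason the sample keeps `local`: without it, an unreachable server locks every administrator out). The sample config, its server address and key are constructed placeholders.

```python
import re

# Constructed sample running-config excerpt; the host and key are placeholders.
SAMPLE_CONFIG = """\
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization command 1 default group tacacs+ local
aaa authorization command 15 default group tacacs+ local
!
tacacs-server host 192.0.2.10 key EXAMPLE-KEY-PLACEHOLDER
!
"""

# Minimum settings from the thread; 'commands?' accepts the abbreviated keyword.
REQUIRED = {
    "aaa new-model": r"^aaa new-model$",
    "login authentication via tacacs+": r"^aaa authentication login default .*\bgroup tacacs\+",
    "command authorization level 1": r"^aaa authorization commands? 1 default .*\bgroup tacacs\+",
    "command authorization level 15": r"^aaa authorization commands? 15 default .*\bgroup tacacs\+",
    "tacacs server defined": r"^tacacs-server host \S+",
}


def audit_aaa(config: str) -> dict:
    """Return {check_name: present?} for each required AAA setting."""
    lines = [l.strip() for l in config.splitlines()]
    return {name: any(re.match(pat, l) for l in lines) for name, pat in REQUIRED.items()}


def missing(config: str) -> list:
    """Names of required settings that are absent from the config."""
    return [name for name, ok in audit_aaa(config).items() if not ok]


def fallback_warnings(config: str) -> list:
    """AAA lines that use tacacs+ but name no trailing 'local' method."""
    out = []
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("aaa ") and "group tacacs+" in line and not line.endswith(" local"):
            out.append(line)
    return out


if __name__ == "__main__":
    print("missing:", missing(SAMPLE_CONFIG))            # expected: []
    print("no fallback:", fallback_warnings(SAMPLE_CONFIG))  # expected: []
```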
