03-12-2007 06:19 AM - edited 03-10-2019 03:02 PM
I am new to using this product & I have a couple of questions. I have users configured & the groups configured (Admin & ReadOnly). I'm having difficulty with the syntax on my routers & switches when defining the rights/privileges for the admins & readonly users. Does anyone have a sample config that would help?
Thanks,
03-12-2007 06:25 AM
Hi,
Looks like you are trying to configure command authorization, i.e. control which commands each user can execute on the device.
There are two ways to do it :-
1. Define the commands which each privilege level has access to on the device locally
2. Control the commands a group of users can enter on which device via ACS.
Let us know which one you are trying to configure and I will give a sample config.
Regards,
Vivek
03-13-2007 11:47 AM
Number #2 sounds more like it. Control what access/commands a group can do.
03-14-2007 06:03 AM
Hi,
For that you need exec authentication and command authorization on the device and shell command authorization set on ACS.
So on the device you would need the following minimum commands :-
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
tacacs-server host
On the ACS side, the following link will help :-
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/c.htm#wp697557
Regards,
Vivek
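An added example, not part of the original thread or of Cisco's documentation: a small Python check that a device's running configuration contains the minimum AAA command set listed in the answer above, with TACACS+ tried first and "local" as the fallback. The function names and the sample configuration are constructed for illustration, and the input is assumed to be "show running-config" output, where IOS writes keywords in full.

```python
import re

# Constructed "show running-config" excerpt (not from the thread): level 15
# has no local fallback and the server line has no address.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+
tacacs-server host
"""

def parse_methods(text):
    """Split an AAA method list into ordered methods: ['group tacacs+', 'local']."""
    tokens, methods = text.split(), []
    while tokens:
        tok = tokens.pop(0)
        methods.append(f"group {tokens.pop(0)}" if tok == "group" and tokens else tok)
    return methods

def check_methods(label, methods, findings):
    """Expect TACACS+ first and 'local' after it, as in the thread's config."""
    if methods is None:
        findings.append(f"{label}: not configured")
    elif methods[0] != "group tacacs+":
        findings.append(f"{label}: tacacs+ is not the first method")
    elif "local" not in methods[1:]:
        findings.append(f"{label}: no local fallback")

def audit_aaa(config, levels=(1, 15)):
    """Return findings for the minimum command set; an empty list means complete."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = [] if "aaa new-model" in lines else ["aaa new-model: missing"]
    login, authz, servers = None, {}, []
    for line in lines:
        if m := re.fullmatch(r"aaa authentication login default (.+)", line):
            login = parse_methods(m.group(1))
        elif m := re.fullmatch(r"aaa authorization commands (\d+) default (.+)", line):
            authz[int(m.group(1))] = parse_methods(m.group(2))
        elif m := re.fullmatch(r"tacacs-server host(?:\s+(\S+).*)?", line):
            servers.append(m.group(1))
    check_methods("login authentication", login, findings)
    for level in levels:
        check_methods(f"command authorization level {level}", authz.get(level), findings)
    if not any(servers):
        findings.append("tacacs-server host: no server address")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_aaa(SAMPLE_CONFIG)))
```

Without a "local" method after tacacs+ on a command authorization list, an unreachable ACS server leaves no method to authorize commands at that level, which is why the check reports it separately from a missing line.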
03-15-2007 09:41 AM
That works!
Thanks for your help!