03-12-2007 06:19 AM - edited 03-10-2019 03:02 PM
I am new to using this product and I have a couple of questions. I have users configured and the groups configured (Admin & ReadOnly). I'm having difficulty with the syntax on my routers and switches when defining the rights/privileges for the admins and read-only users. Does anyone have a sample config that would help?
Thanks,
03-12-2007 06:25 AM
Hi,
Looks like you are trying to configure command authorization, i.e. control which commands each user can execute on the device.
There are two ways to do it:
1. Define the commands which each privilege level has access to on the device locally.
2. Control the commands a group of users can enter on which device via ACS.
Let us know which one you are trying to configure and I will give a sample config.
Regards,
Vivek
03-13-2007 11:47 AM
Number 2 sounds more like it. Control what access/commands a group can do.
03-14-2007 06:03 AM
Hi,
For that you need exec authentication and command authorization on the device and shell command authorization set on ACS.
So on the device you would need the following minimum commands:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
tacacs-server host
On the ACS side, the following link will help:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/c.htm#wp697557
Regards,
Vivek
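A defender-side check for the device configuration in the reply above, added here as an example and not part of the original posts: it audits a saved running-config for the AAA lines the reply lists and reports what is missing. The names `audit_aaa`, `SAMPLE_CONFIG` and `REQUIRED_LEVELS` and the address 192.0.2.10 are assumptions made for illustration.

```python
import re

# Constructed sample running-config excerpt (not from the thread);
# 192.0.2.10 is a documentation-range placeholder for the ACS server.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+
tacacs-server host 192.0.2.10
"""

REQUIRED_LEVELS = (1, 15)  # the two privilege levels named in the reply


def audit_aaa(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model is missing")
    login = [ln for ln in lines if ln.startswith("aaa authentication login default ")]
    if not login:
        findings.append("no default login authentication list")
    elif "group tacacs+" not in login[0]:
        findings.append("login authentication does not use tacacs+")

    # Map privilege level -> method list for each command authorization line.
    authz = {}
    for ln in lines:
        m = re.match(r"aaa authorization commands? (\d+) default (.+)$", ln)
        if m:
            authz[int(m.group(1))] = m.group(2).split()
    for level in REQUIRED_LEVELS:
        methods = authz.get(level)
        if methods is None:
            findings.append(f"level {level}: no command authorization")
        elif "tacacs+" not in methods:
            findings.append(f"level {level}: commands not sent to tacacs+")
        elif "local" not in methods:
            findings.append(f"level {level}: no local fallback after tacacs+")
    if not any(re.match(r"tacacs-server host \S+", ln) for ln in lines):
        findings.append("tacacs-server host has no address")
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print("FINDING:", finding)
```
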
03-15-2007 09:41 AM
That works!
Thanks for your help!