Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
607
Views
0
Helpful
8
Replies

aaa authorization

mahmoodmkl
Level 7
Level 7

‎05-07-2007 12:50 AM - edited ‎03-05-2019 03:54 PM

Hi Guys

I have doubt regarding this commands.

aaa authorization exec default group tacacs+ if-authenticated

likewise for commands

what exactly does this commands have effect.because when i enter this commands and try to access the switch via telnet and try to execute sh run i get authorization failed message.any help appricaited.

Thanks

Mahmood

Labels:
0 Helpful
8 Replies 8

mrmozaffari
Level 1
Level 1

‎05-07-2007 01:36 AM

Hi Mahmood

When a user wants to login or shell to your router ,router asks for username and password ,since you ve configured tacacs in the configuration your router check the password with a tacacs server ,it seems you did not configure any radius or tacacs server in your router so your router cant find any aaa server.

Did you configure any server in your router or not ,if not you should do password recovery by changing the config register code to 0x2142 from Rommon and if you use a switch the password recovery steps will be differ from routers so let me know what kind of cisco switches do you use if want to recover your switch.

Please do rate helpful comments.

Best Regards B.Mozaffari

0 Helpful

guruprasadr
Level 7
Level 7

‎05-07-2007 01:44 AM

HI, [Pls Rate if Helps U]

[PLs check the Privilege Levels given to the User on the Switch] - Follows in Detail:

You can configure access levels on the routers so the junior administrators do not have complete access to the router. Cisco routers have 16 different privilege levels that you can configure. The 16 levels range from 0 to 15, where 15 is equal to full access. You can customize levels 2 to 15 to provide monitoring abilities to the secondary administrators. Here is a sample configuration for privilege levels on the router:

RA(config)#privilege exec level 3 ping

RA(config)#privilege exec level 3 traceroute

Command:

--------

aaa authorization exec default group tacacs+ if-authenticated

Explanation:

-------------

exec

Runs authorization to determine if the user is allowed to run an EXEC shell.

default

Uses the listed authorization methods that follow this argument as the default list of methods for authorization

tacacs+

Requests authorization information from the TACACS+ server.

if-authenticated

Allows the user to access the requested function if the user is authenticated.

PLS Rate If Helps ! !

Best Regards,

Guru Prasad R

0 Helpful

mahmoodmkl
Level 7
Level 7
In response to guruprasadr

‎05-07-2007 02:01 AM

Hi Thanks for the reply.

tacacs+ is configured and the aaa server is reachable.i am getting authenticatin from it.

but when i try to run a command i get command autorization failed.As per u r post do mean that if the user gets autenticacted then he should be able to use any commans is that so.

Thanks

Mahmood

0 Helpful

guruprasadr
Level 7
Level 7
In response to mahmoodmkl

‎05-07-2007 04:00 AM

HI, [Pls Rate if Helps U]

See below cmds:

---------------

RA(config)#privilege exec level 3 ping

RA(config)#privilege exec level 3 traceroute

Privilege level 3 is given & that too the user to whom this particular level given is authorised to execute Ping & traceroute cmds.

If you need full access privilege level = 15

Hope this helps U. Pls Rate

Best Regards,

Guru Prasad R

0 Helpful

guruprasadr
Level 7
Level 7
In response to guruprasadr

‎05-07-2007 04:08 AM

HI, [Pls rate if Helps]

http://www.netcraftsmen.net/welcher/papers/priv.htm

This Link will help you more on Privilege levels to the Administrators.

Pls Rate if Helps

Best Regards,

Guru Prasad R

0 Helpful

mohammedmahmoud
Level 11
Level 11

‎05-07-2007 04:20 AM

Hi Mahmood,

If-Authenticated means that the user is allowed to access the requested function provided the user has been authenticated successfully.

Your problem simply means that you have configured the router to use tacacs for authorization but no commands are allowed for this username, try editing your tacacs.

HTH, please rate if it does help,

Mohammed Mahmoud.

0 Helpful

mahmoodmkl
Level 7
Level 7
In response to mohammedmahmoud

‎05-07-2007 08:07 AM

Hi Mahmoud thanks for the reply.

Can u guide me where i can edit these settings in the tacacs server.

Thanks

Mahmood

0 Helpful

mohammedmahmoud
Level 11
Level 11
In response to mahmoodmkl

‎05-07-2007 10:30 AM

Hi Mahmood,

I am not that experienced in tacacs configuration as we have a unix guy here doing this stuff, but it should look something like this, under the user name profile:

cmd = show {

permit ip

permit interface

permit controller

permit atm

permit processes

permit caller

permit users

deny .*

}

HTH, please do rate helpful replies,

Mohammed Mahmoud.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card