05-07-2007 12:50 AM - edited 03-05-2019 03:54 PM
Hi Guys
I have a doubt regarding these commands:
aaa authorization exec default group tacacs+ if-authenticated
and likewise for commands.
What exactly do these commands do? Because when I enter these commands and try to access the switch via telnet and execute sh run, I get an authorization failed message. Any help appreciated.
Thanks
Mahmood
05-07-2007 01:36 AM
Hi Mahmood
When a user wants to log in or get a shell on your router, the router asks for a username and password. Since you have configured TACACS in the configuration, your router checks the password with a TACACS server. It seems you did not configure any RADIUS or TACACS server on your router, so your router can't find any AAA server.
Did you configure any server on your router or not? If not, you should do password recovery by changing the config register to 0x2142 from ROMMON. If you use a switch, the password recovery steps differ from routers, so let me know what kind of Cisco switches you use if you want to recover your switch.
Please do rate helpful comments.
Best Regards B.Mozaffari
05-07-2007 01:44 AM
Hi, [Pls rate if helps u]
[Pls check the privilege levels given to the user on the switch] - Follows in detail:
You can configure access levels on the routers so the junior administrators do not have complete access to the router. Cisco routers have 16 different privilege levels that you can configure. The 16 levels range from 0 to 15, where 15 is equal to full access. You can customize levels 2 to 15 to provide monitoring abilities to the secondary administrators. Here is a sample configuration for privilege levels on the router:
RA(config)#privilege exec level 3 ping
RA(config)#privilege exec level 3 traceroute
Command:
--------
aaa authorization exec default group tacacs+ if-authenticated
Explanation:
-------------
exec
Runs authorization to determine if the user is allowed to run an EXEC shell.
default
Uses the listed authorization methods that follow this argument as the default list of methods for authorization.
tacacs+
Requests authorization information from the TACACS+ server.
if-authenticated
Allows the user to access the requested function if the user is authenticated.
PLS Rate If Helps ! !
Best Regards,
Guru Prasad R
05-07-2007 02:01 AM
Hi, thanks for the reply.
TACACS+ is configured and the AAA server is reachable; I am getting authentication from it.
But when I try to run a command I get "command authorization failed". As per your post, do you mean that if the user gets authenticated then he should be able to use any command, is that so?
Thanks
Mahmood
05-07-2007 04:00 AM
Hi, [Pls rate if helps u]
See below cmds:
---------------
RA(config)#privilege exec level 3 ping
RA(config)#privilege exec level 3 traceroute
Privilege level 3 is given, and the user to whom this particular level is given is authorised to execute the ping & traceroute cmds.
If you need full access, privilege level = 15.
Hope this helps u. Pls rate
Best Regards,
Guru Prasad R
05-07-2007 04:08 AM
Hi, [Pls rate if helps]
http://www.netcraftsmen.net/welcher/papers/priv.htm
This link will help you more on privilege levels for the administrators.
Pls rate if helps
Best Regards,
Guru Prasad R
05-07-2007 04:20 AM
Hi Mahmood,
If-authenticated means that the user is allowed to access the requested function provided the user has been authenticated successfully.
Your problem simply means that you have configured the router to use TACACS for authorization but no commands are allowed for this username; try editing your TACACS.
HTH, please rate if it does help,
Mohammed Mahmoud.
05-07-2007 08:07 AM
Hi Mahmoud, thanks for the reply.
Can you guide me where I can edit these settings on the TACACS server?
Thanks
Mahmood
05-07-2007 10:30 AM
Hi Mahmood,
I am not that experienced in TACACS configuration as we have a Unix guy here doing this stuff, but it should look something like this, under the username profile:
cmd = show {
    permit ip
    permit interface
    permit controller
    permit atm
    permit processes
    permit caller
    permit users
    deny .*
}
HTH, please do rate helpful replies,
Mohammed Mahmoud.
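To make the behaviour discussed in this thread concrete, here is an added Python model (not from the original posts or from any Cisco/tac_plus code) of how a tac_plus-style `cmd = show { ... }` block is evaluated against a command, and how the IOS method list `group tacacs+ if-authenticated` walks its methods. The profile and commands below are constructed for illustration; the model assumes IOS sends the fully expanded command to the server and only moves to the next method when the server is unreachable (an ERROR), not when the server returns a deny.

```python
import re

# Constructed user profile mirroring the "cmd = show { ... }" block above:
# each (action, regex) is tried in order against the command arguments and
# the first match wins. A command word with no block is implicitly denied.
PROFILE = {
    "show": [
        ("permit", r"ip"),
        ("permit", r"interface"),
        ("permit", r"processes"),
        ("permit", r"users"),
        ("deny", r".*"),
    ],
}

# The method list from the question: aaa authorization ... group tacacs+ if-authenticated
METHODS = ["group tacacs+", "if-authenticated"]


def tacacs_authorize(profile, command):
    """Return 'PASS' or 'FAIL' for one expanded command (e.g. 'show running-config').

    IOS expands abbreviations such as 'sh run' before asking the server, so the
    regexes are matched against the full argument string."""
    word, _, args = command.strip().partition(" ")
    rules = profile.get(word)
    if rules is None:
        return "FAIL"  # no cmd block for this word: default deny
    for action, pattern in rules:
        if re.search(pattern, args):  # tac_plus searches the args for the pattern
            return "PASS" if action == "permit" else "FAIL"
    return "FAIL"  # no rule matched: still denied


def ios_authorize(methods, command, server_reachable, authenticated):
    """Walk the method list like IOS: a method is skipped only on ERROR.

    A TACACS+ deny is a definitive FAIL, so if-authenticated is never consulted
    for it; it only takes effect when the server cannot be reached."""
    for method in methods:
        if method == "group tacacs+":
            if not server_reachable:
                continue  # ERROR: fall through to the next method
            return tacacs_authorize(PROFILE, command)
        if method == "if-authenticated":
            return "PASS" if authenticated else "FAIL"
    return "FAIL"
```

Running `ios_authorize(METHODS, "show running-config", True, True)` reproduces the "command authorization failed" the original poster saw, while the same call with the server unreachable returns PASS, which is the fail-open fallback if-authenticated introduces.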