Different levels of TACACS+ Authorization for different devices

Unanswered Question
Feb 26th, 2008

We currently are using Cisco ACS 4.1 and have TACACS+ configured on all devices (PIX, Routers, Switches) so that they let us in with Enable access. We need to add additional users but limit their access. I'm trying to figure out a way to allow certain users to have enable access (15) to our layer 2 devices but only terminal access (1) to our layer 3 devices. I've broken out the equipment into separate NDGs and now I'm trying to configure the Group settings to make this work. I have configured the Shell Command Authorization settings to allow for this by assigning level 1 to layer 3 devices and 15 to layer 2 devices. When I try and connect to any of the devices it only gives me level 1 access. The logs show that it's hitting the proper NDGs but it's only showing level 1 access. Why am I not getting level 15 access when I hit my layer 2 devices? Is there something I'm missing?

Jagdeep Gambhir Thu, 02/28/2008 - 10:55

Best way here is to give all users priv 15 access and then implement command author set. Giving priv 15 does not mean that the user will be able to execute all commands.


Bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field


Once you have priv 15, deploy command author set.

IOS commands needed (enter in global configuration mode):

! local fallback account, used by the "local" method when the TACACS+ server is unreachable
username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
aaa authentication login default group tacacs+ local
! exec authorization returns the privilege level (15) configured for the group in ACS
aaa authorization exec default group tacacs+ if-authenticated
! every command typed at level 1 or 15 is sent to ACS and checked against the command set
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
! also authorize commands entered inside configuration mode
aaa authorization config-commands


See this link:

http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Hope that helps


Regards,

~JG


Do rate helpful posts
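The reply's approach (priv 15 for everyone, with a per-NDG command authorization set deciding each command) can be modelled end to end. The Python below is an added example, not code from this thread, Cisco ACS or IOS: it plays the server side (user to group, device address to NDG, group+NDG to command set) and the device side (one exec authorization at login, then one request per command, as the "aaa authorization commands" lines cause). User name, group, NDG names, addresses and the command sets are constructed for the example.

```python
# Constructed model of TACACS+ exec and per-command authorization as set up in
# the reply above: every user gets privilege 15, and a shell command
# authorization set bound to the device's Network Device Group (NDG) decides
# each command. Example code only; not Cisco ACS or IOS code. All names and
# addresses below are made up.
import re
from dataclasses import dataclass, field


@dataclass
class CommandSet:
    """Shell command authorization set in the style of ACS 4.x.

    commands maps a command name to (argument rules, decision for unmatched
    arguments); each argument rule is a (regex, "permit"|"deny") pair tried
    in order. unmatched_commands is the decision for commands with no entry.
    """
    name: str
    unmatched_commands: str = "deny"
    commands: dict = field(default_factory=dict)

    def add(self, command, arg_rules=(), unmatched_args="permit"):
        self.commands[command] = (list(arg_rules), unmatched_args)
        return self

    def decide(self, command, args):
        if command not in self.commands:
            return self.unmatched_commands
        arg_rules, unmatched_args = self.commands[command]
        for pattern, decision in arg_rules:
            if re.search(pattern, args):
                return decision
        return unmatched_args


class TacacsServer:
    """Server-side policy: user -> group, device -> NDG, (group, NDG) -> set."""

    def __init__(self):
        self.group_of_user = {}
        self.ndg_of_device = {}
        self.exec_priv = {}      # group -> privilege level returned at login
        self.command_sets = {}   # (group, NDG) -> CommandSet

    def authorize_exec(self, user):
        """Answer the 'aaa authorization exec' request sent at login."""
        return self.exec_priv[self.group_of_user[user]]

    def authorize_command(self, user, device, command, args=""):
        """Answer one 'aaa authorization commands <level>' request."""
        key = (self.group_of_user[user], self.ndg_of_device[device])
        cmd_set = self.command_sets.get(key)
        # No set bound to this group/NDG pair: fail closed.
        return "deny" if cmd_set is None else cmd_set.decide(command, args)


def run_session(server, user, device, lines):
    """Model the device side: log in, then ask the server about every command.

    Returns (privilege level granted, [(command line, decision), ...]).
    """
    priv = server.authorize_exec(user)
    results = []
    for line in lines:
        command, _, args = line.strip().partition(" ")
        results.append((line, server.authorize_command(user, device, command, args)))
    return priv, results


def build_example_server():
    """Constructed policy: priv 15 everywhere, commands restricted on layer 3."""
    srv = TacacsServer()
    srv.group_of_user["jsmith"] = "netops-junior"   # made-up user and group
    srv.exec_priv["netops-junior"] = 15              # "Privilege level" = 15 in ACS
    srv.ndg_of_device["10.0.2.1"] = "layer2"         # made-up switch address
    srv.ndg_of_device["10.0.3.1"] = "layer3"         # made-up router address

    # Layer 2 devices: every command permitted.
    layer2 = CommandSet("l2-full", unmatched_commands="permit")
    # Layer 3 devices: read-only. 'show' is allowed except the running config;
    # anything not listed (configure, reload, ...) is denied.
    layer3 = CommandSet("l3-readonly", unmatched_commands="deny")
    layer3.add("show", arg_rules=[(r"^running-config", "deny")], unmatched_args="permit")
    layer3.add("ping")
    layer3.add("exit")

    srv.command_sets[("netops-junior", "layer2")] = layer2
    srv.command_sets[("netops-junior", "layer3")] = layer3
    return srv


if __name__ == "__main__":
    server = build_example_server()
    session = ["show ip route", "show running-config", "configure terminal", "ping 10.0.0.1"]
    for device in ("10.0.2.1", "10.0.3.1"):
        priv, results = run_session(server, "jsmith", device, session)
        print(f"{device} (NDG {server.ndg_of_device[device]}): exec priv {priv}")
        for line, decision in results:
            print(f"  {line:22} -> {decision}")
```

Running it shows the point of the reply: the same user lands at privilege 15 on both devices, yet on the layer 3 router only the listed show/ping/exit commands are permitted, and "configure terminal" is denied by the command set rather than by the privilege level. The lookup key is (group, NDG), which is why the question's logs showing the right NDG is necessary but not sufficient; the exec privilege comes from the group's TACACS+ settings, not from the command set.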
