Local privilege level doesn't work when TACACS+ is unreachable

Mar 21st, 2008
We have a TACACS+ server (ACS 3.3) and a Cisco 2811 router (c2800nm-adventerprisek9-mz.124-11.XW2.bin).

Shell command authorization is configured on ACS and works very well.

I am trying to use different privilege levels for different local users on the router when the TACACS+ server fails.

Whenever I log on to the router with three different local user accounts with different privilege levels, I always get privilege level 15.

So my user privilege level configuration doesn't work properly when TACACS+ is unreachable.

This is my config:

enable secret xxx
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
username admin privilege 15 secret 5
username techinician privilege 3 secret 5
username operator privilege 2 secret 5
privilege interface level 3 shutdown
privilege configure level 3 interface
privilege exec level 3 configure terminal
privilege exec level 3 configure
privilege exec level 3 show running-config
privilege exec all level 3 show
privilege exec level 2 telnet
privilege exec level 2 traceroute
privilege exec level 2 ping
tacacs-server host
tacacs-server key xxx
line aux 0
line vty 0 4
transport input ssh

maraz Fri, 03/21/2008 - 08:55
You have forgotten the "aaa authorization exec" command.

Best Regards

Robert Maras
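As an added audit example (not code from this thread or from Cisco): a small Python check that parses an IOS configuration for exactly the gap Robert points out, a login method list that falls back to `local` without a matching `aaa authorization exec` list, which is what leaves the `username ... privilege N` levels unused. The sample configs are constructed from the poster's lines, with secrets and the server host replaced by placeholders.

```python
import re
from typing import Dict, List

# Constructed sample: the poster's AAA lines, secrets elided as "xxx".
CONFIG_BEFORE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ local if-authenticated
username admin privilege 15 secret 5 xxx
username technician privilege 3 secret 5 xxx
username operator privilege 2 secret 5 xxx
"""

# Same config plus the line from the reply: exec authorization with local fallback.
CONFIG_AFTER = CONFIG_BEFORE + "aaa authorization exec default group tacacs+ local\n"

LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
EXEC_RE = re.compile(r"^aaa authorization exec (\S+) (.+)$")
USER_RE = re.compile(r"^username (\S+) privilege (\d+)\b")


def audit_aaa_fallback(config: str) -> List[str]:
    """Report login lists whose local fallback cannot apply local privilege levels."""
    login: Dict[str, List[str]] = {}
    execauth: Dict[str, List[str]] = {}
    users: Dict[str, int] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := LOGIN_RE.match(line):
            login[m.group(1)] = m.group(2).split()
        elif m := EXEC_RE.match(line):
            execauth[m.group(1)] = m.group(2).split()
        elif m := USER_RE.match(line):
            users[m.group(1)] = int(m.group(2))
    lowpriv = sorted(u for u, lvl in users.items() if lvl < 15)
    findings = []
    for name, methods in login.items():
        if "local" not in methods:
            continue  # no local fallback at login, so local privilege levels are moot here
        exec_methods = execauth.get(name)
        if exec_methods is None:
            findings.append(f"list '{name}': login falls back to local but there is no "
                            f"'aaa authorization exec {name}' line; the local privilege "
                            f"levels of {lowpriv} are never applied to the EXEC session")
        elif "local" not in exec_methods:
            findings.append(f"list '{name}': 'aaa authorization exec' has no 'local' method, "
                            f"so EXEC authorization fails once TACACS+ is unreachable")
    return findings
```

Running it on the "before" config yields one finding naming the `default` list and the low-privilege users; the "after" config yields none.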

obasli Tue, 03/25/2008 - 01:53
Thanks for your help.

We used aaa authorization exec and changed the TACACS+ configuration. This problem is solved.
