Local privilege level doesn't work when TACACS is unreachable

obasli
Level 1

Hi,

We have a TACACS server (ACS 3.3) and a Cisco 2811 router (c2800nm-adventerprisek9-mz.124-11.XW2.bin).

We configured shell command authorization on ACS and it works very well.

I am trying to use different user privilege levels for different local users on the router when the TACACS server fails.

Whenever I log on to the router with three different local user accounts with privilege levels, I always get privilege level 15.

So my user privilege level configuration doesn't work properly when TACACS is unreachable.

This is my config:

enable secret xxx
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
username admin privilege 15 secret 5
username techinician privilege 3 secret 5
username operator privilege 2 secret 5
privilege interface level 3 shutdown
privilege configure level 3 interface
privilege exec level 3 configure terminal
privilege exec level 3 configure
privilege exec level 3 show running-config
privilege exec all level 3 show
privilege exec level 2 telnet
privilege exec level 2 traceroute
privilege exec level 2 ping
tacacs-server host 172.17.200.18
tacacs-server key xxx
line aux 0
line vty 0 4
 transport input ssh

2 Replies

maraz
Level 1

Hello,

you have forgotten the "aaa authorization exec" command.

Best Regards

Robert Maras

Hi,

Thanks for your help.

We used aaa authorization exec and changed the TACACS configuration. This problem is solved.

Thanks
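The gap identified in this thread can be checked for offline in a saved configuration. The script below is an added example, not part of the original posts and not Cisco tooling: it flags a config where login authentication can fall back to `local`, local users carry privilege levels, and no `aaa authorization exec` list exists. The function name `audit_local_fallback`, the sample config and the second check (an exec list without a `local` method) are assumptions of this example.

```python
import re

# Constructed sample modelled on the configuration posted in the thread
# (secrets omitted); it is not a capture from a real device.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization commands 15 default group tacacs+ local if-authenticated
username admin privilege 15 secret 5
username techinician privilege 3 secret 5
username operator privilege 2 secret 5
"""

USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")
AAA_RE = re.compile(r"^aaa\s+(authentication login|authorization exec)\s+(\S+)\s+(.+)$")


def audit_local_fallback(config_text):
    """Return local users with privilege levels and any exec-authorization gaps."""
    users = {}
    lists = {"authentication login": [], "authorization exec": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        user = USER_RE.match(line)
        if user:
            users[user.group(1)] = int(user.group(2))
            continue
        aaa = AAA_RE.match(line)
        if aaa:
            # Keep only the method tokens, e.g. ['group', 'tacacs+', 'local']
            lists[aaa.group(1)].append(aaa.group(3).split())

    login_local = any("local" in m for m in lists["authentication login"])
    exec_lists = lists["authorization exec"]
    findings = []
    if login_local and users:
        if not exec_lists:
            findings.append("login falls back to local users but no "
                            "'aaa authorization exec' list is configured")
        elif not any("local" in m for m in exec_lists):
            # Assumption of this check: a list without 'local' is treated as a gap.
            findings.append("'aaa authorization exec' has no 'local' method")
    return {"users": users, "findings": findings}


if __name__ == "__main__":
    print(audit_local_fallback(SAMPLE_CONFIG))
```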
