03-21-2008 02:34 AM - edited 03-10-2019 03:44 PM
Hi,
We have a TACACS server (ACS 3.3) and a Cisco 2811 router (c2800nm-adventerprisek9-mz.124-11.XW2.bin).
Configuring shell command authorization on ACS works very well.
I try to use different privilege levels for different local users on the router when the TACACS server fails.
Whenever I log on to the router with three different local user accounts with privilege levels, I always get privilege level 15.
So my user privilege level configuration doesn't work properly when TACACS is unreachable.
This is my config:
enable secret xxx
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
username admin privilege 15 secret 5
username techinician privilege 3 secret 5
username operator privilege 2 secret 5
privilege interface level 3 shutdown
privilege configure level 3 interface
privilege exec level 3 configure terminal
privilege exec level 3 configure
privilege exec level 3 show running-config
privilege exec all level 3 show
privilege exec level 2 telnet
privilege exec level 2 traceroute
privilege exec level 2 ping
tacacs-server host 172.17.200.18
tacacs-server key xxx
line aux 0
line vty 0 4
transport input ssh
03-21-2008 08:55 AM
Hello,
You have forgotten the "aaa authorization exec" command.
Best Regards
Robert Maras
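The corrected AAA block, as an added example (not the original poster's or Robert's configuration); the secret hashes are placeholders, the account names follow the question, and the only change from the posted config is the added exec authorization line:

```cisco
! Added example (not the original poster's or Robert's configuration): the
! AAA block from the question with the missing exec authorization line added.
! Method lists are tried left to right: "local" is consulted only when the
! tacacs+ group returns an error (server unreachable), not when it rejects.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
!
! The line the posted config lacked. With it, a login that falls back to
! "local" is placed in an EXEC shell at the privilege level of the matching
! "username ... privilege N" entry, instead of always level 15 as reported.
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local if-authenticated
!
! Local fallback accounts (hashes are placeholders); the per-command
! "privilege ... level" statements from the question then limit what
! level 2 and level 3 users may run.
username admin privilege 15 secret <hash>
username technician privilege 3 secret <hash>
username operator privilege 2 secret <hash>
!
! Quick check after logging in while the TACACS server is unreachable:
! "show privilege" should report the local account's level, for example
! "Current privilege level is 3" for the technician account.
```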
03-25-2008 01:53 AM
Hi,
Thanks for your help.
We used aaa authorization exec and changed the TACACS configuration. This problem is solved.
Thanks