Local privilege level doesn't work when TACACS+ is unreachable

obasli
Level 1

Hi,

We have a TACACS+ server (ACS 3.3) and a Cisco 2811 router (c2800nm-adventerprisek9-mz.124-11.XW2.bin).

Shell command authorization is configured on ACS and works very well.

I want to use different privilege levels for different local users on the router when the TACACS+ server fails.

Whenever I log on to the router with three different local user accounts with different privilege levels, I always get privilege level 15.

So my user privilege level configuration doesn't work properly when TACACS+ is unreachable.

This is my config:

enable secret xxx
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
!
! local users (the secret-5 hashes were stripped from the post)
username admin privilege 15 secret 5
username techinician privilege 3 secret 5
username operator privilege 2 secret 5
!
! privilege-level mapping for the local users
privilege interface level 3 shutdown
privilege configure level 3 interface
privilege exec level 3 configure terminal
privilege exec level 3 configure
privilege exec level 3 show running-config
privilege exec all level 3 show
privilege exec level 2 telnet
privilege exec level 2 traceroute
privilege exec level 2 ping
!
tacacs-server host 172.17.200.18
tacacs-server key xxx
!
line aux 0
line vty 0 4
 transport input ssh

2 Replies

maraz
Level 1

Hello,

You have forgotten the "aaa authorization exec" command.

Best Regards

Robert Maras

Hi,

Thanks for your help.

We used aaa authorization exec and changed the TACACS+ configuration. This solved the problem.

Thanks
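The fix maraz points to, written out as a complete AAA stanza. This is an added example, not the poster's final configuration (the thread does not show it). The placeholder hashes and key are assumptions, the username "technician" is spelled as a normal word, and the "commands 2" and "commands 3" authorization lines go beyond what the thread configures; the rest follows the original post.

```cisco
! Added example (not the poster's running config): exec authorization with
! local fallback. <hash> and <key> are placeholders, not real values.
aaa new-model
!
! Login: ask TACACS+ first; "local" is consulted only when every TACACS+
! server returns an error (unreachable), NOT when the server rejects the user.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! This is the line the original config lacks. Exec authorization is what
! assigns the privilege level a session starts in: the priv-lvl from the
! TACACS+ shell profile when the server answers, or the level from the
! matching "username ... privilege N" entry when IOS falls back to "local".
! Without an exec authorization list those username privilege values are
! never consulted, so the configured levels have no effect.
aaa authorization exec default group tacacs+ local
aaa authorization console
!
! Command authorization. "local" checks the command against the user's
! privilege level; "if-authenticated" is reached only if both earlier
! methods return an error. Only the levels listed here are sent to AAA,
! so list the levels you actually use, not just 15.
aaa authorization commands 2 default group tacacs+ local if-authenticated
aaa authorization commands 3 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
!
username admin privilege 15 secret 5 <hash>
username technician privilege 3 secret 5 <hash>
username operator privilege 2 secret 5 <hash>
!
! Privilege mapping as in the original post. The parser enforces this on
! its own: a level-2 user does not even see the level-3 commands.
privilege exec level 3 configure terminal
privilege configure level 3 interface
privilege interface level 3 shutdown
privilege exec level 3 show running-config
privilege exec all level 3 show
privilege exec level 2 ping
privilege exec level 2 traceroute
privilege exec level 2 telnet
!
tacacs-server host 172.17.200.18
tacacs-server key <key>
!
line vty 0 4
 transport input ssh
```

To check it, make the TACACS+ host unreachable, log in as the level-2 user over SSH and run `show privilege`; it should report level 2, and `debug aaa authorization` shows which method answered the EXEC authorization request. Two caveats a practitioner will want: once exec authorization is on, ACS must return a shell (exec) profile with a privilege level for the group, otherwise users who authenticate through TACACS+ fail exec authorization (this is the "changed the TACACS+ configuration" step in the follow-up). And `aaa authentication enable ... enable` means that while TACACS+ is down, any local user who knows the enable secret can still reach level 15 by typing `enable`, so the enable secret has to be treated as an admin-only credential.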