03-21-2008 02:34 AM - edited 03-10-2019 03:44 PM
Hi,
We have a TACACS server (ACS 3.3) and a Cisco 2811 router (c2800nm-adventerprisek9-mz.124-11.XW2.bin).
Shell command authorization is configured on ACS and works very well.
I try to use different user privilege levels for different local users on the router when the TACACS server fails.
Whenever I log on to the router with three different local user accounts with different privilege levels, I always get privilege level 15.
So my user privilege level configuration doesn't work properly when TACACS is unreachable.
This is my config:
enable secret xxx
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
username admin privilege 15 secret 5
username techinician privilege 3 secret 5
username operator privilege 2 secret 5
privilege interface level 3 shutdown
privilege configure level 3 interface
privilege exec level 3 configure terminal
privilege exec level 3 configure
privilege exec level 3 show running-config
privilege exec all level 3 show
privilege exec level 2 telnet
privilege exec level 2 traceroute
privilege exec level 2 ping
tacacs-server host 172.17.200.18
tacacs-server key xxx
line aux 0
line vty 0 4
transport input ssh
03-21-2008 08:55 AM
Hello,
You have forgotten the "aaa authorization exec" command.
Best Regards
Robert Maras
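For reference, here is what the AAA section from the original post looks like with the missing exec authorization added. This is an added example, not the configuration the poster or the answerer actually applied; the method list order (TACACS+ first, then the local database) and the placement of the "if-authenticated" fallback are assumptions based on the poster's stated goal of enforcing the local "username ... privilege N" levels when the TACACS server is unreachable.

```cisco
! Added example: AAA fallback so that local privilege levels are honoured
! when the TACACS+ server cannot be reached. Lines marked NEW are the
! additions; the rest is taken from the configuration in the original post.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! NEW: without exec authorization the privilege level configured on the
! "username" entry is never applied to the EXEC session. With "local" as
! the second method, a user authenticated from the local database is
! placed at the level from "username <name> privilege <N>".
aaa authorization exec default group tacacs+ local
aaa authorization console
!
! Command authorization: "local" checks the command against the user's
! privilege level; "if-authenticated" is an assumption here and is kept
! last so it only acts as a final fallback.
aaa authorization commands 15 default group tacacs+ local if-authenticated
!
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
username admin privilege 15 secret 5 <hash-placeholder>
username techinician privilege 3 secret 5 <hash-placeholder>
username operator privilege 2 secret 5 <hash-placeholder>
!
tacacs-server host 172.17.200.18
tacacs-server key <key-placeholder>
```

Because "aaa authorization console" is enabled, the exec authorization list also applies to the console line, so the change is best made from one session while a second, already-authorized session stays open, and then verified by logging in as each local user with the TACACS+ server unreachable and running "show privilege".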
03-25-2008 01:53 AM
Hi,
Thanks for your help.
We used aaa authorization exec and changed the TACACS configuration. This problem is solved.
Thanks