Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
377
Views
0
Helpful
1
Replies

Authorization Issue

Go to solution
chuck.gilkes
Level 1
Level 1

‎04-29-2008 06:14 AM - edited ‎03-10-2019 03:48 PM

I've been trying to set up a read-only group that allows certain users to login at privilege level3 and issue several commands, i.e.; show run. The user group in the ACS is correct and here are the configure lines in the device:

aaa authorization config-commands

aaa authorization exec default group tacacs+ local none

aaa authorization commands 1 default group tacacs+ local if-authenticated

aaa authorization commands 3 default group tacacs+ local if-authenticated

aaa authorization commands 15 default group tacacs+ local if-authenticated

When a user with level priv 15 logs in authorization works fine. The debug messages show authorization requests going to the ACS and the appropriate responses are returned. However, when a level 3 users logs in, authorization for those commands that user has access to, show run fails. I noted that the device did not send any request to ACS.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jagdeep Gambhir
Level 10
Level 10

‎04-29-2008 06:19 AM

Chuck,

Best way to set it up is to give all user priv lvl 15 and then define what all commands user can execute.

Note : Have priv 15 does not mean that user will able to issue all commands.

We will set up command authorization on acs to have control on users.

Please see this link,

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Regards,

~JG

Do rate helpful posts

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Jagdeep Gambhir
Level 10
Level 10

‎04-29-2008 06:19 AM

Chuck,

Best way to set it up is to give all user priv lvl 15 and then define what all commands user can execute.

Note : Have priv 15 does not mean that user will able to issue all commands.

We will set up command authorization on acs to have control on users.

Please see this link,

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Regards,

~JG

Do rate helpful posts

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents