Recently we have configured TACACS 4.2, and I created a read-only profile for one group with privilege level 5. Now users are unable to issue the "sh run" command; apart from that, users are able to run all show commands.
Could somebody please help me with this?
If possible, could somebody please send me a document on the different privilege levels and the commands accepted at each level, from 1 to 15.
For show run you need to give priv 15. ACS works differently from setting up local privilege levels on a router/switch.
The best way to set it up is to give all users priv lvl 15 and then define which commands each user can execute.
Note: having priv 15 does not mean that the user will be able to issue all commands.
We will set up command authorization on ACS to have control over users.
This is how your config should look:
! Login authentication via TACACS+, falling back to the local database
aaa authentication login default group tacacs+ local
! Exec authorization (privilege level / autocommands come from ACS)
aaa authorization exec default group tacacs+ if-authenticated
! Command authorization for priv 1 and priv 15 commands, checked against the ACS command set
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
! Also authorize commands entered in configuration mode
aaa authorization config-commands
! Command accounting so every command is logged on ACS
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Do rate helpful posts
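How ACS-style command authorization decides the case in this thread (every user at priv 15, a read-only command set that blocks show running-config while allowing other show commands) is shown below as an added Python model; it is not part of the original post and not ACS code. The command-set structure (per-command permit/deny argument patterns, "permit unmatched args", "permit unmatched commands") and the first-match evaluation order are simplifying assumptions.

```python
import re
from dataclasses import dataclass, field

@dataclass
class CommandRule:
    """One command entry in a shell command authorization set (assumed model)."""
    command: str
    arg_rules: list = field(default_factory=list)  # [(action, regex)], checked in order
    permit_unmatched_args: bool = False            # what to do if no pattern matches

@dataclass
class CommandSet:
    """A whole command authorization set attached to a group (assumed model)."""
    rules: dict                               # command keyword -> CommandRule
    permit_unmatched_commands: bool = False   # default for commands not listed

def authorize(cmd_set: CommandSet, line: str) -> bool:
    """Return True if the command line is permitted under the set.

    IOS expands abbreviations ("sh run" -> "show running-config") before
    sending the TACACS+ authorization request, so the model matches on the
    full command form.
    """
    parts = line.strip().split(None, 1)
    if not parts:
        return False
    command, args = parts[0], (parts[1] if len(parts) > 1 else "")
    rule = cmd_set.rules.get(command)
    if rule is None:
        return cmd_set.permit_unmatched_commands   # default-deny for a read-only set
    for action, pattern in rule.arg_rules:         # first matching pattern wins
        if re.search(pattern, args):
            return action == "permit"
    return rule.permit_unmatched_args

# Constructed read-only set: all "show" commands except the configuration,
# plus "exit"; everything else (configure, write, reload, ...) is denied.
READ_ONLY = CommandSet(
    rules={
        "show": CommandRule("show",
                            arg_rules=[("deny", r"^running-config"),
                                       ("deny", r"^startup-config")],
                            permit_unmatched_args=True),
        "exit": CommandRule("exit", permit_unmatched_args=True),
    },
    permit_unmatched_commands=False,
)

if __name__ == "__main__":
    for cmd in ("show ip route", "show running-config", "configure terminal"):
        print(f"{cmd!r}: {'permit' if authorize(READ_ONLY, cmd) else 'deny'}")
```

The same user is still priv 15 on the device, so the "aaa authorization commands 15" line in the config above is what sends each command to ACS for this decision.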