Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
485
Views
0
Helpful
1
Replies

User unable to issue a sh run command

Go to solution
chaitu_kranthi
Level 1
Level 1

‎07-07-2008 11:05 AM - edited ‎03-10-2019 03:57 PM

Hi,

Recently we have configured a TACACS 4.2 version. and i create readonly profile to one group with privilege level as 5. now users are unable to issue a "sh run" command. except that user are able to run all show commands.

Somebody please help me in this.

If possible somebody please send me the document on different privilege levels and the acceptable command in that levels start from 1 to 15.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jagdeep Gambhir
Level 10
Level 10

‎07-07-2008 12:05 PM

For show run you need to give priv 15. ACS works in a different way if you compare it with setting up local priv lvls on router/switch.

Best way to set it up is to give all user priv lvl 15 and then define what all commands user can execute.

Note : Having priv 15 does not mean that user will able to issue all commands.

We will set up command authorization on acs to have control on users.

This is how your config should look,

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Regards,

~JG

Do rate helpful posts

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Jagdeep Gambhir
Level 10
Level 10

‎07-07-2008 12:05 PM

For show run you need to give priv 15. ACS works in a different way if you compare it with setting up local priv lvls on router/switch.

Best way to set it up is to give all user priv lvl 15 and then define what all commands user can execute.

Note : Having priv 15 does not mean that user will able to issue all commands.

We will set up command authorization on acs to have control on users.

This is how your config should look,

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Regards,

~JG

Do rate helpful posts

0 Helpful
Customers Also Viewed These Support Documents