How can I use effectively the "ENABLE OPTIONS"

Unanswered Question
Aug 19th, 2009
Hi


I am setting up Cisco ACS appliance 113 Server (4.0).


GROUPS DEFINED

==============

Group 1 : admincentral

Group 2 : limited admin

Group 3 : education


Network device groups NDGs Defined

==================================

Switch

Router

WLAN



AAA CONFIG IN CLIENT

===================

aaa authentication login CONSOLE group tacacs+ local-case enable
aaa authentication login VTY group tacacs+ local-case enable
aaa authentication login TACACS group tacacs+ enable
aaa authentication enable default enable
aaa authorization exec default group tacacs+ group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
tacacs-server host a.b.c.d key xxx
tacacs-server directed-request



ACHIEVEMENT SO FAR

==================

Whenever I log in to the device, it takes me directly into the privilege level, e.g. level 15 for superuser, instead of asking for the enable password.


PROBLEM

=======

How can I use effectively the "ENABLE OPTIONS"? It has three options:

1) No enable privileges

2) Max privilege level for any AAA client

3) Define MAX Privilege on a per NDG basis


But the pity is I am not able to use it effectively. Can you help me?


Currently what I do is, I go to the "TACACS+ SETTINGS" section and then CHECK the Shell (exec) and Privilege level check boxes with a number, let's say 15 or 10 or 4.

Believe me, nothing works unless I check the PRIVILEGE LEVEL CHECK BOX and fill in the number. Whatever level I set there, it becomes applicable for all the users for all the devices, and that is very strange. Can you help me?


Thanks and regards


mchin345 Tue, 08/25/2009 - 13:38

Perform this procedure to configure group-level TACACS+ enabling parameters. The three possible TACACS+ enable options are:

• No Enable Privilege: (default) Disallows enable privileges for this user group.

• Max Privilege for Any AAA Client: Selects the maximum privilege level for this user group for any AAA client on which this group is authorized.

• Define max Privilege on a per-network device group basis: Defines maximum privilege levels for an NDG. To use this option, you create a list of device groups and corresponding maximum privilege levels. See your AAA client documentation for information about privilege levels.


http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/g.html#wp540570
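An added example, not part of either post above: the Enable Options only come into play when the device sends its `enable` request to TACACS+, whereas the posted `aaa authentication enable default enable` checks the local enable password and the Shell (exec) privilege level alone decides where the user lands. The IOS fragment below shows the posted line beside a variant that lets ACS cap the level per group and per NDG; the per-NDG levels and ACS field values in the comments are constructed for illustration, and a.b.c.d / xxx are the poster's placeholders.

```ios
! --- As posted: enable is verified locally, ACS Enable Options are never consulted
! aaa authentication enable default enable
!
! --- Variant: ask TACACS+ for enable first, fall back to the local enable
! --- password only if the server does not respond
aaa new-model
aaa authentication login VTY group tacacs+ local-case enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
tacacs-server host a.b.c.d key xxx
!
line vty 0 4
 login authentication VTY
!
! --- Matching ACS group settings (constructed values, assumptions):
! Group "limited admin"
!   TACACS+ Settings : Shell (exec) checked, Privilege level 1
!                      (user logs in at level 1 and must type "enable")
!   Enable Options   : Define max Privilege on a per-NDG basis
!                        Switch -> 15
!                        Router -> 7
!                        WLAN   -> 1
! Group "education"
!   Enable Options   : No Enable Privilege
! Each user also needs a TACACS+ enable password defined in ACS,
! otherwise the enable request is rejected.
!
! --- Check from the device after logging in as a "limited admin" user:
! show privilege        (expect level 1 after login)
! enable 7              (should succeed on a Router NDG device)
! enable 15             (should be refused on a Router NDG device)
```

Keep the local enable secret set on every device, since it is the fallback when the TACACS+ server is unreachable.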

