TACACS Authorization in exec mode

Unanswered Question
Sep 22nd, 2009

Hi !

I am trying to limit the available commands in user mode... it doesn't work...

For example, I permitted the show command for user DSC in my ACS shared profile.

When user DSC telnets to my router, the authentication is validated by the same ACS. At the > prompt the DSC user is able to use all commands available in that mode... all show commands, ping, etc. In the same session, when I go into privileged mode, only show commands are permitted. Is it possible to limit user mode as well?

Thanks a lot !

Jagdeep Gambhir Tue, 09/22/2009 - 09:55

You need these commands on the IOS device:

! Local fallback account, used if the TACACS+ server is unreachable
Router(config)# username [username] password [password]
! TACACS+ server and shared secret
tacacs-server host [ip]
tacacs-server key [key]
! Enable AAA and send login authentication to TACACS+ (local fallback)
aaa new-model
aaa authentication login default group tacacs+ local
! Exec (shell) authorization, then per-command authorization at levels 1 and 15
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
! Also authorize commands entered in configuration mode
aaa authorization config-commands

B. Bring users/groups in at level 15

1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field

See the attachment that explains how to set up the shell command set.

Note: Giving privilege 15 does not mean that the user will be able to execute all commands. Command authorization applies on top of the privilege level.


For user-mode restriction you need this command:

aaa authorization commands 0 default group tacacs+ if-authenticated

If you do not want the user to fall directly into enable mode, please uncheck priv 15 in step 4.



Do rate helpful posts
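As an added example (not from the original post, the Cisco ACS documentation, or any project), here is a small Python audit that parses `aaa authorization commands` lines from an IOS configuration and reports which of the privilege levels named in the reply (0, 1 and 15) lack a TACACS+ command-authorization list, whether `aaa authorization config-commands` is present, and which lists fall open through `if-authenticated` or `none` when the ACS is unreachable. The two sample configurations, the 192.0.2.10 server address and the key value are constructed for the example.

```python
import re

# Constructed sample: the device as described in the question, with command
# authorization for levels 1 and 15 only, so user-mode (level 0) commands are
# never sent to the ACS for authorization.
CONFIG_BEFORE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
tacacs-server host 192.0.2.10
tacacs-server key 7 EXAMPLE-KEY
"""

# Constructed sample: the same device after adding the level-0 method list and
# config-command authorization that the reply recommends.
CONFIG_AFTER = CONFIG_BEFORE + """\
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization config-commands
"""

# Privilege levels the reply says need a command-authorization method list.
REQUIRED_LEVELS = {0, 1, 15}
CMD_AUTHZ = re.compile(
    r"^aaa authorization commands (\d+) (\S+) (.+)$", re.MULTILINE)


def audit_command_authorization(config: str) -> dict:
    """Report which privilege levels are covered by the default TACACS+
    command-authorization list, which are missing, and which fall open."""
    covered = {}
    for m in CMD_AUTHZ.finditer(config):
        level, list_name, methods = int(m.group(1)), m.group(2), m.group(3)
        if list_name == "default":          # only the default list applies to VTY lines by default
            covered[level] = methods.split()
    missing = sorted(REQUIRED_LEVELS - covered.keys())
    # "if-authenticated" or "none" as a fallback method lets every command
    # through when the TACACS+ server cannot be reached; make that explicit.
    fail_open = sorted(level for level, meth in covered.items()
                       if "none" in meth or "if-authenticated" in meth)
    return {
        "covered_levels": sorted(covered),
        "missing_levels": missing,
        "config_commands": "aaa authorization config-commands" in config.splitlines(),
        "fail_open_levels": fail_open,
    }
```

Run against `CONFIG_BEFORE` the audit reports level 0 as missing, which matches the symptom in the question; against `CONFIG_AFTER` every required level is covered but all three lists are flagged as fail-open, the trade-off the `if-authenticated` keyword makes.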
