TACACS Command authorization

Unanswered Question
Nov 24th, 2009
User Badges:


I'm trying to implement TACACS command authorization so that I can implement different levels of access to a firewall (admin, read-only and monitor). The reason is because I need to allow access for our NOC team to view the configuration without changing anything and for some users allow them to monitor the firewall.

I have used a configuration in the lab with the following version and it is working fine.

Cisco Adaptive Security Appliance Software Version 8.0(4)28
Device Manager Version 6.0(2)

So then I decided to start implementing the same configuration on the customer firewalls and on the first one I tried it, it was not working the same way allowing users with privilege level 5 to login to ASDM and change whatever they wanted. After a lot of troubleshooting I saw that the only difference was the ASDM version (asdm-613.bin). When I copied version 6.0(2) the configuration started to work again and the users with priv-level 5 were no longer able to change the configuration.

It worries me that different versions behave completely different so I would like to understand what should I expect and if there is any error in my configuration that would provoke this.

I am using Tacacs tac_plus version F4.0.4.19.


group = noc {
    default service = permit
    enable = cleartext "mypassword"
    login = cleartext "mypassword"
    service = exec {
     "priv-lvl" = 5

    cmd = show {
      permit .*

    cmd = exit {
     permit .*

    cmd = configure {
     deny .*

Any help would be very much appreciated.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)


This Discussion