tacacs AAA and privilege level 7

mike.hemingway · ‎09-01-2011

I've setup a group on tacacs server called acsrestricted and mapped it to AD security group. I've set this group to privilege level 7 on tacacs server.

I need this group to view the "show run" config on a router. Privilege level 7 allows the user to use some other show commands but not "show run". How can i configure this on tacacs?

Richard Burts · ‎09-05-2011

Michael

I am not sure that I am understanding your post correctly. As I understand it you have created a group for some users who would operate at privilege level 7. I gather that this works and that users in this group do authenticate and are assigned to privilege level 7. You say that some show commands are assigned to them but not the show run command. This would seem to be simple to solve - you make sure that show with a parameter of run is assigned to them. But there is something not simple that makes this not work. Part of the Cisco implementation of privilege levels is that in show run a user can not view any parameter that they do not have permission to change.

Perhaps it might work for your situation if you give those users access to show config. show config does not have the same restriction as show run.

HTH

Rick

Sent from Cisco Technical Support iPad App

HTH

Rick

mike.hemingway · ‎09-06-2011

Richard,

I meant to say earlier that some of show commands are assigned this acsrestricted group using privilege level 7 are enabled by default. I didn't make any changes in the " shell command authorization set " in ACS group settings.

The only change i've made so far is check the shell (exec) and privilege level 7 in group setup>acsrestricted>edit settings on the ACS 4.2. However, i'm unclear as to how to assign the show command with the parameter config (i like this better then the parameter run) on ACS 4.2. Can you help me with with syntex on ACS 4.2. Your help would be greatly appreciated.

Mike