TACACS default priv exec level

Jul 26th, 2006

Hello,


I'm testing the new ACS 4.0 for some features like .1x.

For the authentication I use a linux box with tacacs+ and all works fine.


I tried TACACS+ coming from ACS, but I don't understand why my account doesn't go to the # level 15 privilege; instead I need to enter the enable command.


On ACS my account is level 15, and this is my configuration on the test switch:

aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default wait-start group tacacs+
aaa accounting system default wait-start group tacacs+


Could someone help me?


Thank you,

valentino

annnguy Fri, 07/28/2006 - 08:45

You'll need to ensure that the tacacs server is actually passing back the privilege level for Shell Exec. Make sure that your privilege configuration is for the TACACS+ Settings > Shell (exec) settings, not the max enable privilege.

You can also verify whether or not ACS is actually sending the privilege for shell exec if you turn on "debug tacacs". It should look something like...

Jul 28 09:25:02.157: TPLUS: Sending AV service=shell
Jul 28 09:25:02.157: TPLUS: Sending AV cmd*
Jul 28 09:25:02.157: TPLUS: Authorization request created for 4(annie)
Jul 28 09:25:02.157: TPLUS: using previously set server 172.16.242.222 from group tacacs+
.....
Jul 28 09:25:02.173: TPLUS(00000004)/0/8370E638: Processing the reply packet
Jul 28 09:25:02.173: TPLUS: Processed AV priv-lvl=15
Jul 28 09:25:02.173: TPLUS: received authorization response for 4: PASS

Sincerely,

Annie
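The debug lines in the answer above are the visible trace of one TACACS+ authorization exchange: the switch sends service=shell and cmd* for the EXEC session, and the server's reply either carries priv-lvl=15 or it does not. The following is an added example, not code from the thread, from Cisco or from ACS: it builds both sides of that exchange per RFC 8907 (packet header, body obfuscation with the shared key, authorization REQUEST and REPLY bodies) and then decodes the reply the way the NAS would. The shared key, user name, port, address and session id are constructed test values; the fallback to level 1 when the server passes the request without a priv-lvl attribute is the symptom in the question.

```python
import hashlib
import struct

# RFC 8907 constants used below
VERSION = (0xC << 4) | 0x0                 # major 0xc, minor 0
TAC_PLUS_AUTHOR = 0x02                     # packet type: authorization
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10


def obfuscate(session_id, key, version, seq_no, body):
    """RFC 8907 section 4.5: XOR the body with a pad of chained MD5 digests.
    XOR is its own inverse, so the same call de-obfuscates."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def header(seq_no, session_id, body_len):
    # version, type, seq_no, flags (0 = body obfuscated), session_id, body length
    return struct.pack("!BBBBII", VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, body_len)


def build_author_request(user, port, rem_addr, args):
    """Authorization REQUEST body for an EXEC session (args: service=shell, cmd*)."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    arg_bs = [a.encode() for a in args]
    body = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_METH_TACACSPLUS,
                       1,  # priv_lvl the user holds at login time
                       TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(user_b), len(port_b), len(rem_b), len(arg_bs))
    return body + bytes(len(a) for a in arg_bs) + user_b + port_b + rem_b + b"".join(arg_bs)


def build_author_reply(status, args, server_msg=""):
    """Authorization REPLY body; a server configured with a shell privilege
    level returns it as the AV pair priv-lvl=15 in args."""
    arg_bs = [a.encode() for a in args]
    msg_b = server_msg.encode()
    body = struct.pack("!BBHH", status, len(arg_bs), len(msg_b), 0)
    return body + bytes(len(a) for a in arg_bs) + msg_b + b"".join(arg_bs)


def parse_author_reply(body):
    """Decode a REPLY body into (status, {attribute: value}). The first '='
    (mandatory) or '*' (optional) separates attribute from value."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    lens = body[6:6 + arg_cnt]
    off = 6 + arg_cnt + msg_len + data_len
    avs = {}
    for n in lens:
        raw = body[off:off + n].decode()
        off += n
        seps = [i for i in (raw.find("="), raw.find("*")) if i >= 0]
        if not seps:
            raise ValueError("malformed AV pair: %r" % raw)
        idx = min(seps)
        avs[raw[:idx]] = raw[idx + 1:]
    return status, avs


def exec_priv_level(reply_body):
    """Privilege level the NAS applies after EXEC authorization. PASS without a
    priv-lvl attribute leaves the user at the default EXEC level, 1."""
    status, avs = parse_author_reply(reply_body)
    if status not in (TAC_PLUS_AUTHOR_STATUS_PASS_ADD, TAC_PLUS_AUTHOR_STATUS_PASS_REPL):
        raise PermissionError("authorization failed, status 0x%02x" % status)
    return int(avs.get("priv-lvl", 1))


def exchange_on_the_wire(key, session_id):
    """Both packets as they would cross TCP/49, obfuscated with the shared key."""
    req = build_author_request("valentino", "tty1", "192.0.2.10", ["service=shell", "cmd*"])
    rep = build_author_reply(TAC_PLUS_AUTHOR_STATUS_PASS_ADD, ["priv-lvl=15"])
    req_pkt = header(1, session_id, len(req)) + obfuscate(session_id, key, VERSION, 1, req)
    rep_pkt = header(2, session_id, len(rep)) + obfuscate(session_id, key, VERSION, 2, rep)
    return req_pkt, rep_pkt


def decode_reply_packet(pkt, key):
    """NAS side: strip the header, de-obfuscate with the shared key, read priv-lvl."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", pkt[:12])
    body = obfuscate(session_id, key, version, seq_no, pkt[12:12 + length])
    return exec_priv_level(body)


if __name__ == "__main__":
    KEY = b"test-shared-secret"            # constructed value
    _, reply_pkt = exchange_on_the_wire(KEY, 0x1234ABCD)
    print("priv-lvl from reply:", decode_reply_packet(reply_pkt, KEY))
    bare = build_author_reply(TAC_PLUS_AUTHOR_STATUS_PASS_ADD, [])   # PASS, no priv-lvl
    print("priv-lvl when the server omits it:", exec_priv_level(bare))
```

The point of the second print is the one the answer makes: an EXEC authorization that PASSes but carries no priv-lvl is still a pass, so "aaa authorization exec" succeeds and the user lands at level 1 and has to type enable; only a reply carrying priv-lvl=15 in the shell (exec) authorization puts the session straight into level 15.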
