
ACS 5.1 Device Admin privilege assignment

I think I am doing the same thing as described in this document: https://supportforums.cisco.com/docs/DOC-16027

However, my admin user is still being assigned privilege level 1, as shown in the AAA Protocol > TACACS+ Authentication Details report.

The report seems to show that the user is getting the right shell profile (Selected Shell Profile: Net-Admin -- is the one I set up for this user's group with both Default Privilege and Maximum Privilege set to Static 15). But still not the right privilege (Privilege Level: 1).

Also, I found this document via Google:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml#t2

The router configuration examples all show this "aaa authorization exec tacacs+|radius local" command, which my device does not have.

So I am wondering if I am not reading the ACS report right, or the device actually was assigned the correct privilege but that does not work without the "aaa authorization exec" command in the configuration?

Any help would be great! Thanks!

--

Wei


Re: ACS 5.1 Device Admin privilege assignment

Indeed, a device must have the "aaa authorization exec" command for privilege assignment from ACS to work.

In my device, running IOS 12.2(53)SG3, the configuration should be:

    aaa authorization exec default local group tacacs+

That allows the device to try the local enable secret and then TACACS+ authorization.
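
An audit for the gap this thread ran into, as an added example that is not part of the original posts: it parses an IOS configuration and reports vty lines whose exec sessions have no `aaa authorization exec` method list that consults TACACS+, so the privilege level in the ACS shell profile is not applied. The sample configurations are constructed, and the check assumes vty lines without an explicit `authorization exec <list>` use the `default` list.

```python
import re

# Constructed sample (not from the thread): TACACS+ login, no exec authorization.
SAMPLE_MISSING = """\
aaa new-model
aaa authentication login default group tacacs+ local
!
line vty 0 4
 transport input ssh
"""
# Same configuration with the command from the reply added.
SAMPLE_FIXED = SAMPLE_MISSING.replace(
    "!\n", "aaa authorization exec default local group tacacs+\n!\n", 1)

def parse_exec_authorization(config):
    """Return ({list_name: [methods]}, {line_name: exec_list_name})."""
    method_lists, line_lists, current = {}, {}, None
    for raw in config.splitlines():
        m = re.match(r"aaa authorization exec (\S+) (.+)", raw)
        if m:
            method_lists[m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"line (.+)", raw)
        if m:
            current = m.group(1).strip()
            line_lists[current] = "default"  # assumed when no list is named
            continue
        if not raw.startswith(" "):
            current = None  # left the line sub-mode
            continue
        m = re.match(r"\s+authorization exec (\S+)", raw)
        if m and current:
            line_lists[current] = m.group(1)
    return method_lists, line_lists

def audit(config):
    """List vty lines that will not ask TACACS+ for an exec privilege level."""
    method_lists, line_lists = parse_exec_authorization(config)
    findings = []
    for line, name in line_lists.items():
        if not line.startswith("vty"):
            continue
        methods = method_lists.get(name)
        if methods is None:
            findings.append(f"line {line}: no 'aaa authorization exec {name}' list")
        elif "tacacs+" not in methods:
            findings.append(f"line {line}: list '{name}' never consults tacacs+")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_MISSING), audit(SAMPLE_FIXED))
```
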
