Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

ACS-Different Access for users

Hi, I tried searching this forum, and did not find information specific to my situation, but I apologize if this has previously been addressed.

What I am looking to do:

Local user configured on switch (Admin) should be placed into Exec mode upon initial login, and then have to type "Enable" and put in Enable password to get into Enable mode.

I have a Secure ACS server, integrated into Win2k3 Active Directory database. This works fine for authenticating users via their Domain Account.

I will create 2 AD groups, one for unrestricted access to the devices, and one for restricted access for certain users, and set the privilege levels per group in the ACS server. I'm not too worried about this.

My question is, how do I set it so that the local user authentication goes into Exec mode (not to Enable mode), yet users in the Unrestricted AD/ACS group go directly into Enable mode, and users in the Restricted group go into Exec mode?

One more note, I am looking to implement this on 20+ switches, each have different passwords assigned.

Current config:

aaa new-model

aaa authentication login default group tacacs+ local

username admin password 7 xxxxxxx

Thanks in advance for your help. If you need any more information, please let me know!



Re: ACS-Different Access for users


The local user account is only used when the TACACs server is unavailable. At that point does it really matter what mode the account is thrown into?

New Member

Re: ACS-Different Access for users

Ok, that makes sense. Thanks for the reply!

CreatePlease to create content