06-23-2012 10:04 AM - edited 03-10-2019 07:13 PM
Hi
I am trying to set specific show arguments for a user, but the user always gains access to all show arguments. Please find my configuration below:
privilege exec level 5 show ip route
aaa authorization commands 5 TELNET group tacacs+
aaa authorization exec TELNET group tacacs+
aaa authentication login TAC group tacacs+
tacacs-server host 10.0.0.100 key ccie-acs
radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key CISCO
line vty 0 4
password cisco
authorization commands 5 TELNET
authorization exec TELNET
login authentication TAC
06-23-2012 10:33 AM
You should use standard command authorization config on the device. The command level of show ip route that you modified is actually local to the device. In your case we are testing it with TACACS.
aaa new-model
aaa authorization config-commands
aaa authorization commands 0 TELNET group tacacs+ local
aaa authorization commands 1 TELNET group tacacs+ local
aaa authorization commands 15 TELNET group tacacs+ local
Try with this and see how it goes.
Regards,
Jatin
06-24-2012 12:35 PM
Thanks Jatin, it worked as you advised, but when I really need to define an extra level, what tweaks or advanced scenario may that require?
06-24-2012 01:10 PM
By default, there are three command levels on the router:
privilege level 0 — Includes the disable, enable, exit, help, and logout commands.
privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
privilege level 15 — Includes all enable-level commands at the router# prompt.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
For example, show run is a privilege 15 command. Previously, the authorization command for level 15 was not configured on the IOS, so your command set was not matching and the user was able to run all the commands. Since we have now configured 0, 1 and 15, this covers most of the commands.
Hope this helps.
Regards,
Jatin
Do rate helpful posts-
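As an added example (not from this thread and not Cisco's own tooling), a small Python audit that applies the reasoning above: it parses a running-config excerpt modelled on the original post and reports every privilege level in use that has no "aaa authorization commands" entry, which is exactly the gap that let level-15 commands such as show run through. The sample config text and the function name are constructed for this example.

```python
import re

# Constructed running-config excerpt modelled on the original post: command
# authorization is applied to level 5 only, so commands at levels 0, 1 and 15
# are never sent to the TACACS+ server for authorization.
SAMPLE_CONFIG = """\
aaa new-model
privilege exec level 5 show ip route
aaa authorization commands 5 TELNET group tacacs+
aaa authorization exec TELNET group tacacs+
aaa authentication login TAC group tacacs+
tacacs-server host 10.0.0.100 key ccie-acs
line vty 0 4
 authorization commands 5 TELNET
 authorization exec TELNET
 login authentication TAC
"""

DEFAULT_LEVELS = {0, 1, 15}  # levels that always exist on IOS

AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")
PRIV_RE = re.compile(r"^privilege \S+ level (\d+) ")
VTY_AUTHZ_RE = re.compile(r"^\s+authorization commands (\d+) (\S+)$")


def audit_command_authz(config):
    """Report privilege levels lacking global command authorization, vty
    references to levels that are never defined globally, and whether
    config-mode commands are authorized at all."""
    levels_in_use = set(DEFAULT_LEVELS)
    global_authz = {}   # level -> method-list name
    vty_authz = set()   # levels referenced under 'line vty'
    config_commands = False
    for line in config.splitlines():
        if line.strip() == "aaa authorization config-commands":
            config_commands = True
        if m := AUTHZ_RE.match(line):
            global_authz[int(m.group(1))] = m.group(2)
        if m := PRIV_RE.match(line):          # custom level created by 'privilege'
            levels_in_use.add(int(m.group(1)))
        if m := VTY_AUTHZ_RE.match(line):
            vty_authz.add(int(m.group(1)))
    return {
        "unguarded_levels": sorted(levels_in_use - set(global_authz)),
        "dangling_vty_levels": sorted(vty_authz - set(global_authz)),
        "config_commands": config_commands,
    }


if __name__ == "__main__":
    print(audit_command_authz(SAMPLE_CONFIG))
```

Appending the three "aaa authorization commands 0/1/15" lines and "aaa authorization config-commands" from the accepted answer to the sample makes the unguarded list empty.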