07-08-2009 09:34 AM - edited 03-10-2019 04:34 PM
Dear All, I am trying to set up a group which has priv 15 access, and they should see enable mode after authentication via ACS; they should not be asked for the enable password. How can I do this? I am unable to do so. I tried it but it's not working. What I need is that ACS should assign priv level 15 to configured users. I don't want to use Shell commands set.
Same thing I need for ASA firewall as well.
Is there any way to achieve this?
07-08-2009 10:16 AM
For IOS devices,
Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
On ACS
Bring users/groups in at level 15
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field
This feature is not supported on ASA/firewalls.
Regards,
~JG
Do rate helpful posts
07-08-2009 10:30 AM
I tried this but it didn't work for me; see my config below on devices:
aaa new-model
aaa group server tacacs+ bwaaa
server 10.2.6.1
server 10.2.6.2
ip tacacs source-interface Vlan1111
!
aaa authentication login aaa-list group bwaaa local
aaa authentication enable default group bwaaa enable
aaa authorization exec aaa-list group bwaaa local
aaa accounting exec aaa-list start-stop group bwaaa
aaa accounting commands 1 aaa-list start-stop group bwaaa
aaa accounting commands 15 aaa-list start-stop group bwaaa
aaa accounting system default start-stop group bwaaa
07-08-2009 12:03 PM
First try with a simple vanilla config:
tacacs-server key [key]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
If the issue is still there, get the debugs:
debug aaa authentication
debug aaa authorization
debug tacacs
Regards,
~JG
07-09-2009 11:15 AM
Hi, thanks, it worked with the default list but it is not working with my defined list. I don't know what the reason behind that is. Do you have any idea?
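When a `default` method list works but a named one does not, one thing to check is whether the lines reference the named list: IOS applies `default` lists to every line automatically, while a named list takes effect only on a line that references it (`login authentication <list>`, `authorization exec <list>`, and the matching `accounting` commands). The following Python audit is an added example, not part of any post in this thread; it runs over a constructed config in which the `line` section and the mistyped `aaa-lst` are assumptions, since the thread does not show how the lines are configured.

```python
import re

# Constructed sample: AAA lines from the thread plus a hypothetical line section.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login aaa-list group bwaaa local
aaa authorization exec aaa-list group bwaaa local
aaa accounting exec aaa-list start-stop group bwaaa
aaa accounting commands 15 aaa-list start-stop group bwaaa
!
line con 0
line vty 0 4
 login authentication aaa-list
 authorization exec aaa-lst
"""

SERVICE = r"(authentication login|login authentication|authorization exec|accounting exec|accounting commands \d+)"
DEFINE = re.compile(r"^aaa " + SERVICE + r" (\S+)")
APPLY = re.compile(r"^\s+" + SERVICE + r" (\S+)")

def audit(config):
    """Return sorted (line, service, problem) findings for named AAA lists."""
    defined, applied, current = {}, {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            applied[current] = {}
        elif current and (m := APPLY.match(raw)):
            # Under a line the login keyword order is reversed; normalise it.
            svc = m.group(1).replace("login authentication", "authentication login")
            applied[current][svc] = m.group(2)
        elif m := DEFINE.match(raw):
            current = None
            if m.group(2) != "default":
                defined.setdefault(m.group(1), set()).add(m.group(2))
        elif not raw.startswith(" "):
            current = None
    findings = []
    for line, used in applied.items():
        for svc, names in defined.items():
            if svc not in used:
                findings.append((line, svc, "named list not applied"))
            elif used[svc] not in names:
                findings.append((line, svc, "unknown list " + used[svc]))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

A line reported as "named list not applied" uses the `default` list for that service if one is defined, so the privilege level sent by ACS through a named exec authorization list is not applied on that line.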