How to disable enable privilege for ACS TACACS+

I have a MSFC with the following configuration.

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+

I have an ACS v3.0 running on NT.

I have set up an advanced TACACS+ option in the ACS that can enable privilege for users. However, the user can still log in to the MSFC and issue the "enable" command.

Is there a better way on the ACS to deny a certain user from executing the "enable" command, so that he cannot go to enable mode even though he may have the secret password which is set in the MSFC?

Thanks

David

Accepted Solution (Cisco Employee)

Re: How to disable enable privilege for ACS TACACS+

David

You can do command authorization and deny that command 'enable'.

So on the router you will have:

aaa authorization commands 0 default group tacacs+ local

On the ACS, for that user, under the command authorization, add the command as enable, arguments 'deny .'. Make sure you also have unlisted arguments denied.

Once command authorization has been enabled on the router, every user will be checked for authorization. So for the other users, on the ACS box, make sure you have Unmatched Cisco IOS commands set to Permit and also Unlisted arguments set to Permit.

Make the changes on the ACS first and then add the config on the router.

Thanks

Nisha
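The complete router-side AAA block the thread arrives at, shown as an added example that is not part of either post: it combines David's existing lines with the level-0 command-authorization line from the accepted answer. The TACACS+ server address and shared key are placeholders, and the two lines marked "not in the thread" are assumed hardening steps, not something the answer asked for.

```cisco
! Added example, not from the thread. Server address and key are assumed placeholders.
aaa new-model
!
tacacs-server host 192.0.2.10
tacacs-server key <shared-secret>
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! "enable" (together with disable, exit, help and logout) is a privilege-level-0
! command, so this is the line that sends "enable" to ACS for authorization.
aaa authorization commands 0 default group tacacs+ local
!
! Not in the thread (assumed extra step): also authorize level-15 commands, so a
! user who does reach privileged mode is still held to the ACS command set.
aaa authorization commands 15 default group tacacs+ local
!
aaa accounting commands 15 default start-stop group tacacs+
!
! Not in the thread (assumed extra step): without this, command authorization is
! not applied to the console line, so the restriction only covers vty logins.
aaa authorization console
```

Two things to check before relying on this. First, the `local` fallback applies when the TACACS+ server does not respond at all, not when ACS answers with a deny, so a user who is rejected by ACS is rejected; but if ACS is unreachable, the "enable" restriction is no longer enforced by the server. Second, confirm the decision path with `debug aaa authorization` and `debug tacacs` on the MSFC while the restricted user types `enable`, and cross-check against the Failed Attempts report on ACS; the per-user Unlisted arguments = Deny setting is what makes a bare `enable` (no arguments) match the deny, so that is the setting to inspect if the user still gets through.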

