How do I disable the enable privilege for ACS TACACS+?

d-tay
Level 1

I have an MSFC with the following configuration.

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+

I have an ACS v3.0 running on NT.

I have set up an advanced TACACS+ option in the ACS that can enable privilege for users. However, the user can still log in to the MSFC and issue the "enable" command.

Is there a better way on the ACS to deny a certain user from executing the "enable" command, so that he cannot go to enable mode even though he may have the secret password which is set in the MSFC?

Thanks

David

Accepted Solution

nchandy
Cisco Employee

David

You can do command authorization and deny the command 'enable'.

So on the router you will have:

aaa authorization commands 0 default group tacacs+ local

On the ACS, for that user, under command authorization, add the command as enable with the arguments 'deny .'. Make sure you also have unlisted arguments denied.

Once command authorization has been enabled on the router, every user will be checked for authorization. So for the other users, on the ACS box, make sure you have Unmatched Cisco IOS commands set to Permit and also Unlisted arguments set to Permit.

Make the changes on the ACS first and then add the config on the router.

Thanks

Nisha
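As an added worked example (not from the original post and not ACS code), the following Python script models the per-user command-authorization decision Nisha describes: a listed command carries ordered "permit"/"deny" argument regexes plus an unlisted-arguments default, and each user carries an unmatched-commands default. The evaluation order (first matching regex wins, argument text treated as one string) and the user names are assumptions made for the illustration; the three user entries mirror the thread: the restricted user with enable listed as 'deny .' and unlisted arguments denied, everyone else with unmatched commands permitted, and a user whose ACS entry was never updated before authorization was switched on.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical model of ACS per-user command authorization (an assumption made for
# this example, not Cisco ACS code). Each listed command has ordered (action, regex)
# argument rules plus a default for arguments no regex matches; the user policy has
# a default for commands that are not listed at all.


@dataclass
class CommandRule:
    command: str
    arg_rules: List[Tuple[str, str]] = field(default_factory=list)  # e.g. [("deny", ".")]
    unlisted_arguments: str = "deny"  # action when no arg_rules regex matches


@dataclass
class UserPolicy:
    name: str
    commands: Dict[str, CommandRule] = field(default_factory=dict)
    unmatched_commands: str = "deny"  # action when the command is not listed


def authorize(policy: UserPolicy, command_line: str) -> str:
    """Return 'permit' or 'deny' for one command line the router sent for authorization."""
    words = command_line.split()
    if not words:
        return "deny"
    name, argument_text = words[0], " ".join(words[1:])
    rule = policy.commands.get(name)
    if rule is None:
        # Command not listed for this user: the per-user default decides.
        return policy.unmatched_commands
    for action, pattern in rule.arg_rules:
        # Rules are tried in order; the first regex match wins (model assumption).
        if re.search(pattern, argument_text):
            return action
    # Nothing matched the arguments. For a bare "enable" the argument string is
    # empty, so "deny ." does not match and the unlisted-arguments setting decides;
    # that is why the reply insists on unlisted arguments being denied.
    return rule.unlisted_arguments


# The restricted user from the thread: "enable" listed with arguments "deny .",
# unlisted arguments denied, all other commands permitted.
RESTRICTED_USER = UserPolicy(
    name="david",  # constructed sample name
    commands={"enable": CommandRule("enable", [("deny", ".")], unlisted_arguments="deny")},
    unmatched_commands="permit",
)

# Everyone else: nothing listed, unmatched commands permitted.
OTHER_USER = UserPolicy(name="ops", unmatched_commands="permit")

# A user whose ACS entry was not updated before command authorization was enabled on
# the router (the ordering caveat in the reply): the deny default blocks every command.
FORGOTTEN_USER = UserPolicy(name="forgotten")


def decisions(policy: UserPolicy, lines: List[str]) -> Dict[str, str]:
    """Authorize a batch of command lines and return {line: decision}."""
    return {line: authorize(policy, line) for line in lines}


if __name__ == "__main__":
    # Constructed sample command lines, as the router would send them for authorization.
    sample = ["enable", "enable 15", "show version", "configure terminal"]
    for user in (RESTRICTED_USER, OTHER_USER, FORGOTTEN_USER):
        print(user.name, decisions(user, sample))
```

On the router side, 'aaa authorization commands 0' sends level-0 commands (enable is one of them) to the TACACS+ server, with 'local' as the fallback method if the server cannot be reached; the FORGOTTEN_USER entry shows what happens to a user whose ACS profile still has the deny defaults when that line is added, which is the reason for making the ACS changes first.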
