Cisco Support Community

How to assign privilege levels with TACACS+.

I'm using Cisco Secure ACS 3.3 for Windows.

I need to define max privilege on a per network device group basis, but all users have the privilege set to 1 when they connect to the router.

Using the debug, I can understand that ACS sends the attribute with a value of 1.

Thanks.

Andrea.

3 REPLIES

Re: How to assign privilege levels with TACACS+.

For shell authorization to work, the users should be assigned a privilege level of 15, but their access can be restricted to certain commands.

In your case you need to define a group which requires similar sets of privileges and then assign the restricted shell authorization set to this group.

Have a look at the attached file.

Narayan


Re: How to assign privilege levels with TACACS+.

Many thanks for your help!

I don't understand why ACS lets you configure a privilege level for an NDG!?

Andrea.

Re: How to assign privilege levels with TACACS+.

That is for enable privilege. The best way to set it up is to give all users priv lvl 15 and then define which commands a user can execute.

Note: Having priv 15 does not mean that the user will be able to issue all commands.

We will set up command authorization on ACS to have control over users.

This is how your config should look:

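! Login authentication: TACACS+ first, then the local user database
aaa authentication login default group tacacs+ local
! Exec (shell) authorization through TACACS+
aaa authorization exec default group tacacs+ if-authenticated
! Per-command authorization for level 1 and level 15 commands
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
! Also authorize commands entered in configuration mode
aaa authorization config-commands
! Send level 1 and level 15 commands to TACACS+ accounting
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+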

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Regards,

~JG

Do rate helpful posts
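
The approach in the reply above only restricts a privilege level 15 user if command authorization is really configured at that level. The following is an added example, not part of the original posts and not Cisco's code: a small Python check (the name `audit_aaa` and the sample config are constructed for illustration) that reads an IOS configuration and reports which of the AAA lines from the reply are missing from the default method lists.

```python
import re

# Constructed sample: the AAA lines from the reply with the
# "aaa authorization commands 15" line left out.
SAMPLE_CONFIG = """\
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization config-commands
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

AUTHZ = re.compile(r"^aaa authorization (?:exec|commands (\d+)) default (.+)$")
ACCT = re.compile(r"^aaa accounting commands (\d+) default (.+)$")


def audit_aaa(config, levels=(1, 15)):
    """List gaps in the default AAA method lists of an IOS config that gives
    users priv-lvl 15 and relies on TACACS+ command authorization."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    exec_ok, authz_levels, acct_levels = False, set(), set()
    for line in lines:
        m = AUTHZ.match(line)
        if m and "tacacs+" in m.group(2).split():
            if m.group(1) is None:
                exec_ok = True  # exec (shell) authorization
            else:
                authz_levels.add(int(m.group(1)))
        m = ACCT.match(line)
        if m and "tacacs+" in m.group(2).split():
            acct_levels.add(int(m.group(1)))
    findings = []
    if not exec_ok:
        findings.append("exec authorization does not use tacacs+")
    for lvl in levels:
        if lvl not in authz_levels:
            # Commands at this level are never checked against the server.
            findings.append(f"level {lvl} commands are not authorized by tacacs+")
        if lvl not in acct_levels:
            findings.append(f"level {lvl} commands are not sent to tacacs+ accounting")
    if "aaa authorization config-commands" not in lines:
        findings.append("configuration-mode commands are not authorized")
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

The check only looks at the `default` method lists, as in the reply; named lists applied to specific lines are not examined.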
