New Member

New to TACACS+/Cisco Secure ACS

I am new to using this product & I have a couple of questions. I have users configured & the groups configured (Admin & ReadOnly). I'm having difficulty with the syntax on my routers & switches when defining the rights/privileges for the admins & readonly users. Does anyone have a sample config that would help?

thanks,

4 REPLIES
Cisco Employee

Re: New to TACACS+/Cisco Secure ACS

Hi,

Looks like you are trying to configure command authorization, i.e. control which commands each user can execute on the device.

There are two ways to do it :-

1. Define the commands which each privilege level has access to on the device locally

2. Control the commands a group of users can enter on which device via ACS.

Let us know which one you are trying to configure and I will give a sample config.

Regards,

Vivek

New Member

Re: New to TACACS+/Cisco Secure ACS

Number #2 sounds more like it. Control what access/commands a group can do.

Cisco Employee

Re: New to TACACS+/Cisco Secure ACS

Hi,

For that you need exec authentication and command authorization on the device and shell command authorization set on ACS.

So on the device you would need the following minimum commands :-

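! Enable AAA
aaa new-model

! Log in against TACACS+, falling back to the local user database
aaa authentication login default group tacacs+ local

! Authorize level 1 and level 15 commands against TACACS+
aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

! <server-ip> and <shared-key> are placeholders for the ACS address and shared secret
tacacs-server host <server-ip> key <shared-key>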

On the ACS side, the following link will help :-

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/c.htm#wp697557

Regards,

Vivek
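An added example, not part of the original replies: a small Python check that a saved running-config contains the minimum AAA lines listed above, with TACACS+ first and a `local` fallback on each default method list. The sample config, address and key are constructed, and only the legacy `tacacs-server host` form shown in this thread is recognized.

```python
import re

# Constructed sample running-config excerpt (placeholder address and key).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+
tacacs-server host 192.0.2.10 key EXAMPLE-KEY
"""

REQUIRED_LEVELS = (1, 15)  # privilege levels the reply puts under authorization

def parse_method_lists(config):
    """Return {(service, list_name): [methods]} for the AAA lines used in the thread."""
    lists = {}
    pat = re.compile(r"^aaa (authentication login|authorization commands \d+) (\S+) (.+)$")
    for line in config.splitlines():
        m = pat.match(line.strip())
        if m:
            # "group tacacs+" is one method; collapse it to a single token
            methods = re.sub(r"group\s+(\S+)", r"group:\1", m.group(3)).split()
            lists[(m.group(1), m.group(2))] = methods
    return lists

def audit(config):
    """Return a list of findings; empty means the minimum set from the reply is present."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing")
    if not any(l.startswith("tacacs-server host ") for l in lines):
        findings.append("no tacacs-server host defined")
    lists = parse_method_lists(config)
    wanted = ["authentication login"] + [f"authorization commands {n}" for n in REQUIRED_LEVELS]
    for service in wanted:
        methods = lists.get((service, "default"))
        if methods is None:
            findings.append(f"{service}: no default method list")
            continue
        if methods[0] != "group:tacacs+":
            findings.append(f"{service}: tacacs+ is not the first method")
        if "local" not in methods[1:]:
            findings.append(f"{service}: no local fallback if ACS is unreachable")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```
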

New Member

Re: New to TACACS+/Cisco Secure ACS

That works!

Thanks for your help!
