shell & enable on ACS 4.0

cassinhee
Level 1

I am puzzled about shell and enable and the corresponding configuration on the client.

1)If I check shell under user group on ACS, I configured

aaa authorization exec default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

2) If I also check enable on ACS and configure aaa authentication enable default group tacacs local

can I just use one of the two options or use them together?

Thanks!

Accepted Solution

a.kiprawih
Level 7

You can use them together:

1. aaa authentication enable default group tacacs local --> use TACACS+; if TACACS+ fails or is unreachable, use the local user ID/password

You can use this only, but if you don't define authorization, make sure your user ID in TACACS+ has priv 15. PIX accepts only priv 15 or 2 (priv 2 is the default if you create a user ID in PIX without specifying a priv level).

But it's better to use TACACS+ for more control and centralization.

2. aaa authorization exec default group tacacs+ local --> use TACACS+ to authorize what commands can be executed; use local if TACACS+ fails

aaa authorization commands 15 default group tacacs+ local --> use TACACS+ to authorize which commands a user with priv level 15 can execute, and refer to local authorization if TACACS+ fails or is unreachable.

You can combine this with #1.

HTH

AK
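As an added example, not from the original post or from the answerer, here is one IOS configuration that combines #1 and #2 above, with the pieces the answer relies on but does not spell out (login authentication, a privilege-15 local fallback account, and command accounting). The server address and key are placeholders, and the fallback keyword for enable authentication is assumed to be `enable` because IOS enable method lists do not take `local`; PIX syntax differs.

```cisco
! Added example (not the original poster's or answerer's config).
! Combines enable authentication (#1) with exec/command authorization (#2).
aaa new-model
! Placeholder server address and shared key; replace with your ACS values.
tacacs-server host 192.0.2.10 key TACACS-SHARED-SECRET
!
! Local fallback accounts, used only when every TACACS+ server is unreachable.
! The local user must be privilege 15; otherwise a local-fallback session is
! authorized at the default privilege and cannot run level-15 commands.
username admin privilege 15 secret LOCAL-ADMIN-PASSWORD
enable secret ENABLE-PASSWORD
!
! Login authentication: the question omits it, but the enable and
! authorization lines need an authenticated user to act on.
aaa authentication login default group tacacs+ local
!
! #1: enable password checked by TACACS+; the local enable secret is the
! fallback (IOS uses the "enable" keyword here rather than "local").
aaa authentication enable default group tacacs+ enable
!
! #2: exec (shell) authorization, then authorization of each level-15 command.
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Record every level-15 command on the TACACS+ server for audit.
aaa accounting commands 15 default start-stop group tacacs+
!
line vty 0 4
 transport input ssh
```

Keep a console session open while applying this, and confirm that a TACACS+ user and the local fallback user can both reach privilege 15 before closing it.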
