shell & enable on ACS 4.0

I am puzzled about shell and enable and the corresponding configuration on the client.

1) If I check shell under user group on ACS, I configured

aaa authorization exec default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

2) If I also check enable on ACS and configure aaa authentication enable default group tacacs local

can I just use one of the two options or use them together?

Thanks!

1 ACCEPTED SOLUTION


Re: shell & enable on ACS 4.0

You can use them together:

1. aaa authentication enable default group tacacs local --> use tacacs+, if tacacs+ failed/unreachable, use local userID/pwd

You can use this only, but if you don't define authorization, make sure your user ID in TACACS+ has priv 15. PIX accepts either priv 15 or 2 only (priv 2 is the default if you create a user ID in PIX without specifying a priv level).

But it's better to use TACACS+ for more control and centralization.

2. aaa authorization exec default group tacacs+ local --> use tacacs+ to authorize what/cmd to execute, use local if tacacs+ failed

aaa authorization commands 15 default group tacacs+ local --> use tacacs+ to authorize which commands a user with priv level 15 can execute, and refer to local authorization if tacacs+ failed/unreachable.

You can combine this with #1.

HTH

AK
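An added config audit, written for this thread and not taken from the posts above or from Cisco, that checks an IOS-style running config for the combination AK describes: an enable authentication list, an exec/commands authorization list, and a local fallback on each so the box stays reachable when TACACS+ is down. The `aaa` line syntax, the sample config and the finding messages are assumptions for illustration.

```python
import re

# Constructed sample config: the three lines from the thread, with the
# "commands 15" list deliberately missing its local fallback.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication enable default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+
tacacs-server host 192.0.2.10
"""

# aaa <kind> <service> [<level>] <list-name> <method> [<method> ...]
AAA_LINE = re.compile(r"^aaa (authentication|authorization) (\S+)(?: (\d+))? (\S+) (.+)$")

# Methods that work without the TACACS+ server: the local user database,
# or (for the enable list) the locally configured enable password.
LOCAL_FALLBACK = {"local", "enable"}


def parse_aaa(config):
    """Return {(kind, service, level): [methods]} for each default aaa list."""
    lists = {}
    for line in config.splitlines():
        m = AAA_LINE.match(line.strip())
        if not m:
            continue
        kind, service, level, list_name, methods = m.groups()
        if list_name != "default":  # assumption: only the default lists are applied
            continue
        lists[(kind, service, level)] = methods.split()
    return lists


def audit(config):
    """Return findings for the shell/enable combination discussed in the thread."""
    lists = parse_aaa(config)
    enable = lists.get(("authentication", "enable", None))
    exec_ = lists.get(("authorization", "exec", None))
    cmds15 = lists.get(("authorization", "commands", "15"))
    findings = []
    if enable is None:
        findings.append("no 'aaa authentication enable' list: enable password is checked locally only")
    if exec_ is None and cmds15 is None:
        findings.append("no exec/commands authorization: TACACS+ user must carry priv 15 to reach enable mode")
    for name, methods in (("enable", enable), ("exec", exec_), ("commands 15", cmds15)):
        if methods and not LOCAL_FALLBACK & set(methods):
            findings.append(f"'{name}' list has no local fallback: lockout if TACACS+ is unreachable")
    return findings
```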

