Shell profile without a Command Set in ACS 5.1 - TACACS

Hi all,

I have created a shell profile with a default Privilege level of 15, I am able to successfully call this via an Access Service Rule. The issue I have, however, is that despite having the # symbol after I log in, the switch will only allow me to perform priv 15 level commands if I also bind an 'Allow All' command set to the results in the access service rule.

Is this how it should work or should the shell profile alone with the priv 15 setting be enough? Am I missing something?

The reason I ask is that in ACS 4.2 I would just tick Shell (exec) and set the Priv level to 15 in the appropriate group and would be good.

Thanks in advance

Rhodri

1 REPLY
Re: Shell profile without a Command Set in ACS 5.1 - TACACS

FYI

The issue here was the use of the 'aaa authorization commands' command.

If I don't use these commands, then I only need the shell profile as no command authorization takes place post authentication.

If using these commands, then you must also bind a command set to the results of the rule as the NAD will query the AAA server for each command.

If I want to permit all commands for a certain priv level, I use a 'permit all commands' command set which will then allow all commands within a specific priv level.

Here's an example NAD config:

aaa group server tacacs+
server 10.10.10.10

aaa authentication login default local
aaa authentication login Primary group local
aaa authentication login Secondary local
aaa authorization config-commands
aaa authorization exec default group if-authenticated
aaa authorization commands 0 default group if-authenticated
aaa authorization commands 1 default group if-authenticated
aaa authorization commands 3 default group if-authenticated
aaa authorization commands 15 default group if-authenticated
aaa accounting exec default start-stop group
aaa accounting commands 0 default start-stop group
aaa accounting commands 1 default start-stop group
aaa accounting commands 3 default start-stop group
aaa accounting commands 15 default start-stop group

line con 0
login authentication Secondary
line vty 0 4
login authentication Primary

Hope this helps someone

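A small Python model, added here and not part of the original thread or of ACS itself, of the two authorization steps the reply describes: one exec authorization at login (the shell profile sets the privilege level) and, only for levels that carry an 'aaa authorization commands <level>' line, one query per typed command (answered from the bound command set, or failed when none is bound). The command-set matching (ordered permit/deny rules plus a "permit any command not in the table" flag) is a simplified assumption, not ACS's exact algorithm.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CommandSet:
    # Simplified model of an ACS 5.x command set: ordered (grant, command, args-regex)
    # rules plus the "permit any command that is not in the table" checkbox.
    rules: list = field(default_factory=list)
    permit_unmatched: bool = False

    def evaluate(self, command: str, args: str) -> bool:
        for grant, cmd, args_re in self.rules:
            if cmd == command and re.fullmatch(args_re, args):
                return grant == "Permit"
        return self.permit_unmatched


@dataclass
class AccessRule:
    # What the access-service rule returns: shell profile priv level + optional command set.
    priv_level: int = 15
    command_set: Optional[CommandSet] = None


def exec_authorization(rule: AccessRule) -> dict:
    """Single exec authorization at login: the shell profile alone yields the '#' prompt."""
    return {"priv-lvl": rule.priv_level}


def command_authorization(rule: AccessRule, command: str, args: str = "") -> bool:
    """Per-command query: with no command set bound, the server has nothing to permit with."""
    if rule.command_set is None:
        return False
    return rule.command_set.evaluate(command, args)


def nad_allows(authz_levels: set, rule: AccessRule, priv: int,
               command: str, args: str = "") -> bool:
    """authz_levels = privilege levels configured with 'aaa authorization commands <lvl>'.
    A command at a level without that line is never sent to the server, so it runs."""
    if priv not in authz_levels:
        return True
    return command_authorization(rule, command, args)


# The reply's fix: a 'permit all commands' command set bound to the rule.
PERMIT_ALL = CommandSet(permit_unmatched=True)
# The NAD config in the reply authorizes commands at levels 0, 1, 3 and 15.
REPLY_NAD_LEVELS = {0, 1, 3, 15}
```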