Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

TACACS Command authorization


I'm trying to implement TACACS command authorization so that I can implement different levels of access to a firewall (admin, read-only and monitor). The reason is because I need to allow access for our NOC team to view the configuration without changing anything and for some users allow them to monitor the firewall.

I have used a configuration in the lab with the following version and it is working fine.

Cisco Adaptive Security Appliance Software Version 8.0(4)28
Device Manager Version 6.0(2)

So then I decided to start implementing the same configuration on the customer firewalls and on the first one I tried it, it was not working the same way allowing users with privilege level 5 to login to ASDM and change whatever they wanted. After a lot of troubleshooting I saw that the only difference was the ASDM version (asdm-613.bin). When I copied version 6.0(2) the configuration started to work again and the users with priv-level 5 were no longer able to change the configuration.

It worries me that different versions behave completely different so I would like to understand what should I expect and if there is any error in my configuration that would provoke this.

I am using Tacacs tac_plus version F4.0.4.19.


group = noc {
    default service = permit
    enable = cleartext "mypassword"
    login = cleartext "mypassword"
    service = exec {
     "priv-lvl" = 5

    cmd = show {
      permit .*

    cmd = exit {
     permit .*

    cmd = configure {
     deny .*

Any help would be very much appreciated.


CreatePlease login to create content