Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

TACACS+ for Device Management Security

Just would like to ask your assistance and more ideas about the above subject.

When TACACS+ is used for device management ( example; in a router ), when a user is defined in the ACS that he should not be able to use reload/copy commands inside the router. After defining it, why at CLI mode the authorization commands being defined which is to deny it will not take effect. It took effect only at telnet mode.

What security commands can be applied at the router side or at the ACS side that even at CLI mode, a user is also controlled what commands he is allowed to input/used.

Thank you and looking forward for your suggestions/work arounds.

Vivira Alastra

3 REPLIES
New Member

Re: TACACS+ for Device Management Security

What do you mean by CLI mode, is it the console connection, in certain version authorization is disabled in console and that could be the reason.

Have you addedd the command

aaa authorization config-commands

and see if there is any difference.

Silver

Re: TACACS+ for Device Management Security

If you are referring CLI to be EXEC (privileg mode) then probably you are missing command authorization lines missing.

aaa authorization exec default tacacs+ local

aaa authorization commands 0 default tacacs+ local

aaa authorization commands 15 default taccas+ local

If you have the above commands and still if it doesn't work, then my suggestion would be give us the profile, possibility that profile was not created properly.

New Member

Re: TACACS+ for Device Management Security

To make your authorization work while connected to the console, use this hidden command

aaa authorization console

If you are accessing the console using a reverse telnet connection, use this published command

aaa authorization reverse-access default / list-name method1..method2

169
Views
0
Helpful
3
Replies
CreatePlease to create content