User unable to issue a sh run command

Hi,

Recently we have configured TACACS version 4.2, and I created a read-only profile for one group with privilege level 5. Now users are unable to issue a "sh run" command. Apart from that, users are able to run all show commands.

Somebody please help me with this.

If possible, could somebody please send me a document on the different privilege levels and the commands accepted at each level, from 1 to 15.

1 ACCEPTED SOLUTION

Re: User unable to issue a sh run command

For show run you need to give priv 15. ACS works in a different way compared with setting up local priv lvls on the router/switch.

The best way to set it up is to give all users priv lvl 15 and then define which commands each user can execute.

Note: Having priv 15 does not mean that the user will be able to issue all commands.

We will set up command authorization on ACS to have control over users.

This is how your config should look:

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Regards,

~JG

Do rate helpful posts
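A small audit script, added here as an example and not part of the original thread or of any Cisco tool: it parses an IOS running-config and reports whether the per-level command authorization and accounting lines from the answer above are present, and which method lists fall back to if-authenticated or none when the TACACS+ server is unreachable. The sample config is constructed from the answer's lines; the "no aaa authorization config-commands" check assumes the IOS default that config-command authorization is on unless explicitly disabled.

```python
import re

# Constructed sample input (not captured from a real device): the AAA block
# from the accepted answer, plus "aaa new-model" which the answer assumes.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) \S+ (.+)$")
ACCT_RE = re.compile(r"^aaa accounting commands (\d+) \S+ start-stop (.+)$")

def audit_aaa(config, levels=(1, 15)):
    """Check a running-config for the per-command authorization and
    accounting controls discussed above. Returns (missing, warnings):
    'missing' lists absent controls, 'warnings' lists fallback methods
    that let commands through when the TACACS+ server is unreachable."""
    authz, acct, missing, warnings = {}, {}, [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := AUTHZ_RE.match(line):
            authz[int(m.group(1))] = m.group(2).split()
        elif m := ACCT_RE.match(line):
            acct[int(m.group(1))] = m.group(2).split()
        elif line == "no aaa authorization config-commands":
            # config-commands authorization is on by default, so only the
            # explicit "no" form shows up in a running-config.
            missing.append("config-mode commands are not authorized")
    for lvl in levels:
        methods = authz.get(lvl)
        if methods is None:
            missing.append(f"no command authorization for privilege {lvl}")
        else:
            if methods[:2] != ["group", "tacacs+"]:
                missing.append(f"privilege {lvl} not authorized by tacacs+ first")
            # IOS tries the next method only when the server returns an
            # error (unreachable), not when it denies the command.
            if "if-authenticated" in methods or "none" in methods:
                warnings.append(f"privilege {lvl} falls open if TACACS+ is unreachable")
        if lvl not in acct:
            missing.append(f"no command accounting for privilege {lvl}")
    return missing, warnings
```

Run audit_aaa on the output of "show running-config | include aaa"; the two warnings it raises for the sample are the expected price of the if-authenticated fallback, which keeps operators logged in when ACS is down.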
