11-02-2005 09:09 AM
I have a CSS 11506 (7.40.1.03) configured as a TACACS client with:
virtual authentication primary tacacs
virtual authentication secondary local
tacacs-server key <our key>
tacacs-server frequency 0
tacacs-server <ip addr> 49 primary frequency 0
tacacs-server <ip addr> 49 frequency 0
tacacs-server account config
(no tacacs-server authorize config)
Whenever any TACACS user telnets or ssh's and logs into the CSS, they are connected in "privileged" mode ("#" prompt), no matter what their TACACS profile may be. Our ACS system is not set up for authorization, and works fine on all our other routers and switches.
I would expect the user to be in "user" (non-privileged) mode when they connect. Am I missing something?
CSS11506# sho tacacs-server
Per-Server Status:
IP/Port State Primary Authen. Author. Account
------- ----- ------- ------- ------- ------
<ip addr>:49 Alive Yes 9 0 5
<ip addr>:49 Alive No 0 0 0
Totals: 9 0 5
Per-Server Configuration:
IP/Port Key Server Timeout Server Frequency
------- --- -------------- ----------------
<ip addr>:49 Not Configured None 0
<ip addr>:49 Not Configured None 0
Global Configuration Parameters:
Global Timeout: 5
Global KAL Frequency: 0
Global Key: Configured
Authorize Config Commands: No
Authorize Non-Config Commands: No
Account Config Commands: Yes
Account Non-Config Commands: No
Send Full Command: Yes
11-06-2005 02:49 AM
You need authorization for setting up privilege.
Regards,
Gilles.
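
An audit check for the state visible in the posted `sho tacacs-server` output, as an added example that is not part of the thread: it parses the per-server counters and global parameters and reports when logins are being authenticated while authorization is disabled and has never been requested. The sample text is constructed from the post with placeholder addresses (192.0.2.x); the function names are hypothetical.

```python
import re

# Constructed sample: the posted `sho tacacs-server` output, abridged,
# with placeholder server addresses from the documentation range.
SAMPLE = """\
Per-Server Status:
IP/Port State Primary Authen. Author. Account
------- ----- ------- ------- ------- ------
192.0.2.10:49 Alive Yes 9 0 5
192.0.2.11:49 Alive No 0 0 0
Totals: 9 0 5
Global Configuration Parameters:
Global Timeout: 5
Authorize Config Commands: No
Authorize Non-Config Commands: No
Account Config Commands: Yes
"""

# One per-server status row: ip:port, state, primary flag, three counters.
ROW = re.compile(r"^(\S+:\d+)\s+(\w+)\s+(Yes|No)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
# A "Name: value" line; section headings (nothing after the colon) do not match.
PARAM = re.compile(r"^([A-Za-z][A-Za-z \-]*?):\s*(\S.*?)\s*$")

def parse(text):
    """Return (servers, params) extracted from the command output."""
    servers, params = [], {}
    for line in map(str.strip, text.splitlines()):
        m = ROW.match(line)
        if m:
            servers.append({"server": m.group(1), "state": m.group(2),
                            "authen": int(m.group(4)), "author": int(m.group(5)),
                            "account": int(m.group(6))})
            continue
        m = PARAM.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return servers, params

def findings(text):
    """List the authorization gaps the output reveals (empty list if none)."""
    servers, params = parse(text)
    out = []
    for key in ("Authorize Config Commands", "Authorize Non-Config Commands"):
        if params.get(key, "No") != "Yes":
            out.append(f"{key} is not enabled")
    authen = sum(s["authen"] for s in servers)
    author = sum(s["author"] for s in servers)
    if authen > 0 and author == 0:
        out.append(f"{authen} authentication requests but 0 authorization requests")
    return out
```
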