Setting readonly access on switches and routers using Tacacs

smith606306 (Level 1)

Hi,

I want to set up a user account so he has read-only access to switches, routers etc. I think I have done everything that it tells me in the documentation, but I can't get past the enable prompt, where it fails authentication (command authorization failed.)

Attached is a document on how it is set up on the ACS.

Any help would be appreciated

aaa new-model
!
!
aaa authentication login default group tacacs+ enable local line
aaa authentication login vtymethod group tacacs+ enable local line
aaa authentication login conmethod group tacacs+ enable local line
aaa authentication login auxmethod group tacacs+ enable local line
aaa authentication enable default group tacacs+ enable line
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
!
!
aaa session-id common
tacacs-server host 10.127.244.34
tacacs-server directed-request
tacacs-server key 7 456389
line con 0
 logging synchronous
 login authentication conmethod
 stopbits 1
line vty 0 4
 exec-timeout 15 0
 password 7 0327
 logging synchronous
 login authentication vtymethod
 transport input ssh
line vty 5 15
 exec-timeout 15 0
 password 7 03270h391C1E
 logging synchronous
 login authentication vtymethod
 transport input ssh


4 Replies

Richard Burts (Hall of Fame)

Andrew

If you want the user to be in read only mode then the user should be at privilege level 1, which is the default privilege level when you log in on the router or switch.

So I am puzzled why you are attempting the enable command. The purpose of enable command is to get from read only user mode to privilege mode. But why are you trying that for a user who should remain at privilege level 1?

I will also point out one detail: you mention an authentication failure, but if you look closely you will see that the failure was not authentication but authorization:

(command authorization failed.)

HTH

Rick

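To make Rick's point concrete, here is a small check (added here as an example; it is not part of the thread or of any Cisco tool) that parses the "aaa authorization commands" lines from the config posted above and reports, per privilege level, what the method list means for a read-only user. The sample config is copied from the post; the findings reflect standard IOS method-list behaviour.

```python
import re

# Sample input: the command-authorization lines from the posted config
# (copied from the thread; the double space after "default" is preserved).
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization config-commands
aaa authorization commands 0 default  group tacacs+ local
aaa authorization commands 1 default  group tacacs+ local
aaa authorization commands 15 default group tacacs+ none
"""

CMD_AUTHZ = re.compile(r"^aaa authorization commands (\d+) (\S+)\s+(.*)$")


def parse_command_authorization(config):
    """Return {privilege_level: [method, ...]} for every
    'aaa authorization commands <level> <list> <methods>' line.
    'group <name>' is kept as one token so the order of methods is clear."""
    levels = {}
    for line in config.splitlines():
        m = CMD_AUTHZ.match(line.strip())
        if not m:
            continue
        level, _list_name, rest = m.groups()
        tokens, methods, i = rest.split(), [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        levels[int(level)] = methods
    return levels


def review(levels):
    """Flag the two things that matter for a read-only (level 1) rollout."""
    findings = []
    # 'enable' is itself a level-1 EXEC command: with a server-based method
    # at level 1, the router asks the server before running it, so a profile
    # that does not permit it yields 'command authorization failed'.
    if 1 in levels and levels[1][0].startswith("group "):
        findings.append("level 1: 'enable' is authorized by the TACACS+ server; "
                        "a profile that denies it produces 'command authorization failed'")
    # A trailing 'none' is only reached when the earlier methods error out
    # (server unreachable); at that point commands run with no check at all.
    for level, methods in sorted(levels.items()):
        if methods[-1] == "none":
            findings.append(f"level {level}: last method is 'none', so commands run "
                            "unauthorized when the TACACS+ server is unreachable")
    return findings
```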

Ok. Do you know what the level is for doing show run commands etc.?

Andrew

In normal operation Cisco IOS uses 2 privilege levels. Privilege level 1 is the default when a user logs in and provides read-only type commands. You can get a list of the commands that are available in user mode by entering the help request ? at the user level prompt. Privilege level 15 provides show run commands, config t commands, and other commands that potentially impact operating performance of the router or switch. You can get a list of the commands that are available in privilege mode by entering the help request ? at the privilege level prompt.

You can assign commands to other privilege levels. But in my experience this is not done very often.

HTH

Rick


Thanks very much. I will set up a new group with specific commands that can be used.
