11-09-2011 01:11 AM - edited 03-07-2019 03:17 AM
Hi,
I want to set up a user account so he has read-only access to switches, routers, etc. I think I have done everything that it tells me in the documentation, but I can't get past the enable prompt, where it fails authentication (command authorization failed.)
Attached is a document on how it is set up on the ACS.
Any help would be appreciated
aaa new-model
!
!
aaa authentication login default group tacacs+ enable local line
aaa authentication login vtymethod group tacacs+ enable local line
aaa authentication login conmethod group tacacs+ enable local line
aaa authentication login auxmethod group tacacs+ enable local line
aaa authentication enable default group tacacs+ enable line
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
!
!
aaa session-id common
tacacs-server host 10.127.244.34
tacacs-server directed-request
tacacs-server key 7 456389
!
line con 0
 logging synchronous
 login authentication conmethod
 stopbits 1
line vty 0 4
 exec-timeout 15 0
 password 7 0327
 logging synchronous
 login authentication vtymethod
 transport input ssh
line vty 5 15
 exec-timeout 15 0
 password 7 03270h391C1E
 logging synchronous
 login authentication vtymethod
 transport input ssh
11-09-2011 02:11 AM
Andrew
If you want the user to be in read only mode then the user should be at privilege level 1, which is the default privilege level when you log in on the router or switch.
So I am puzzled why you are attempting the enable command. The purpose of enable command is to get from read only user mode to privilege mode. But why are you trying that for a user who should remain at privilege level 1?
I will also point out one detail: you mention an authentication failure, but if you look closely you will see that the failure was not authentication but was authorization (command authorization failed).
HTH
Rick
11-09-2011 02:31 AM
Ok. Do you know what the level is for doing show run commands etc.?
11-09-2011 02:41 AM
Andrew
In normal operation Cisco IOS uses 2 privilege levels. Privilege level 1 is the default when a user logs in and provides read-only type commands. You can get a list of the commands that are available in user mode by entering the help request ? at the user level prompt. Privilege level 15 provides show run commands, config t commands, and other commands that potentially impact operating performance of the router or switch. You can get a list of the commands that are available in privilege mode by entering the help request ? at the privilege level prompt.
You can assign commands to other privilege levels. But in my experience this is not done very often.
HTH
Rick
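Rick's last point, that commands can be moved to other privilege levels, as an added IOS configuration example (not the poster's config and not from this thread): a read-only level 7 that gets show running-config without the user ever typing enable. The level number 7, the command list and the readonly username are assumptions; the matching ACS side (a group whose shell profile returns privilege level 7) is not shown.

```cisco
! Added example, not the poster's configuration. Level 7 and the
! command list are assumptions; adjust to the commands the group needs.
!
! Move the two level-15 "show" commands the read-only group needs down
! to level 7. Everything already at level 1 (show version, show ip
! route, ping, ...) stays available without any change.
privilege exec level 7 show running-config
privilege exec level 7 show startup-config
!
! Let the TACACS+ server hand the user his privilege level at login
! (exec authorization), so a read-only user lands directly at level 7
! and never has to pass the enable prompt at all.
aaa authorization exec default group tacacs+ local
!
! The poster's config authorizes and accounts for levels 0, 1 and 15
! only; add level 7 so ACS can still veto individual commands and
! every command the group runs is logged.
aaa authorization commands 7 default group tacacs+ local
aaa accounting commands 7 default start-stop group tacacs+
!
! Local fallback account at the same level for when the TACACS+
! server is unreachable. <password> is a placeholder.
username readonly privilege 7 secret <password>
```

Caveat: on most IOS releases, show running-config run from a level below 15 prints only the configuration lines that level is allowed to configure, so a level-7 user may see a shorter config than expected; where the release supports it, show running-config view full returns the whole thing.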
11-09-2011 02:57 AM
Thanks very much. I will set up a new group with specific commands that can be used.