Cisco Support Community
Community Member

TACACS+

Hi,

Is there a way to allow a user to have access to the privileged execution level without being able to go to the configuration level?

In other words, I need the user to have access to all the commands available in the privileged exec level without being able to go to the configuration level typing the command 'configure'.

Is defining privilege levels for the commands the only way to do this? I defined an enable password with privilege 10 and then defined the privilege level of the command "show running configuration" as 10. So I expected the user to see the config.

But the configuration displayed was blank. Is this because the commands in the configuration had higher privilege than 10?

I want to allow a user to access the privilege level and execute some commands like "show ip route" or "clear counter" along with the ability to see the full running configuration. At the same time he should not be allowed to go to the configuration level.

thanks and regards,

jimmy.

2 REPLIES
Cisco Employee

Re: TACACS+

You need to define privilege levels for the set of commands you want to group.

Here is a good URL for that:

http://www.cisco.com/warp/public/480/PRIV.html

Community Member

Re: TACACS+

Hi,

I'm comfortable with the configurations which I have to do at the router but need some help with the configuration of the TACACS+ server. I'm using the TACACS+ freeware server provided by Cisco for beginners.

As per the document sent by you, to assign a privilege level of 7 to a user seven the configuration on the server should be:

    user = seven {
        login = cleartext seven
        service = exec {
            priv-lvl = 7
        }
    }

Now my question is: if I configure the username in this manner, does the privilege level of 7 get associated with the user?

When I telnet to a router and enter the username and password as seven, I log in to the exec level.

From here, how do I log into privilege level 7? I need some more clarity in this regard.

Currently what I have done is I have defined a username and password for the exec level. Also, I have defined a password for a particular enable level. So if I type enable 10 at the exec prompt, the TACACS+ server takes enable 10 as the username and allows connections if I enter the correct enable 10 password defined on the server? Is this the way of doing this?

What I'm looking for is: a user has a username and password (test10 and pass10 respectively) with access to a particular privilege, say 10. He also has an enable password for this level, say enab10.

Now when he telnets to a router, it asks for a username and password. He enters test10 and pass10, then at the exec prompt > he types enable, the router asks for a password, he enters enab10 and he lands in privilege 10. Is this possible to attain? Your help is appreciated.

regards,

jimmy.
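
How the router side pairs with the `priv-lvl = 7` server entry quoted in the post above, as an added example that is not part of the original thread or of the linked Cisco document. The server address and shared key are placeholders, and moving `clear counters` to level 7 is an assumed choice for illustration:

```cisco
! Constructed example: 192.0.2.10 and EXAMPLE-SHARED-KEY are placeholders.
aaa new-model
!
! Check login username/password against TACACS+; fall back to local
! accounts only if the server does not respond.
aaa authentication login default group tacacs+ local
!
! Request exec attributes from the server at login. Without exec
! authorization the router ignores priv-lvl and the session starts at
! level 1; with it, user "seven" starts directly at level 7.
aaa authorization exec default group tacacs+ if-authenticated
!
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE-SHARED-KEY
!
! Move a command that defaults to level 15 down to level 7.
privilege exec level 7 clear counters
!
! "configure" is left at its default level 15, so a level 7 session
! cannot enter configuration mode.
!
! After logging in, confirm the level that was assigned:
!   show privilege
```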
