Authorization levels - How do you configure them in Cisco Secure?

ogaldona
Level 1

How do you configure the authorization levels in Cisco Secure for TACACS+ so that certain users can access certain commands on a device?

3 Replies

kteich
Level 1

As shown below, I moved the commands "clear" and "clear line" to privilege level 2. Usually you must be in enable mode (priv 15) to be able to execute the command "clear line".

Thereafter you assign shell:priv-lvl=2 to your user or group profile in Cisco Secure. Make sure that "shell privileges" are enabled for this user and that your NAS checks authorization via TACACS+, too.

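! Authenticate logins and authorize exec sessions via TACACS+
aaa new-model
aaa authen login login_check gr tac
aaa author exec exec_check gr tac
! Move "clear" and "clear line" to privilege level 2
privilege exec level 2 clear line
privilege exec level 2 clear
! TACACS+ server and shared key
tacacs-server host 1.2.3.4
tac key goodluck
! Apply the method lists to the vty lines
line vty 0 4
 login authen login_check
 author exec exec_check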

Is that the only way to do this, to provide various privilege levels on each device? In the Group Manager it has an area where you can permit/deny commands and arguments, but I've yet to figure out how to get the NAS to authorize on this feature.

Example: permit the command "show running-config"

Configure at the router:

aaa author commands 0 telnet_check gr tacacs+
aaa author commands 1 telnet_check gr tacacs+
aaa author commands 15 telnet_check gr tacacs+
aaa author exec telnet_check gr tacacs+
aaa authen login telnet_check gr tacacs+

... to define the order of author methods

line vty 0 4
 login authen telnet_check
 author exec telnet_check
 author comm 0 telnet_check
 author comm 1 telnet_check
 author comm 15 telnet_check

... to define the interface

Configure the user at Cisco Secure:

enable "shell"
enable "priv"
configure level 15 for priv

... user has priv 15 permissions after logging on (privileged mode)

IOS commands:

general:
radio button: deny all other commands (like debug config, etc)

subfolder:
cmd= show
cmd-arg=permit running-config
radio button: deny all other commands (for show)
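
Added example (not part of the original thread, and not Cisco Secure's own matching logic): a simplified Python model of the per-command authorization flow described in the replies above, using the "show running-config" rule and the level 0/1/15 authorization lists from the last reply. The function names, the exact-match rule for arguments and the "not-checked" result are assumptions made for illustration.

```python
"""Simplified model of TACACS+ per-command authorization (illustration only)."""

# Constructed group profile mirroring the reply: permit only "show running-config".
POLICY = {
    "unmatched_commands": "deny",               # "deny all other commands"
    "commands": {
        "show": {
            "args": [("permit", "running-config")],
            "unmatched_args": "deny",           # deny every other "show ..."
        },
    },
}

# Privilege levels with "aaa authorization commands <level> ..." configured.
AUTHORIZED_LEVELS = {0, 1, 15}


def to_av_pairs(cli_line):
    """Build the cmd / cmd-arg attributes of a TACACS+ authorization request."""
    words = cli_line.split()
    return [f"cmd={words[0]}"] + [f"cmd-arg={w}" for w in words[1:]] + ["cmd-arg=<cr>"]


def server_decision(av_pairs, policy=POLICY):
    """Return 'permit' or 'deny'; the first matching argument rule wins."""
    cmd = next(p[len("cmd="):] for p in av_pairs if p.startswith("cmd="))
    args = " ".join(p[len("cmd-arg="):] for p in av_pairs
                    if p.startswith("cmd-arg=") and p != "cmd-arg=<cr>")
    rule = policy["commands"].get(cmd)
    if rule is None:
        return policy["unmatched_commands"]
    for action, pattern in rule["args"]:
        if args == pattern:                     # exact match is an assumption
            return action
    return rule["unmatched_args"]


def nas_decision(cli_line, command_level, levels=AUTHORIZED_LEVELS):
    """Model the device: it only queries the server for the configured levels."""
    if command_level not in levels:
        return "not-checked"                    # local privilege level alone decides
    return server_decision(to_av_pairs(cli_line))


if __name__ == "__main__":
    for line, level in [("show running-config", 15), ("show version", 1),
                        ("debug all", 15), ("clear line 2", 2)]:
        print(f"{line!r} (level {level}): {nas_decision(line, level)}")
```

The last sample line shows the gap to watch for: a command moved to level 2 with "privilege exec level 2" is never sent to the server unless command authorization is also configured for level 2.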
