New Member

Authorization levels - How do you configure them in Cisco Secure?

How do you configure the authorization levels in Cisco Secure for TACACS+ so that certain users can access certain commands on a device?

3 REPLIES
New Member

Re: Authorization levels - How do you configure them in Cisco Se

As shown below I moved the commands "clear" and "clear line" to privilege level 2. Usually you must be in enable mode (priv 15) to be able to execute the command "clear line".

Thereafter you assign shell:priv-lvl=2 to your user or group profile in Cisco Secure. Make sure that "shell privileges" are enabled for this user and that your NAS checks authorization via TACACS+, too.

aaa new-model
aaa authentication login login_check group tacacs+
aaa authorization exec exec_check group tacacs+
! move "clear line" (and its parent keyword "clear") down to level 2
privilege exec level 2 clear line
privilege exec level 2 clear
tacacs-server host 1.2.3.4
tacacs-server key goodluck
line vty 0 4
 login authentication login_check
 authorization exec exec_check

New Member

Re: Authorization levels - How do you configure them in Cisco Se

Is that the only way to do this, provide various privilege levels on each device? In the Group Manager it has an area where you can permit/deny commands and arguments, but I've yet to figure out how to get the NAS to authorize on this feature.

New Member

Re: Authorization levels - How do you configure them in Cisco Se

Example: permit the command "show running-config".

Configure at the router:

aaa authorization commands 0 telnet_check group tacacs+
aaa authorization commands 1 telnet_check group tacacs+
aaa authorization commands 15 telnet_check group tacacs+
aaa authorization exec telnet_check group tacacs+
aaa authentication login telnet_check group tacacs+

... to define the order of authorization methods

line vty 0 4
 login authentication telnet_check
 authorization exec telnet_check
 authorization commands 0 telnet_check
 authorization commands 1 telnet_check
 authorization commands 15 telnet_check

... to define the interface

Configure the user at CiscoSecure:

enable "shell"
enable "priv"
configure level 15 for priv
... user has priv 15 permissions after logging on (privileged mode)

IOS commands:
  general:
    radio button: deny all other commands (like debug, config, etc.)
  subfolder:
    cmd=show
    cmd-arg=permit running-config
    radio button: deny all other commands (for show)
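As an added illustration (not code from the replies or from Cisco), the following Python models how the two mechanisms in this thread combine on the router: the IOS privilege level of a command path from the first reply, then the Cisco Secure command authorization set with its two "deny all other" radio buttons from the last reply. The privilege table, the whole-string argument match and the SHOW_RUN_ONLY set are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed model (not IOS or Cisco Secure code) of the two checks the replies
# combine: the IOS privilege level a command path is assigned to, then a TACACS+
# command authorization set with its two "deny all other" radio buttons.

@dataclass
class CommandRule:
    # Ordered (action, argument string) pairs, e.g. ("permit", "running-config").
    # Arguments are compared as whole strings here (assumption, not ACS semantics).
    args: List[Tuple[str, str]] = field(default_factory=list)
    deny_unmatched_args: bool = True      # "deny all other commands (for show)"

@dataclass
class CommandSet:
    rules: Dict[str, CommandRule] = field(default_factory=dict)
    deny_unmatched_commands: bool = True  # "deny all other commands (like debug ...)"

# Constructed privilege table after the first reply's
# "privilege exec level 2 clear" / "clear line" lines have been applied.
PRIV_LEVEL = {"show": 1, "show running-config": 15, "clear": 2,
              "clear line": 2, "debug": 15, "configure": 15}

def required_level(command_line: str) -> int:
    """Longest matching command path in the table (simplification: anything
    typed after a listed path inherits its level). Unlisted paths need 15."""
    words = command_line.split()
    for n in range(len(words), 0, -1):
        level = PRIV_LEVEL.get(" ".join(words[:n]))
        if level is not None:
            return level
    return 15

def authorize(user_priv: int, cmd_set: CommandSet, command_line: str) -> bool:
    """True only if the privilege level and the command set both permit it."""
    if required_level(command_line) > user_priv:
        return False  # parser rejects it before any TACACS+ request is sent
    cmd, _, args = command_line.strip().partition(" ")
    rule = cmd_set.rules.get(cmd)
    if rule is None:
        return not cmd_set.deny_unmatched_commands
    for action, pattern in rule.args:
        if args == pattern:
            return action == "permit"
    return not rule.deny_unmatched_args

# The set from the third reply: cmd=show, cmd-arg=permit running-config, deny the rest.
SHOW_RUN_ONLY = CommandSet(rules={"show": CommandRule(args=[("permit", "running-config")])})
```

Note that a priv-lvl 2 user from the first reply never reaches the command set for "show running-config": the privilege check fails first, which is why both controls have to be configured together.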
