Cisco Support Community
New Member

Restriction Of User Privileges Through Tacacs+

I would like to know how to restrict a user to configuring only interface serial after entering configuration mode. The user authentication is done using a Tacacs+ server.

New Member

Re: Restriction Of User Privileges Through Tacacs+

There isn't a standardized way to limit all commands for one interface. You will need to specifically permit all the desired commands. All other commands can be implicitly denied.

The two most common ways to do this are:

1) Locally, not using tacacs. This is obviously not as scalable a solution. However, it doesn't use up all the bandwidth requiring everyone to authenticate to an aaa server for every command. Using this method, you can assign the user a priv level other than 15, then assign the allowed commands to the same priv level.

i.e. user has priv level 9

config t = priv 9
int serial = priv 9
encapsulation frame-relay = priv 9

You must explicitly change each of these commands to priv 9.

2) You can do the same thing using tacacs, by using command authorization. On the router:

aaa authorization commands 15 default tacacs

This will require authorization from the tacacs server for all level 15 commands. In your TACACS server, you will have to configure the desired commands. How you implement it is application specific, i.e. tacacs freeware, CSUnix, or CSNT.

If you are using the most common one, ACS NT, then check the IOS commands box, check the deny all unmatched commands box, and enter the desired command. After you submit it, it will give you another box to enter an additional command. Just repeat the process for each additional command you want to permit.

You will find it useful to implement this using something other than the default aaa method, to prevent locking yourself out of the router. I.e.

aaa authorization commands 15 vtymethod tacacs none
line vty 0 4
 authorization commands 15 vtymethod

Establish a console session and enable debug aaa authentication and debug aaa authorization while you're initially configuring this so you can proactively troubleshoot while you're configuring.
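As an added example (not part of the reply above, and not Cisco or ACS code), here is a small Python model of the server-side logic that method 2 relies on: a command set that permits only the commands listed for it, matches their arguments against ordered permit/deny patterns, and denies anything unmatched, shown beside the weaker setting where unmatched commands are permitted. The command names and argument patterns are constructed for the serial-interface case in the question; the ACS matching behaviour is approximated (first word is the command, the rest are arguments, first matching pattern wins), and the router is assumed to send the fully expanded command to the server, which is what IOS does.

```python
"""Toy model of TACACS+ per-command authorization for the serial-only case.

The device asks the server about every command the user types; the server
permits only explicitly listed commands and implicitly denies the rest.
Constructed example; it is not Cisco IOS or ACS code.
"""
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """One listed command (the first word as IOS sends it, fully expanded)
    plus ordered argument patterns; the first matching pattern decides."""
    command: str
    arg_rules: list = field(default_factory=list)   # [(action, regex), ...]
    permit_unmatched_args: bool = False               # ACS 'permit unmatched args'


@dataclass
class CommandSet:
    """A command set; permit_unmatched_commands=False is the
    'deny all unmatched commands' box ticked."""
    rules: dict
    permit_unmatched_commands: bool = False

    def authorize(self, cmd_line: str) -> str:
        words = cmd_line.split()
        if not words:
            return "deny"
        command, args = words[0], " ".join(words[1:])
        rule = self.rules.get(command)
        if rule is None:
            # Unlisted command: implicit deny unless the weak setting is on.
            return "permit" if self.permit_unmatched_commands else "deny"
        for action, pattern in rule.arg_rules:
            if re.fullmatch(pattern, args):
                return action
        return "permit" if rule.permit_unmatched_args else "deny"


def serial_only_policy(permit_unmatched_commands: bool = False) -> CommandSet:
    """Permit list for the question: config mode, serial interfaces only,
    frame-relay encapsulation. 'exit' and 'end' are permitted too, or the
    user cannot leave configuration mode. Constructed patterns."""
    return CommandSet(
        rules={
            "configure": CommandRule("configure", [("permit", r"terminal")]),
            "interface": CommandRule(
                "interface",
                [("permit", r"[Ss]erial.*"), ("deny", r".*")],
            ),
            "encapsulation": CommandRule("encapsulation", [("permit", r"frame-relay")]),
            "exit": CommandRule("exit", permit_unmatched_args=True),
            "end": CommandRule("end", permit_unmatched_args=True),
        },
        permit_unmatched_commands=permit_unmatched_commands,
    )


def audit_session(policy: CommandSet, commands: list) -> list:
    """Return (command, decision) pairs, the way the server would answer
    each authorization request in turn."""
    return [(cmd, policy.authorize(cmd)) for cmd in commands]


if __name__ == "__main__":
    # Constructed session: the expanded commands a level-15 user might type.
    session = [
        "configure terminal",
        "interface Serial0/0",
        "encapsulation frame-relay",
        "interface GigabitEthernet0/1",
        "encapsulation ppp",
        "end",
        "reload",
    ]
    print("deny-unmatched (recommended):")
    for cmd, decision in audit_session(serial_only_policy(), session):
        print(f"  {decision:6} {cmd}")
    print("permit-unmatched (weak):")
    for cmd, decision in audit_session(serial_only_policy(True), session):
        print(f"  {decision:6} {cmd}")
```

The 'deny .*' pattern under "interface" is what keeps the user out of non-serial interfaces even when the rest of the set is fairly open; the 'reload' line shows that leaving the deny-unmatched box unticked lets any command not on the list through.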
