Hi Lorenz,

The privilege level is something that is being used by the IOS. The ACS will send the priv-level for the user and the IOS will authorize the commands based on the priv level. Priv 15 is something that can't be configured; it is available by default. Priv 14 is something that we should configure.
If the ACS sends priv 14, then the user will have the commands configured for priv 14. If you don't have "aaa authorization exec", then the IOS will expect an enable password or secret with the privilege to be configured. Without an enable secret or password, you will be locked in the exec mode. Instead of an enable password or secret, you can configure

    enable secret level 14
    privilege exec level 14 clear line

With these two commands, you will get what you desire. But, if you need to have aaa authorization for exec without an enable password or secret, then you need to configure "aaa authorization exec". With this, you are placed directly based on the priv level. For 0 and 1, you will always be placed in exec. From 2 to 15, you will be placed in priv exec mode and have command privilege based on the priv level given to you. For your case, just have priv level 14 in ACS and privilege 14 configured as follows:

    aaa authentication login vty group tacacs+
    aaa authorization exec vty group tacacs+
    privilege exec level 14 clear line

If you still need command authorization for commands of priv 4, use the following and configure a shell command authorization set.

    aaa new-model
    !
    !
    aaa authentication login vty group tacacs+
    aaa authorization exec vty group tacacs+
    aaa authorization commands 14 vty group tacacs+
    line vty 0 4
     exec-timeout 0 0
     authorization commands 14 vty
     authorization exec vty
     login authentication vty

Note: If you have priv 15 under vty, the user will get priv 15 no matter what the ACS gives.

With regards
Kings

On Fri, Feb 5, 2010 at 2:53 PM, Tating, Lorenzo C. Jr. <[email protected]> wrote:
> I am trying to do Shell Command Authorization on my routers using Tacacs.
>
> I have one user that I place under privilege level 14. I want a level 15 command (clear line) to be used by that user. Using the "privilege exec level 14 clear line" works, but I need to implement it on ACS to save me time from having to enter the command over and over again to many routers.
> But I noticed that once my user logged under privilege level 14 (Tacacs Setting, Privilege Level = 14), the Command Authorization. I cannot bring the "clear line" command to that level. I tried using this on ASA and it works, it just seems the router won't allow bringing a level 15 command down to level 14, without manually configuring "privilege exec level 14 clear line"
>
> ACS config:
> Per Group Command Authorization
> Unmatched Cisco IOS commands
> (deny)
>
> [check] Command:
> clear
>
> Arguments:
> (none)
>
> Unlisted arguments:
> permit
>
> Any help will be appreciated.
>
> Sincerely,
> Lorenz
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
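As an added illustration (not code from the thread), a small Python lint that checks an IOS configuration for the three pitfalls Kings describes: no "aaa authorization exec" and no enable secret/password, a "privilege level 15" under the vty lines that overrides the level ACS sends, and a command-authorization list defined globally but not applied on the vty. Both configs below are constructed samples.

```python
# Constructed sample configs (not from the thread): one with the pitfalls, one fixed.
WEAK_CFG = """aaa authentication login vty group tacacs+
aaa authorization commands 14 vty group tacacs+
line vty 0 4
 privilege level 15
"""
FIXED_CFG = """aaa authentication login vty group tacacs+
aaa authorization exec vty group tacacs+
aaa authorization commands 14 vty group tacacs+
privilege exec level 14 clear line
line vty 0 4
 authorization commands 14 vty
 authorization exec vty
 login authentication vty
"""

def sections(cfg):
    """Split an IOS config into global lines and the sub-lines of each 'line ...' block."""
    glob, blocks, cur = [], {}, None
    for raw in cfg.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        if raw.startswith(" ") and cur is not None:
            blocks[cur].append(text)            # indented: inside the current line block
        elif text.startswith("line "):
            cur, blocks[text] = text, []
        else:
            cur = None
            glob.append(text)
    return glob, blocks

def lint(cfg):
    """Return findings for the pitfalls discussed in the thread; [] means none apply."""
    glob, blocks = sections(cfg)
    out = []
    if (not any(g.startswith("aaa authorization exec ") for g in glob)
            and not any(g.startswith(("enable secret", "enable password")) for g in glob)):
        out.append("no 'aaa authorization exec' and no enable secret/password: "
                   "a user ACS assigns priv 14 is left in user EXEC")
    # (level, list-name) pairs from 'aaa authorization commands <level> <list> ...'
    cmd_lists = [g.split()[3:5] for g in glob if g.startswith("aaa authorization commands ")]
    for name, sub in blocks.items():
        if not name.startswith("line vty"):
            continue
        if any(s.startswith("privilege level 15") for s in sub):
            out.append(f"{name}: 'privilege level 15' overrides the priv level ACS sends")
        for level, lst in cmd_lists:
            if f"authorization commands {level} {lst}" not in sub:
                out.append(f"{name}: list '{lst}' (commands {level}) defined but not applied")
    return out
```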
