Correction at the bottom:

On Fri, Feb 5, 2010 at 5:12 PM, Kingsley Charles <[email protected]> wrote:
> Hi Lorenz
>
> The privilege level is something that is being used by the IOS. The ACS will send the priv-level for the user and the IOS will authorize the commands based on the priv level. Priv 15 is something that can't be configured and is available by default. Priv 14 is something that we should configure.
>
> If the ACS sends priv 14, then the user will have commands configured for priv 14.
>
> If you don't have "aaa authorization exec", then the IOS will expect enable password or secret with the privilege to be configured. Without enable secret or password, you will be locked in the exec mode. Instead of enable password or secret, you can configure
>
> enable secret level 14
> privilege exec level 14 clear line
>
> With these two commands, you will get what you desire.
>
> But, if you need to have aaa authorization for exec without enable password or secret, then you need to configure "aaa authorization exec". With this, directly placed based on the priv level. For 0 and 1, you will always be placed in exec. From 2 to 15, you will be placed in priv exec mode and have command privilege based on the priv level given to you.
>
> For your case, just have priv level 14 in ACS and privilege 14 configured as following
>
> aaa authentication login vty group tacacs+
> aaa authorization exec vty group tacacs+
>
> privilege exec level 14 clear line
>
> If you still need command authorization for commands of priv 4, use the following and configure shell command authorization set.
>
> aaa new-model
> !
> !
> aaa authentication login vty group tacacs+
> aaa authorization exec vty group tacacs+
> aaa authorization commands 14 vty group tacacs+
>
> line vty 0 4
>  exec-timeout 0 0
>  authorization commands 14 vty
>  authorization exec vty
>  login authentication vty
>
> Note: For the case where you don't have aaa authorization exec and if you have priv 15 under vty line, then the user will get priv 15.
>
> With regards
> Kings
>
> On Fri, Feb 5, 2010 at 2:53 PM, Tating, Lorenzo C. Jr. <[email protected]> wrote:
>
>> I am trying to do Shell Command Authorization on my routers using Tacacs.
>>
>> I have one user that I place under privilege level 14. I want a level 15 command (clear line) to be used by that user. Using the "privilege exec level 14 clear line" works, but I need to implement it on ACS to save me time from having to enter the command over and over again to many routers. But I noticed that once my user logged under privilege level 14 (Tacacs Setting, Privilege Level = 14), the Command Authorization. I cannot bring the "clear line" command to that level. I tried using this on ASA and it works, it just seems the router won't allow bringing a level 15 command down to level 14, without manually configuring "privilege exec level 14 clear line"
>>
>> ACS config:
>> Per Group Command Authorization
>> Unmatched Cisco IOS commands
>> (deny)
>>
>> [check] Command:
>> clear
>>
>> Arguments:
>> (none)
>>
>> Unlisted arguments:
>> permit
>>
>> Any help will be appreciated.
>>
>> Sincerely,
>> Lorenz
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
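As an added example (not code from the thread or from Cisco): a small Python audit that checks a router's running-config for the pieces Kings lists, namely the exec authorization list, the level-14 command authorization list, the command lowered to level 14, and the vty line applying those lists, plus the priv-15-on-vty case from his note. The sample config, the function names and the gap messages are constructed for this example.

```python
import re

# Constructed sample config mirroring the thread's working example (list "vty", level 14).
GOOD_CONFIG = """\
aaa new-model
aaa authentication login vty group tacacs+
aaa authorization exec vty group tacacs+
aaa authorization commands 14 vty group tacacs+
privilege exec level 14 clear line
line vty 0 4
 authorization commands 14 vty
 authorization exec vty
 login authentication vty
"""

def vty_blocks(config):
    """Return the indented bodies (stripped lines) of every 'line vty' block."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = []
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            current.append(raw.strip())
        else:
            current = None
    return blocks

def audit_command_authz(config, level=14, command="clear line"):
    """List the gaps that stop a priv-`level` TACACS+ user from running
    `command` the way the thread describes; an empty list means all present."""
    lines = [l.rstrip() for l in config.splitlines()]
    gaps = []
    if "aaa new-model" not in lines:
        gaps.append("aaa new-model missing")
    exec_lists = re.findall(r"^aaa authorization exec (\S+) group tacacs\+", config, re.M)
    cmd_lists = re.findall(rf"^aaa authorization commands {level} (\S+) group tacacs\+", config, re.M)
    if not exec_lists:
        gaps.append("no 'aaa authorization exec ... group tacacs+': ACS priv level is not applied")
    if f"privilege exec level {level} {command}" not in lines:
        gaps.append(f"'{command}' is not lowered to level {level} on this router")
    for body in vty_blocks(config):
        if exec_lists and not any(f"authorization exec {x}" in body for x in exec_lists):
            gaps.append("vty line does not apply the exec authorization list")
        if cmd_lists and not any(f"authorization commands {level} {x}" in body for x in cmd_lists):
            gaps.append(f"vty line does not apply the level-{level} command authorization list")
        if not exec_lists and "privilege level 15" in body:
            gaps.append("vty sets privilege level 15 with no exec authorization: every login lands at priv 15")
    return gaps
```

Run it against `show running-config` output from each router to find the ones where "clear line" was never lowered to level 14 or where the vty line forgets to apply the lists.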
