because sometimes you may have users that you don't want to necessarily give shell access. Without this to reject it, all users in ACS will have at least priv 1 access to everything.
I have used this extensively in production.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com <http://www.ipexpert.com/>

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Saturday, June 25, 2011 6:48 AM
To: [email protected]
Subject: [OSL | CCIE_Security] Exec authorization without shell access

Hi all

If the router is configured for exec authorization and shell (exec) is not enabled in the user account in the TACACS server (ACS server), the authorization fails.

But I wonder why it has been decided to reject the user login. I agree, the user doesn't have shell privilege, but still he/she can be given priv 0 access as the user has passed the authentication. If the user needs privilege access, he/she can use enable password to get in.

aaa authentication login auth group tacacs+
aaa authorization exec athr group tacacs+

line vty 0 4
 authorization exec athr
 login authentication auth

Any thoughts?

With regards
Kings
