aaa command authorization using tacacs.

From: Kal Han (calikali2006@gmail.com)
Date: Wed Nov 08 2006 - 23:10:43 ART


Hello All,

Say I created a user with privilege level 5 on ACS,
so when the user logs in, he is assigned a privilege level of 5.
Now I enabled aaa command authorization on the router for privilege levels
1, 5, 15. (I did not configure any "privilege exec" or "privilege configure"
commands on the router.) I want to leave everything to tacacs.

I configured certain commands to be authorized for this user5 *on tacacs*.
Example: on tacacs, I permitted the "configure terminal" command
(which is at privilege level 15 on the router).

Will the user be able to execute that command?

Will the router even send any request to tacacs when the user executes
"configure terminal", given that the user is at privilege level 5 and the
command is by default at level 15? (Or does the router simply reject the CLI?)

How do we handle such a situation?
Is creating "privilege exec level 5 configure terminal" the only way (if the
above doesn't work)?
(Can tacacs alone handle "complete" command authorization without any
additional config on the router, other than the aaa authorization command ...)

Please let me know.
Thanks
Kal


