From: Lab Rat #109385382 (techlist01@gmail.com)
Date: Wed Nov 08 2006 - 23:28:14 ART
All the command levels you set up for TACACS+ authorization will never
reference the local router, but will be sent to the ACS.
Doesn't matter what you do on the router unless you are referencing certain
commands there (e.g., "aaa authorization commands 5 LOCAUTH local")
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Kal Han
Sent: Wednesday, November 08, 2006 6:11 PM
To: Cisco certification; ccielab
Subject: aaa command authorization using tacacs.
Hello All,
Say I created a user with privilege level 5 on ACS.
So when the user logs in, he is assigned a privilege level of 5.
Now I enabled aaa command authorization on the router for privilege levels
1, 5, 15. (I did not configure any "privilege exec" or "privilege configure"
commands on the router.) I want to leave everything to tacacs.
I configured certain commands to be authorized for this user5 *on tacacs*.
example: on tacacs, I permitted "configure terminal" command.
( which is at privilege level 15 on the router )
Will the user be able to execute that command?
Will the router even send any request to tacacs when the user executes
"configure terminal", given that the user is at privilege level 5 and the
command is by default at level 15? (Or does the router simply reject the CLI?)
How do we handle such a situation ?
Is creating "privilege exec level 5 configure terminal" the only way (if the
above doesn't work)? (Can tacacs alone handle "complete" command
authorization without any additional config on the router, other than the aaa
authorization command?)
Please let me know.
Thanks
Kal
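The configuration below is an added example for the situation discussed in this thread (the level-5 user, the level-15 "configure terminal" command, and TACACS+ command authorization); it is not configuration posted by either participant. The server address, key and command-set names are placeholders. The point it shows: IOS only parses a command if it exists at or below the user's current privilege level, so a level-5 user typing a level-15 command is rejected by the parser before any TACACS+ authorization request leaves the router. Either the command has to be moved down to level 5 on the router, or the user has to be placed at privilege 15 by ACS and restricted by ACS command authorization.

```cisco
! Added example, not from the thread. 192.0.2.10 / TACACSKEY are placeholders.
aaa new-model
tacacs-server host 192.0.2.10 key TACACSKEY
!
aaa authentication login default group tacacs+ local
! exec authorization lets ACS hand back the user's privilege level (priv-lvl)
aaa authorization exec default group tacacs+ local
!
! every command entered at these levels is sent to ACS for authorization;
! "local" is only the fallback if no TACACS+ server answers
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! also authorize commands typed inside configuration mode
aaa authorization config-commands
!
! Option A: keep the user at level 5 in ACS, but make "configure terminal"
! visible at level 5 on the router so the parser accepts it and ACS gets asked.
privilege exec level 5 configure terminal
!
! Option B (no per-command router config): assign priv-lvl 15 to the user in
! ACS and attach a deny-by-default command set there, so ACS alone decides
! which commands the user may run. With this option, Option A is unnecessary.
```

To check which path a command actually takes, log in as the user, run "show privilege" to confirm the level ACS assigned, and enable "debug aaa authorization" and "debug tacacs" on the router: a command the parser rejects with "% Invalid input" produces no TACACS+ request at all, whereas a command at an allowed level shows an authorization request and the server's PASS/FAIL reply.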
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:45 ART