From: Anderson Mota Alves (mota.anderson@gmail.com)
Date: Sat Jan 05 2008 - 11:20:30 ARST
Hi everyone,
My doubt may be really silly to a lot of people, but it's really driving me
crazy each time I need to do it.
I will explain my doubt in two situations:
First case:
Imagine I need to create a user with privilege 7 in the ACS and only
authorize him to configure BGP sub-commands using ACS:
In ACS I know that I need to put this user into privilege 7. I usually
create the user, set the password, check Shell (exec), set Privilege
level (7) and even authorize only the commands needed using Shared Profile
Components, but my question here is: do I really need to choose the "Max
Privilege for any AAA Client" option in ACS, set to 7, together with an enable
password in the "TACACS+ Enable Password" option, and why?
I know that ACS will only put the user into privilege level 7, and then in the
switch or router I need to "downgrade" the commands from level 15 to level 7
with
privilege exec level 7 configure terminal and so on...
Second case:
In case I need to create a user to be used for administration of the PIX or
the routers (using telnet), for example, I usually do it like this in the ACS:
Create the user, set the password, check Shell (exec), set Privilege level
(15) and Per User Authorization commands (Permit) without limiting anything
for authorization, but the strange thing for me in this situation is that
even in Cisco examples they recommend you to configure "Max Privilege for
any AAA Client" and set it to 15. My question is: why? I could almost
understand it for the first situation, where I need to limit the user to level
7, but limiting the max to the maximum level in the router, which is 15, why?
Any input is really appreciated and HAPPY NEW YEAR!!!!
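An added example of the router-side configuration that the two cases above rely on: TACACS+ exec and command authorization for both privilege levels, plus the "downgrade" of configuration mode and the BGP sub-commands from level 15 to level 7 for the first case. This is not part of the original post and does not settle the ACS "Max Privilege for any AAA Client" question; the server address, the shared key, the local fallback account and the particular BGP sub-commands lowered are assumptions.

```cisco
! Added example, not from the original post. Assumed values: the TACACS+
! server 192.0.2.10, the shared key, the local fallback account, and the
! set of BGP sub-commands moved down to level 7.
aaa new-model
tacacs-server host 192.0.2.10 key EXAMPLE-KEY
!
! Authenticate logins against ACS; fall back to the local database only
! if every TACACS+ server is unreachable.
aaa authentication login default group tacacs+ local
! Let the exec privilege level (7 or 15) returned in the ACS shell
! authorization reply take effect at login.
aaa authorization exec default group tacacs+ local
! Ask ACS for per-command authorization at both levels used here
! (first case: 7, second case: 15). config-commands is the default and is
! made explicit so that configuration-mode commands are also checked.
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
!
! First case: a level-7 user cannot enter configuration mode or reach the
! BGP commands until they are moved down from level 15 to level 7.
! Lowering "configure terminal" also exposes its parent "configure".
privilege exec level 7 configure terminal
privilege configure level 7 router bgp
privilege router level 7 neighbor
privilege router level 7 network
!
! Second case: a level-15 user needs no "privilege" lines; every command
! already lives at level 15, and ACS decides per command what is permitted.
!
! Local fallback account, used only when TACACS+ cannot be reached.
username admin privilege 15 secret EXAMPLE-PASSWORD
!
line vty 0 4
 transport input telnet ssh
```

With this in place the level-7 user's reach is the intersection of two checks: the "privilege" lines decide which commands the IOS parser shows at level 7 at all, and "aaa authorization commands 7" sends each of those commands to ACS, which can still deny them. Lowering a keyword such as "neighbor" lowers every sub-command under it, so the command set authorized in ACS is what actually narrows the user to the intended BGP changes.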
This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:37:57 ARST