AAA authorization configuration issue

From: Julio Carrasco <julio.carrasco_at_ya.com>
Date: Tue, 8 Sep 2009 10:48:50 +0200

Hi all,

I have configured a Cisco 7609 router, with aaa, and everything seems to be
working fine except for the authorization for commands:

My configuration is like this:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 2 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 3 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
ip tacacs source-interface Loopback1
tacacs-server host 192.168.100.1 timeout 5
tacacs-server key 7 xxxxxxxxxxxxxxxx

I have created a user in a group with privilege level 2 on the TACACS server
(an ACS 4.2), and I have applied a shell authorization set for this group of
level 2 users, with just a few commands, to test if the authorization for the
commands is obtained from the ACS server.
It seems that it is not working: if I log in on the router with the level 2
user and I issue the "show privilege" command, I see that the privilege is
2, as I configured on the TACACS+ server. But when I try to issue the commands
that I included in the shell command set, it doesn't allow me.

Does anyone have a clue why my configuration is not working?

Best regards and thanks in advance!

Received on Tue Sep 08 2009 - 10:48:50 ART
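
An added example, not part of the original post: IOS applies each "aaa authorization commands N" and "aaa accounting commands N" line only to commands that sit at privilege level N, so this Python sketch parses the AAA lines quoted above and lists which levels have command authorization and which have command accounting. The function names are hypothetical and the input is the post's own configuration copied inline.

```python
import re

# Constructed input: the per-command AAA lines from the post, copied verbatim.
CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 2 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 3 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

# Matches only the per-level command lines, e.g. "aaa authorization commands 2 default ..."
LINE = re.compile(r"^aaa (authorization|accounting) commands (\d+) (\S+) (.+)$")

def command_coverage(config):
    """Map privilege level -> {service: method string} for the default method list."""
    coverage = {}
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # login/exec lines and unrelated config are not per-level
        service, level, list_name, methods = m.groups()
        if list_name != "default":
            continue  # named lists only apply where a line references them
        coverage.setdefault(int(level), {})[service] = methods
    return coverage

def gaps(config, levels):
    """Return (level, missing_service) pairs for the levels being audited."""
    coverage = command_coverage(config)
    missing = []
    for level in levels:
        for service in ("authorization", "accounting"):
            if service not in coverage.get(level, {}):
                missing.append((level, service))
    return missing

if __name__ == "__main__":
    for level, services in sorted(command_coverage(CONFIG).items()):
        print(f"level {level:2}: {', '.join(sorted(services))}")
    for level, service in gaps(CONFIG, (1, 2, 3, 15)):
        print(f"level {level:2}: no command {service} configured")
```

Run against the posted configuration, it shows command authorization only at level 2 and command accounting only at levels 1, 3 and 15.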
