[nsp] TACACS Authentication for telnet users

Tejal Shah tejal.shah at in.iqara.net
Mon Jul 19 06:27:28 EDT 2004


Hi Oli,

Below is the config I did in the profile
user = xxxxx {
       login = des 9Yu3082mqnBzw
       service = exec {
        priv_lvl=15
        }
    }

and on Router
=============

aaa group server tacacs+ tacgrp
 server x.x.x.x

aaa authentication login default local
aaa authentication login login-auth-list group tacgrp local line
aaa authorization exec login-auth-list group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

I am able to authenticate with user xxxxx but am not getting priv-level 15
access.
I have to give the enable password to make any change.

Regards
Tejal Shah

----- Original Message ----- 
From: "Oliver Boehmer (oboehmer)" <oboehmer at cisco.com>
To: "Tejal Shah Shah" <shahtejal at gmail.com>; "NSP List"
<cisco-nsp at puck.nether.net>
Sent: Monday, July 19, 2004 2:53 PM
Subject: RE: [nsp] TACACS Authentication for telnet users


> [ sorry, now the complete email ]
>
> include the following lines in your users' tacacs profile
>
>         service = exec {
>                 priv-lvl = 15
>         }
>
>
> and enable exec authorization via "aaa authorization exec default group
> tacacs+ if-authenticated" on your devices.
>
> oli
>
>
> Tejal Shah Shah <> wrote on Monday, July 19, 2004 11:12 AM:
>
> > Hello All,
> >
> > As of now I am using TACACS for telnet user authentication;
> > I am defining the uid & password in the tacacs config file on a TACACS server
> > running on Linux.
> >
> > After a user gets authenticated on the TACACS server,
> > for login to enable mode I have to communicate the enable password to all
> > of them, or an enable-level password on which limited commands are allowed.
> >
> > How can you define the priv-level in the tacacs config so that the user will get
> > enable-level access as defined on the tacacs server, so that I don't
> > need to communicate the enable password any more?
> >
> >
> > Regards
> > Shah
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>

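Added example, not part of the thread: a small Python lint that checks a tac_plus profile and IOS AAA lines against the two points in Oliver's reply, the attribute spelling `priv-lvl` and an exec authorization list that the login lines actually use. The function names are hypothetical; the sample inputs are copied from the post with the password hash replaced by a placeholder, and since the post shows no `line vty` stanza the check treats it as absent.

```python
import re

# Sample inputs copied from the post above (password hash replaced by a
# placeholder). The post shows no "line vty" stanza, so none appears here.
PROFILE = """\
user = xxxxx {
    login = des <hash>
    service = exec {
        priv_lvl=15
    }
}
"""
ROUTER = """\
aaa authentication login login-auth-list group tacgrp local line
aaa authorization exec login-auth-list group tacacs+ if-authenticated
"""

def check_profile(text):
    """Flag privilege attributes in 'service = exec' not spelled 'priv-lvl'."""
    findings = []
    for block in re.findall(r"service\s*=\s*exec\s*\{(.*?)\}", text, re.S):
        for name, value in re.findall(r"([\w-]+)\s*=\s*(\S+)", block):
            if name != "priv-lvl" and re.fullmatch(r"priv[-_]?(lvl|level)", name):
                findings.append(f"'{name}={value}': expected 'priv-lvl = {value}'")
    return findings

def check_ios(text):
    """Flag exec authorization lists that no line in the text would use."""
    lists = re.findall(r"^aaa authorization exec (\S+)", text, re.M)
    # A named list only takes effect on lines that reference it;
    # lines without a reference fall back to the list called "default".
    applied = set(re.findall(r"^[ \t]+authorization exec (\S+)", text, re.M))
    findings = [f"list '{n}' is defined but not applied under any line"
                for n in lists if n != "default" and n not in applied]
    if not any(n == "default" or n in applied for n in lists):
        findings.append("no exec authorization list is in effect")
    return findings

if __name__ == "__main__":
    for finding in check_profile(PROFILE) + check_ios(ROUTER):
        print("WARN:", finding)
```

The findings describe only the text passed in; a running configuration that applies the named list under its vty lines clears the second check.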