David and all,

Thanks a lot for your reply and time.

Is there any way I can do this without using an external RADIUS/TACACS server, or by using just router commands? Can't afford to use an external server. :)

Thanks again.

>From: "David Tran"
>To: "IT Guy" ,
>Subject: Re: Typical Access Server setting [7:27437]
>Date: Tue, 27 Nov 2001 09:50:26 -0500
>
>Tom,
>The best way (albeit not the easiest) to get this done is via TACACS. Set up
>a TACACS box with Cisco Freeware version (if you are a cheapskate like myself).
>Furthermore, you need to implement AAA authorization on the router for this
>to work. With AAA authorization, you can even restrict users from seeing the
>configuration even if he/she has enable privilege. Here is a sample of what
>is needed to be configured on the router:
>
>aaa new-model
>aaa authentication login default group tacacs+ local enable
>aaa authentication login usenone none
>aaa authentication enable default group tacacs+ enable
>aaa authorization commands 0 default group tacacs+ if-authenticated
>aaa authorization commands 15 default group tacacs+ if-authenticated none
>aaa accounting send stop-record authentication failure
>aaa accounting exec default start-stop group tacacs+
>aaa accounting commands 0 default start-stop group tacacs+
>aaa accounting commands 1 default start-stop group tacacs+
>aaa accounting commands 15 default start-stop group tacacs+
>
>The TACACS server is where you restrict user access to the router. For
>example, I have a user name "reg". This user can have access to the
>privilege mode; however, this user can NOT use the "show running" to
>view the configuration. The drawback to AAA authorization, at least in the
>way I implement it, is that if the router somehow loses connectivity to the
>TACACS server, user "reg" can have complete control of the router.
>However, in almost all cases, the router is configured to have at least 2
>TACACS servers for redundancy. Here is a snip of the login sequence for
>user "reg":
>
>User Access Verification
>
>Username: reg
>Password:
>
>ACCESS-SERVER>en
>Password:
>ACCESS-SERVER#conf t
>Command authorization failed.
>
>ACCESS-SERVER#
>
>TACACS server is very powerful and flexible. However, Cisco
>TACACS Freeware doesn't have a lot of documentation so
>your learning curve might be steep. It takes me a while to learn it
>since my Unix skill isn't that great to begin with. But I have to say
>that this freeware is rock solid.
>
>Let me know if you have questions.
>
>
>----- Original Message -----
>From: "IT Guy"
>To:
>Sent: Tuesday, November 27, 2001 4:18 AM
>Subject: Typical Access Server setting [7:27437]
>
> > Hi guys,
> >
> > Need your help to setup my Access server.
> > I need to setup My Access server router (16 ports) such that two different
> > users can get different access rights when access the Rack routers
> > (different routers) through these Access server.
> > For example I want User-A to give access to only Basic mode and restrict him
> > by using enable mode or seeing any configurations in Access server.
> > On the other hand, I want other user to have full access.
> >
> > Any idea how to setup this??
> >
> > Thanks for help
> >
> > Tom

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=27518&t=27437
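
The drawback described in the quoted reply (user "reg" gaining full control when the router cannot reach the TACACS server) follows from the fallback methods at the end of the AAA method lists. As an added example that is not part of the original thread, this Python audit parses the quoted AAA lines and reports every method list that lets a request through without a server decision. The names CONFIG, PERMISSIVE, split_methods and audit are hypothetical, and the fallback semantics in the comments are an assumption based on general IOS AAA behaviour.

```python
import re

# Lines from the quoted config (one accounting line kept; it is ignored).
CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication login usenone none
aaa authentication enable default group tacacs+ enable
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated none
aaa accounting exec default start-stop group tacacs+
"""

# Methods that admit a request without any server decision. A later method
# is consulted only when the earlier one errors out (server unreachable),
# so these take effect exactly when TACACS+ cannot be reached.
PERMISSIVE = {"authentication": {"none"},
              "authorization": {"none", "if-authenticated"}}
LINE = re.compile(r"^aaa (authentication|authorization) "
                  r"(login|enable|exec|commands \d+) (\S+) (.+)$")

def split_methods(text):
    """Ordered method list; 'group tacacs+' counts as a single method."""
    tokens, methods = text.split(), []
    while tokens:
        tok = tokens.pop(0)
        if tok == "group" and tokens:
            tok += " " + tokens.pop(0)
        methods.append(tok)
    return methods

def audit(config):
    """Return (kind, service, list_name, method, when) per fail-open list."""
    findings = []
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        kind, service, name, rest = m.groups()
        methods = split_methods(rest)
        weak = [x for x in methods if x in PERMISSIVE[kind]]
        if weak:
            # With no server method first, the list is open all the time.
            when = "fallback" if methods[0].startswith("group ") else "always"
            findings.append((kind, service, name, weak[0], when))
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(*finding, sep=" | ")
```

On the quoted configuration it reports the "usenone" login list as always open and both command authorization lists as open on fallback, which is the condition under which "reg" is no longer restricted.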

