Evening group,

I have a TACACS server, and the setup we are trying to achieve goes as follows: I want the LAN admins to have minimal control on their switches in their area. We have accomplished that on the vty ports. Here is the config:

Server:
  user=test
  password=test12
  service=shell
    set priv-level=15
    default cmd=(permit/deny)

And the commands we want are here:
    prohibit cmd=x
    prohibit cmd=y

Switch:
aaa new-model
aaa authentication login telnet group tacacs+ line none
aaa authorization exec privilege group tacacs+ none
aaa authorization commands 15 cmd group tacacs+ none
line con 0
 exec-timeout 5 0
 password 7 xxxxxxxxxxxxxxxxx
 authorization commands 15 cmd
 authorization exec privilege
 login authentication telnet
 transport input telnet
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 authorization commands 15 cmd
 authorization exec privilege
 login authentication telnet
 transport input telnet

It works great for vty but not for console. I read somewhere about a hidden authorization command for console, but it is not working. Here is a debug:

xxxxxxxxxxx#debug aaa authorization
*Mar 1 00:15:22: AAA/MEMORY: free_user (0x6B451C) user='test' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
*Mar 1 00:15:24: AAA: parse name=tty0 idb type=-1 tty=-1
*Mar 1 00:15:24: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
*Mar 1 00:15:24: AAA/MEMORY: create_user (0x69BC24) user='' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
*Mar 1 00:15:37: AAA/AUTHOR: authenticated console user is permitted
*Mar 1 00:15:50: AAA/MEMORY: free_user (0x528F70) user='' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
*Mar 1 00:16:05: AAA/MEMORY: free_user (0x6B4478) user='' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15

Failed attempts for console

*Mar 1 00:16:27: AAA: parse name=tty2 idb type=-1 tty=-1
*Mar 1 00:16:27: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
*Mar 1 00:16:27: AAA/MEMORY: create_user (0x4D4CE4) user='' ruser='' port='tty2' rem_addr='1x.1x.6x.2x' authen_type=ASCII service=LOGIN priv=1
*Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): Port='tty2' list='privilege' service=EXEC
*Mar 1 00:16:35: AAA/AUTHOR/EXEC: tty2 (3125102166) user='test'
*Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): send AV service=shell
*Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): send AV cmd*
*Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): found list "privilege"
*Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): Method=tacacs+ (tacacs+)
*Mar 1 00:16:35: AAA/AUTHOR/TAC+: (3125102166): user=test
*Mar 1 00:16:35: AAA/AUTHOR/TAC+: (3125102166): send AV service=shell
*Mar 1 00:16:35: AAA/AUTHOR/TAC+: (3125102166): send AV cmd*
*Mar 1 00:16:35: AAA/AUTHOR (3125102166): Post authorization status = PASS_ADD
*Mar 1 00:16:35: AAA/AUTHOR/EXEC: Processing AV service=shell
*Mar 1 00:16:35: AAA/AUTHOR/EXEC: Processing AV cmd*
*Mar 1 00:16:35: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
*Mar 1 00:16:35: AAA/AUTHOR/EXEC: Authorization successful

Passed attempts for console

I think my understanding of exec shell is what's hurting me. Any comments or advice would be greatly appreciated.

SrA Ryan Newell
18th Communications Squadron
Infrastructure Engineer
CCNA, SCP
634-7999
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53602&t=53602
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
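As an added example, not part of Ryan's post: the switch side of the posted config with the one global command that makes the console-line authorization statements take effect. By default IOS does not run AAA authorization for the console line at all, which is exactly what the "AAA/AUTHOR: authenticated console user is permitted" line in the tty0 trace reports; the switch never sent a service=shell request to the server, unlike the tty2 trace. The global command `aaa authorization console` turns console authorization on (on older IOS it was not listed in the CLI help, which is why it gets described as hidden). Everything else below is the poster's configuration as given; the TACACS+ server definition, the line password and the method-list names are assumed to be configured as in the post.

```cisco
! Added example (not the original poster's config): the posted switch config
! plus "aaa authorization console". Server definition assumed to exist.
aaa new-model
!
! Method lists exactly as posted.
aaa authentication login telnet group tacacs+ line none
aaa authorization exec privilege group tacacs+ none
aaa authorization commands 15 cmd group tacacs+ none
!
! Without this, IOS skips authorization on the console line and the
! per-line "authorization exec" / "authorization commands" statements under
! "line con 0" are ignored (debug shows "authenticated console user is
! permitted" instead of a TACACS+ exchange).
aaa authorization console
!
line con 0
 exec-timeout 5 0
 password 7 xxxxxxxxxxxxxxxxx
 login authentication telnet
 authorization exec privilege
 authorization commands 15 cmd
 transport input telnet
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 login authentication telnet
 authorization exec privilege
 authorization commands 15 cmd
 transport input telnet
```

To check it took effect, confirm the line is present with `show running-config | include aaa authorization console`, then log in on the console with `debug aaa authorization` running: the tty0 trace should now show the same `AAA/AUTHOR/EXEC ... send AV service=shell` / `send AV cmd*` exchange and the returned `priv-lvl=15` that the tty2 trace shows, and a prohibited command should be refused. One caveat worth testing deliberately: the trailing `none` in all three method lists means that when the TACACS+ server is unreachable, authentication and authorization fall open and any session gets an unrestricted EXEC. That was already true for the vtys; once console authorization is enabled the same fail-open behaviour now also governs whoever has physical access to the console port.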