9/19/2002   9:40pm  Thursday

You could just tell your LAN admins not to change anything on the switches.


"Newell Ryan D SrA 18 CS/SCBT" <[EMAIL PROTECTED]> wrote in
message news:[EMAIL PROTECTED]...
> Evening group,
>
> What I have is a TACACS server, and the setup we are trying to achieve goes as
> follows:
> I want the LAN admins to have minimal control on their switches in their
> area. We have accomplished that on the vty ports. Here is the config:
>
> Server
> user=test
> password=test12
> service-shell
> set priv-level=15
> service=shell
> default cmd=(permit/deny)
> And the commands we want are here.
> prohibit cmd=x
> cmd=y{
>
> Switch
>
> aaa new-model
> aaa authentication login telnet group tacacs+ line none
> aaa authorization exec privilege group tacacs+ none
> aaa authorization commands 15 cmd group tacacs+ none
> line con 0
>  exec-timeout 5 0
>  password 7 xxxxxxxxxxxxxxxxx
>  authorization commands 15 cmd
>  authorization exec privilege
>  login authentication telnet
>  transport input telnet
>  stopbits 1
> line vty 0 4
>  exec-timeout 5 0
>  authorization commands 15 cmd
>  authorization exec privilege
>  login authentication telnet
>  transport input telnet
>
> It works great for vty but not for console. I read somewhere about a hidden
> authorization command for console but it is not working. Here is a debug.
> xxxxxxxxxxx#debug aaa authorization
> *Mar  1 00:15:22: AAA/MEMORY: free_user (0x6B451C) user='test' ruser=''
> port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
> *Mar  1 00:15:24: AAA: parse name=tty0 idb type=-1 tty=-1
> *Mar  1 00:15:24: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0
> port=0 channel=0
> *Mar  1 00:15:24: AAA/MEMORY: create_user (0x69BC24) user='' ruser=''
> port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
> *Mar  1 00:15:37: AAA/AUTHOR: authenticated console user is permitted
> *Mar  1 00:15:50: AAA/MEMORY: free_user (0x528F70) user='' ruser=''
> port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
> *Mar  1 00:16:05: AAA/MEMORY: free_user (0x6B4478) user='' ruser=''
> port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
> Failed attempts for console
> *Mar  1 00:16:27: AAA: parse name=tty2 idb type=-1 tty=-1
> *Mar  1 00:16:27: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0
> port=2 channel=0
> *Mar  1 00:16:27: AAA/MEMORY: create_user (0x4D4CE4) user='' ruser=''
> port='tty2' rem_addr='1x.1x.6x.2x' authen_type=ASCII service=LOGIN priv=1
> *Mar  1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): Port='tty2'
> list='privilege' service=EXEC
> *Mar  1 00:16:35: AAA/AUTHOR/EXEC: tty2 (3125102166) user='test'
> *Mar  1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): send AV service=shell
> *Mar  1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): send AV cmd*
> *Mar  1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): found list "privilege"
> *Mar  1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): Method=tacacs+
> (tacacs+)
> *Mar  1 00:16:35: AAA/AUTHOR/TAC+: (3125102166): user=test
> *Mar  1 00:16:35: AAA/AUTHOR/TAC+: (3125102166): send AV service=shell
> *Mar  1 00:16:35: AAA/AUTHOR/TAC+: (3125102166): send AV cmd*
> *Mar  1 00:16:35: AAA/AUTHOR (3125102166): Post authorization status =
> PASS_ADD
> *Mar  1 00:16:35: AAA/AUTHOR/EXEC: Processing AV service=shell
> *Mar  1 00:16:35: AAA/AUTHOR/EXEC: Processing AV cmd*
> *Mar  1 00:16:35: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
> *Mar  1 00:16:35: AAA/AUTHOR/EXEC: Authorization successful
> Passed attempts for console
> I think my understanding of exec shell is what's hurting me. Any comments or
> advice would be greatly appreciated.
>
> Ryan
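As an added example (not part of the thread), a small Python audit of a switch config that reports, per `line` block, why AAA authorization would not be enforced there. On the console it also checks for the global `aaa authorization console` command, which IOS requires before line-level authorization applies to the console port (the debug above shows the console session being permitted without any AAA/AUTHOR/EXEC exchange). SAMPLE_CONFIG is constructed from the posted switch config with the password, exec-timeout and unrelated lines dropped.

```python
# Audit an IOS config for whether AAA exec/command authorization is actually
# enforced on each line. SAMPLE_CONFIG is constructed from the switch config in
# the thread, with the console password and exec-timeout lines dropped.
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization exec privilege group tacacs+ none
aaa authorization commands 15 cmd group tacacs+ none
line con 0
 authorization commands 15 cmd
 authorization exec privilege
 login authentication telnet
line vty 0 4
 authorization commands 15 cmd
 authorization exec privilege
 login authentication telnet
"""

def parse_config(config):
    """Split a config into a set of global commands and per-'line' sub-command lists."""
    globals_, lines, current = set(), {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):        # indented: sub-command of the open 'line' block
            if current is not None:
                lines[current].append(raw.strip())
        elif raw.startswith("line "):  # opens a new line block
            current = raw.strip()
            lines[current] = []
        else:                          # any other top-level command
            current = None
            globals_.add(raw.strip())
    return globals_, lines

def audit_authorization(config):
    """Return {line: [problems]}; an empty list means authorization is enforced there."""
    globals_, lines = parse_config(config)
    findings = {}
    for name, cmds in lines.items():
        problems = []
        if "aaa new-model" not in globals_:
            problems.append("aaa new-model missing")
        if not any(c.startswith("authorization commands") for c in cmds):
            problems.append("no command authorization on this line")
        if not any(c.startswith("authorization exec") for c in cmds):
            problems.append("no exec authorization on this line")
        # IOS skips authorization on the console unless 'aaa authorization console' is set globally.
        if name.startswith("line con") and "aaa authorization console" not in globals_:
            problems.append("aaa authorization console missing")
        findings[name] = problems
    return findings
```

Run against SAMPLE_CONFIG the vty line comes back clean while `line con 0` is flagged only for the missing global command; adding `aaa authorization console` clears it.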
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53672&t=53661
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
