AAA authorization and show logging command

Hello Guys,
I am running IOS 15 on some routers and using ACS version 5.3.0.40.5 for authentication and authorization.
I would like to have a group of users not be able to access the configuration mode but issue all show commands.
However, the show logging command does not seem to work in user mode.
Any ideas or work arounds are welcome.
Thanks in advance.

Hello,
There is no contradiction. You can have level 15 access and deny or permit access to whatever commands you want.
I am using ACS where everyone has level 15 access but some of them can only use show commands (no conf t).
You can configure things the same way by allowing everyone level 15 access and allowing or denying whatever commands you want.
Let me know if you need extra help.
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you"

Similar Messages

  • Show log command on 4500

    Dear all,
    If I do a show log command on the switch, it starts showing logs which are several months old.
    How can I filter those to show only the last month's log? Using a pipe is one way, or is there anything to be set on the switch?
    Also, if I do sh log and it starts showing logs for the last 6 months, then I can't break it, and hence it might be causing overhead.
    Please advise.
    Sent from Cisco Technical Support iPhone App

    Hi,
    I believe there are no other options to view the logs apart from using the pipe filter,
    or we can tune the logging level so that only the messages of interest are captured, using the options below.
    There are eight levels of logging. If you specify a particular level of logging for console logging, for example, the messages of that level and of the higher levels (numerically lower) are forwarded to the console.

    Level   Logging Message
    0       Emergencies
    1       Alerts
    2       Critical
    3       Errors
    4       Warnings
    5       Notifications
    6       Informational
    7       Debugging

    Router(config)# logging monitor error
    Now let us discuss the anatomy of the logging messages. Each message is associated with one of the eight levels of logging, which is referred to as the severity of the message.

    Level Name      Severity   Description                      Syslog Definition
    Emergencies     0          System unusable                  LOG_EMERG
    Alerts          1          Immediate action needed          LOG_ALERT
    Critical        2          Critical conditions              LOG_CRIT
    Errors          3          Error conditions                 LOG_ERR
    Warnings        4          Warning conditions               LOG_WARNING
    Notifications   5          Normal significant conditions    LOG_NOTICE
    Informational   6          Informational messages only      LOG_INFO
    Debugging       7          Debugging messages               LOG_DEBUG
    Hope this helps
    Cheers
    Somu
    Rate helpful posts
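An added example, not part of Somu's reply above: the Python below applies the "that level and the higher (numerically lower) levels" rule to IOS-style syslog lines by reading the severity digit out of the %FACILITY-SEVERITY-MNEMONIC tag, which is the same selection `logging monitor error` or a `show logging | include` filter would make. The sample buffer and the mnemonics in it are constructed for illustration, not taken from any device.

```python
"""Filter IOS-style syslog lines by severity.  Added example, not from the
thread above; the sample log lines are constructed for illustration."""
import re
from typing import Iterable, List, Optional, Union

# Severity names from the table above, indexed by numeric level (0 = most severe).
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# IOS puts the severity in the %FACILITY-SEVERITY-MNEMONIC tag, e.g. %SYS-5-CONFIG_I.
_TAG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")

# Constructed sample buffer in 'show logging' format (sequence number, timestamp, tag, text).
SAMPLE_LOG = """\
000123: Dec  7 14:31:50.120: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.255.249)
000124: Dec  7 14:32:01.004: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan2, changed state to up
000125: Dec  7 14:35:17.331: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: test] [Source: 10.40.0.14] [localport: 22]
000126: Dec  7 14:35:19.002: %AAAA-3-BADSERVERTYPEERROR: Cannot process authentication server type tacacs+
000127: Dec  7 14:40:00.000: %SYS-6-LOGOUT: User admin has exited tty session 1(10.10.255.249)
000128: Dec  7 14:41:12.777: %SYS-1-CPURISINGTHRESHOLD: Threshold: Total CPU Utilization(Total/Intr): 95%/2%
"""


def severity_of(line: str) -> Optional[int]:
    """Numeric severity of a syslog line, or None when the line carries no %TAG."""
    m = _TAG.search(line)
    return int(m.group("sev")) if m else None


def level_from_name(name: str) -> int:
    """Map a 'logging monitor <level>' keyword (e.g. 'error', 'errors', 'warn') to its number."""
    for num, full in enumerate(SEVERITY_NAMES):
        if full.startswith(name.lower()):
            return num
    raise ValueError(f"unknown severity keyword: {name}")


def at_or_above(lines: Iterable[str], level: Union[int, str]) -> List[str]:
    """Keep messages at 'level' and the higher (numerically lower) levels,
    i.e. what 'logging monitor <level>' would forward to the terminal."""
    threshold = level_from_name(level) if isinstance(level, str) else level
    kept = []
    for line in lines:
        sev = severity_of(line)
        if sev is not None and sev <= threshold:
            kept.append(line)
    return kept


def count_by_severity(lines: Iterable[str]) -> dict:
    """Histogram of messages per severity name, useful before lowering a logging level."""
    counts = {name: 0 for name in SEVERITY_NAMES}
    for line in lines:
        sev = severity_of(line)
        if sev is not None:
            counts[SEVERITY_NAMES[sev]] += 1
    return counts


if __name__ == "__main__":
    buffer = SAMPLE_LOG.splitlines()
    print(count_by_severity(buffer))
    for line in at_or_above(buffer, "error"):   # levels 0..3 only
        print(line)
```

Run against a saved `show logging` capture instead of SAMPLE_LOG to see how much of the buffer a given `logging buffered <level>` setting would have kept; lines without a %TAG (continuation lines, the buffer header) are skipped rather than miscounted.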

  • Privilege mode disable the show logging command

    Can anyone please advise how to disable the show logging command through the privilege level?

    Please see this link:
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
    Regards,
    ~JG
    Do rate helpful posts

  • Acs4.1 & aaa authorization & permit show

    Hello,
    I want to deny all commands except "show run" for a group and for all network devices.
    So I created a group on ACS 4.1 and attached it to a "Shell Command Authorization Set" ("permit show running-config" - "deny unmatched commands"),
    then I used the commands which you can see below:
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    NOW: the rules are working for my new group, but other groups which have full access to all devices are failing (% Authorization failed).
    What can be the problem?
    Thanks
    Ozlem

    Create another shell command authorization set for the full access group, configure it for "unmatched commands - permit",
    and do not enter any command for it.
    That will work for you.
    ~Rohit

  • AAA authorization fails, but still command is executed...

    Hi everyone,
    I've implemented authorization and it basically works. The user can only use a limited set of commands (show int status, conf t, interface ethernet, interface gigabitethernet, interface fastethernet, shut, no shut).
    Now I try to configure a loopback or Vlan interface, which should not be allowed.
    COMMANDS IMPLEMENTED:
    aaa authorization config-commands
    aaa authorization commands 0 vty group tacacs+ none
    aaa authorization commands 1 vty group tacacs+ none
    aaa authorization commands 15 vty group tacacs+ none
    line vty 0 15
    authorization commands 0 vty
    authorization commands 1 vty
    authorization commands 15 vty
    COMMAND AND OUTPUT FROM TESTING:
    SWITCH(config)#int vlan 2
    Command authorization failed.
    DEBUG AAA AUTHORIZATION:
    SWITCH#
    Dec  7 14:31:50: AAA: parse name=tty1 idb type=-1 tty=-1
    Dec  7 14:31:50: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
    Dec  7 14:31:50: AAA/MEMORY: create_user (0x46603F4) user='USER1' ruser='SWITCH' ds0=0 port=
    'tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Port='tty1' list='SCAS' service=CMD
    Dec  7 14:31:50: AAA/AUTHOR/CMD: tty1 (60725991) user='USER1'
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV service=shell
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd=interface
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=Vlan
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=2
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=<cr>
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): found list "SCAS"
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Method=tacacs+ (tacacs+)
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): user=USER1
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV service=shell
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd=interface
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=Vlan
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=2
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=<cr>
    Dec  7 14:31:50: AAA/AUTHOR (60725991): Post authorization status = FAIL
    Dec  7 14:31:50: AAA/MEMORY: free_user (0x46603F4) user='USER1' ruser='SWITCH' port='tty1' r
    em_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15
    As you can see, the reply from the TACACS+ server is a "FAIL", but the command is still executed.
    RESULT:
    SWITCH#sh run int vlan 2
    Building configuration...
    Current configuration : 38 bytes
    interface Vlan2
    no ip address
    end
    QUESTION:
    I don't understand what the problem is... Since I get a FAIL from the TACACS+ server, I assume that the configuration on that side is fine.
    But why would the switch ignore a FAIL and still execute the command? The same problem exists with the Loopback interface.
    Is this me not understanding the basic concept of AAA, or is this some other problem?
    The Switch is a Cisco WS-C3750-24TS (running c3750-ipbasek9-mz.122-50.SE2.bin).
    The TACACS+ server runs Cisco Secure ACS 4.2.0.124.
    Thanks,
    Tom

    Hi Tom,
    This is CSCtd49491: TACACS+ command authorization for interface configuration fails.
    The bug is currently in a Closed state, meaning that the "Bug report is valid, but a conscious decision has been made not to fix it at all or in all releases."
    As far as I can tell, the impact is rather limited since the interface that gets created will have no effect unless the vlan exists, and even then the effect is minimal since it cannot be configured.
    You may want to open a TAC case or work with your account team to get the bug re-opened if this is still a concern though.
    hth
    Herbert

  • AAA authorization and accounting

    Hello everyone.
    I am given a project to implement AAA on routers and switches in our environment. Can someone please help me understand the difference between:
    1) aaa authorization exec and aaa authorization command option.
    2) aaa accounting exec and aaa accounting command option.
    Many thanks.
    Sent from Cisco Technical Support Android App

    Hello,
    1) aaa authorization exec and aaa authorization command option.
    The first one authorizes whether the user has the right privilege level to enter one of the IOS privilege levels (0, 1, 15); you can customize this.
    The second one authorizes the different commands a user can type and send to the device.
    2) aaa accounting exec and aaa accounting command option.
    The first one again accounts when a user enters a specific user level (privileged level 15 or EXEC user level 1).
    The second one sends an accounting message for each command sent to the box.
    Check my blog at http:laguiadelnetworking.com for further information.
    Cheers,
    Julio Carvajal Segura

  • Unable to allow "show configuration" command

    ACS is being used for AAA authorization, and I have allowed a user to run the "show" command, but the ACS server always fails the request, saying "command unknown".

    Please get the logs from
    debug aaa authorization
    and the aaa commands you have in the switch.
    Regards,
    ~JG

  • "show logging" not available in privilege 7 anymore

    Hi,
    I am encountering an issue on some Catalyst 3750/3560/2960 on IOS 12.2(55). Users logged on at privilege 7 can't use the "show logging" command anymore. The command was available on previous IOS releases like 12.2(50).
    I fixed it with the command "privilege exec level 7 show logging", but I wanted to know if it was intentional or not, as I couldn't find anything about a change to the privilege 7 rights in any of Cisco's release notes between 12.2(50) and 12.2(55).
    Does anyone know about that?

    This was implemented as a security feature. Take a look at:
    CSCsl61281
    https://supportforums.cisco.com/discussion/10624981/change-privilege-level-command-show-logging
    Thank you for rating helpful posts!

  • Aaa authorization subscriber-service default group

    Dear All
    I am configuring a Broadband RAS over PPPoE on a Cisco 7206 (IOS 12.2(33) SRD).
    Some commands I am not able to run, like:
    aaa authorization subscriber-service default group AAA-SERVERS
    aaa server radius sesm
    The scenario is like this:
    End User -> Broadband RAS -> (Management software with DHCP server) -> Bandwidth manager -> Core Router -> Internet
    The Broadband RAS will manage all internet users with the help of the management software.
    Please help me.
    vikas

    Hi
    The output that you posted, System image file is "disk2:c7200p-ipbase-mz.124-15.T9.bin", does not support this feature.
    The IOS releases below support AAA Authorization and Authentication Cache and AAA server group; these are IP Base without crypto:

    Release          Image                              DRAM (MB)   Flash (MB)
    15.0(1)M2        c7200-ipbase-mz.150-1.M2.bin       512         64
    15.0(1)M1        c7200-ipbase-mz.150-1.M1.bin       512         64
    15.0(1)M         c7200-ipbase-mz.150-1.M.bin        512         64
    12.2(33)SRE1     c7200-ipbase-mz.122-33.SRE1.bin    512         64
    12.2(33)SRE      c7200-ipbase-mz.122-33.SRE.bin     512         64
    12.2(33)SRD4     c7200-ipbase-mz.122-33.SRD4.bin    128         64
    12.2(33)SRD3     c7200-ipbase-mz.122-33.SRD3.bin    128         64
    12.2(33)SRD2a    c7200-ipbase-mz.122-33.SRD2a.bin   128         64
    12.2(33)SRD2     c7200-ipbase-mz.122-33.SRD2.bin    128         64
    12.2(33)SRD1     c7200-ipbase-mz.122-33.SRD1.bin    128         64
    12.2(33)SRD      c7200-ipbase-mz.122-33.SRD.bin     128         64
    12.2(33)SRC6     c7200-ipbase-mz.122-33.SRC6.bin    128         64
    12.2(33)SRC5     c7200-ipbase-mz.122-33.SRC5.bin    128         64
    12.2(33)SRC4     c7200-ipbase-mz.122-33.SRC4.bin    128         64
    12.2(33)SRC3     c7200-ipbase-mz.122-33.SRC3.bin    128         64
    12.2(33)SRC2     c7200-ipbase-mz.122-33.SRC2.bin    128         64
    12.2(33)SRC1     c7200-ipbase-mz.122-33.SRC1.bin    128         64
    12.2(33)SRC      c7200-ipbase-mz.122-33.SRC.bin     128         64
    Regards
    Chetan Kumar

  • ACE Sticky Connections, Show Conn Output and Show serverfarm

    Hi Community,
    I'm deploying a Cisco ACE module and I have some questions about sticky connections and about the output of the show conn command and the show serverfarm command.
    I have the following configuration:
    rserver host srv_1
      ip address 10.4.11.14
      inservice
    rserver host srv_2
      ip address 10.4.11.18
      inservice
    serverfarm host farm_144
      rserver srv_1 144
        weight 1
        inservice
      rserver srv_2 144
        weight 3
        inservice
    sticky ip-netmask 255.255.255.255 address source st_host144
      timeout 10080
      serverfarm farm_144
    class-map match-all vip_144
      2 match virtual-address 10.4.11.208 tcp eq 143
    policy-map type loadbalance first-match lb_144
      class class-default
    policy-map multi-match policy_vip_webcache
      class vip_webcache_144
        loadbalance vip inservice
        loadbalance policy lb_144
        loadbalance vip icmp-reply active
        nat dynamic 411 vlan 411
    We can assume that the service policy was applied at the interface vlan. So, let's go to the questions:
    1- If sticky is enabled, should the output of the "show conn" command show just one entry per IP address?
    The real output is:
    DC01-ACE-01-PRIMARY-SW1/context_servidores# show conn | inc :143
    333046     1  in  TCP   411  10.2.158.87:3616      10.4.11.208:143       ESTAB
    286390     3  in  TCP   411  10.2.158.87:3562      10.4.11.208:143       ESTAB
    310233     1  in  TCP   411  10.1.5.87:3424        10.4.11.208:143       ESTAB
    Look that the IP address 10.2.158.87 is shown 2 times. Sometimes the same IP address is shown 4 times for the same VIP and the same port. Is it a normal behavior?
    2- According to the configuration, srv_2 has weight 3 and srv_1 has weight 1, but the output of show serverfarm shows something strange:
    DC01-ACE-01-PRIMARY-SW1/context_servidores# show serverfarm farm_144
     serverfarm     : farm_144, type: HOST
     total rservers : 2
     state          : ACTIVE
     DWS state      : DISABLED
                                                     ----------connections-----------
            real                  weight state        current    total      failures
        ---+---------------------+------+------------+----------+----------+---------
        rserver: srv_1
            10.4.11.14:144        1   OPERATIONAL     11         386        0
        rserver: srv_2
            10.4.11.18:144        3   OPERATIONAL     35         66         0
    We can see that the weight is working, but the total of connections is higher at srv_1 than at srv_2. Why?
    Can somebody help me understand this problem better, or is it a normal behavior?
    Thanks in advance!!

    Hi Gaurav,
    About question 1, I got some information too. It's perfectly normal for the client to open 2 or more connections at the same time. The client's application is responsible. We removed the ACE and pointed the client directly to the server, and the total number of connections opened was the same.
    About question 2, I made some "clears" on the serverfarm and the sticky database, and after that the numbers were more realistic.
    DC01-ACE-02-SECONDARY-SW1/context_servidores# sh serverfarm farm_webcache_144
    serverfarm     : farm_webcache_144, type: HOST
    total rservers : 2
    state          : ACTIVE
    DWS state      : DISABLED
                                                    ----------connections-----------
           real                  weight state        current    total      failures
       ---+---------------------+------+------------+----------+----------+---------
       rserver: srv_webcache_1
           10.4.11.14:144        1   OPERATIONAL     1025       15499      4436
       rserver: srv_webcache_2
           10.4.11.18:144        2   OPERATIONAL     1794       33471      471
    DC01-ACE-02-SECONDARY-SW1/context_servidores#
    Anyway thank you very much for your feedback.
    Plínio Monteiro

  • Allow some show commands in AAA Authorization Set

    I'm working on creating AAA authorization sets for our environment and ran into a question!
    I'd like to be able to enable ALL show commands except 'show run'. I would also like to enable 'show run interface'. I've figured out how to enable all show commands and disable show run. The problem I'm finding is that since 'show run interface' is a subset of 'show run', it seems to get disabled, even if I try to explicitly enable it.
    Is there a way to disable 'show run' but enable all other show commands and 'show run interface' with an AAA authorization set?
    ACS Version 4.1.
    Command set is configured:

    Changing it to 'deny running-config' does the exact same thing. It looks like it's seeing the 'show running-config', then stopping on that before anything else. I've tried adding 'permit run interface' in ACS, with the same result. Other AAA authorization set commands work just fine.
    On the switch (it's a 2960G-8TC-K) running 12.2(58)SE2.
    aaa group server tacacs+ SHS
    server 10.10.11.200
    aaa authentication login verifyme group TACACS+ local
    aaa authorization config-commands
    aaa authorization exec verifyme group TACACS+ local
    aaa authorization commands 0 default group TACACS+
    aaa authorization commands 1 default group TACACS+
    aaa authorization commands 15 default group TACACS+
    aaa accounting send stop-record authentication failure
    aaa accounting exec verifyme start-stop group TACACS+
    aaa accounting commands 15 default start-stop group TACACS+
    aaa accounting network verifyme start-stop group TACACS+
    aaa accounting system default start-stop group TACACS+
    aaa session-id common
    Debugs!
    Jun 21 11:07:39: AAA: parse name=tty0 idb type=-1 tty=-1
    Jun 21 11:07:39: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
    Jun 21 11:07:39: AAA/MEMORY: create_user (0x3A790DC) user='test' ruser='SGAVEJ01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): Port='tty0' list='' service=CMD
    Jun 21 11:07:39: AAA/AUTHOR/CMD: tty0 (4105592267) user='test'
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV service=shell
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd=show
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=running-config
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=interface
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=GigabitEthernet
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=0/1
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD(4105592267): found list "default"
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): Method=TACACS+ (tacacs+)
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): user=test
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV service=shell
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd=show
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=running-config
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=interface
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=GigabitEthernet
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=0/1
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=
    Jun 21 11:07:39: TAC+: Using default tacacs server-group "TACACS+" list.
    Jun 21 11:07:39: TAC+: Opening TCP/IP to 10.10.11.200/49 timeout=5
    Jun 21 11:07:39: TAC+: Opened TCP/IP handle 0x3A41210 to 10.10.11.200/49 using source 10.40.0.14
    Jun 21 11:07:39: TAC+: 10.10.11.200 (4105592267) AUTHOR/START queued
    Jun 21 11:07:39: TAC+: (4105592267) AUTHOR/START processed
    Jun 21 11:07:39: TAC+: (-189375029): received author response status = FAIL
    Jun 21 11:07:39: TAC+: Closing TCP/IP 0x3A41210 connection to 10.10.11.200/49
    Jun 21 11:07:39: AAA/AUTHOR (4105592267): Post authorization status = FAIL
    Jun 21 11:07:39: AAA/MEMORY: free_user (0x3A790DC) user='test' ruser='SGAVEJ01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 vrf= (id=0)
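An added illustration, not code from the posts above and not how ACS itself matches arguments: the Python below reconstructs the command-authorization request from the `debug aaa authorization` lines posted in this thread and runs it through a simple first-match command set. It covers both this post and the first thread's advice of giving everyone level 15 and restricting commands on the server: the device sends `cmd=show` plus one `cmd-arg` per word, so a server-side rule on the argument string decides the outcome, and an unanchored `deny running-config` evaluated before a more specific permit also denies `show running-config interface ...`. The two rule sets (SHADOWED and FIXED) and their regex patterns are assumptions written for the example.

```python
"""Rebuild TACACS+ command-authorization requests from 'debug aaa authorization'
output and run them through an ordered command set.  Added example: the
evaluator is a plain first-match policy over the joined argument string, not
ACS's own matching code.  Debug lines are copied from the post above; the
rule sets are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Lines copied from the debug output posted above.  IOS expands abbreviations
# before authorization, so 'sh run int gi0/1' arrives as the full words below,
# with the interface split into two cmd-arg pairs.  The trailing empty
# cmd-arg (or '<cr>' on other releases) marks end of line.
DEBUG_OUTPUT = """\
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV service=shell
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd=show
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=running-config
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=interface
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=GigabitEthernet
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=0/1
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=
Jun 21 11:07:39: AAA/AUTHOR (4105592267): Post authorization status = FAIL
"""

# Only the AAA/AUTHOR/CMD copies of the AV pairs; the AAA/AUTHOR/TAC+ lines repeat them.
_AV = re.compile(r"AAA/AUTHOR/CMD ?\((?P<sid>\d+)\): send AV (?P<attr>[\w-]+)=(?P<val>.*)$")
_STATUS = re.compile(r"AAA/AUTHOR \((?P<sid>\d+)\): Post authorization status = (?P<status>\w+)")


@dataclass
class CommandRequest:
    session: str
    cmd: str = ""
    args: List[str] = field(default_factory=list)

    @property
    def arg_string(self) -> str:
        return " ".join(self.args)


def parse_requests(debug_text: str) -> Dict[str, CommandRequest]:
    """Group 'send AV' lines by session id into one request per command."""
    reqs: Dict[str, CommandRequest] = {}
    for line in debug_text.splitlines():
        m = _AV.search(line)
        if not m:
            continue
        req = reqs.setdefault(m["sid"], CommandRequest(m["sid"]))
        val = m["val"].strip()
        if m["attr"] == "cmd":
            req.cmd = val
        elif m["attr"] == "cmd-arg" and val not in ("", "<cr>"):
            req.args.append(val)
    return {sid: r for sid, r in reqs.items() if r.cmd}


def parse_status(debug_text: str) -> Dict[str, str]:
    """Session id -> PASS/FAIL verdict the device received from the server."""
    return {m["sid"]: m["status"] for m in _STATUS.finditer(debug_text)}


@dataclass
class CommandRule:
    """One command word with ordered (action, regex-on-arg-string) pairs."""
    command: str
    arg_rules: List[Tuple[str, str]]
    permit_unmatched_args: bool = False


@dataclass
class CommandSet:
    rules: List[CommandRule]
    permit_unmatched_commands: bool = False

    def authorize(self, req: CommandRequest) -> Tuple[str, str]:
        """First matching argument rule wins; return (verdict, reason)."""
        for rule in self.rules:
            if rule.command != req.cmd:
                continue
            for action, pattern in rule.arg_rules:
                if re.search(pattern, req.arg_string):
                    return ("PASS" if action == "permit" else "FAIL", f"{action} {pattern}")
            if rule.permit_unmatched_args:
                return "PASS", "unmatched args permitted"
            return "FAIL", "unmatched args denied"
        return ("PASS" if self.permit_unmatched_commands else "FAIL", "unmatched command")


# All show commands, deny show run: the deny is reached first and is not
# anchored at the end, so it also swallows 'running-config interface ...'.
SHADOWED = CommandSet([CommandRule("show",
    [("deny", r"^running-config"), ("permit", r"^running-config interface")],
    permit_unmatched_args=True)])

# Same intent, ordered and anchored: the specific permit first, then a deny
# that matches 'running-config' when bare or followed by anything else
# (e.g. a '| include' filter), but never 'running-config interface ...'.
FIXED = CommandSet([CommandRule("show",
    [("permit", r"^running-config interface\b"), ("deny", r"^running-config(\s|$)")],
    permit_unmatched_args=True)])

if __name__ == "__main__":
    statuses = parse_status(DEBUG_OUTPUT)
    for sid, req in parse_requests(DEBUG_OUTPUT).items():
        print(f"{req.cmd} {req.arg_string}: device saw {statuses.get(sid)}, "
              f"shadowed -> {SHADOWED.authorize(req)}, fixed -> {FIXED.authorize(req)}")
```

The same parser works on a full debug capture with several sessions, and comparing `parse_status` with the evaluator's verdict is a quick way to check that a local model of the server's rule set agrees with what the device actually received. Note that `configure terminal` is denied by both sets here only because no rule mentions it and unmatched commands default to deny; that default is what keeps a "level 15 but show-only" user out of configuration mode.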

  • Command Authorization Set Show Run Permissions Only

    Hi All,
    I am trying to set up aaa authorization using Cisco ACS 4.2 so that my Helpdesk Users have the ability to do show commands only.
    I have followed the instructions from http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    and this doesn't work as intended.
    I have followed the document to a tee, but when I log in with my test2 user account it gives me user mode access only (> prompt) instead of Priv Exec (# prompt) with only show command privileges! I guess this is because I am specifying level 1 access, but that's what the doc says to do.......
    My config is as follows:
    Cisco 2811 Router
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa session-id common
    ACS 4.2 Config
    Shell Command Authorization Set: Name = ReadOnlyAccess - Unmatched commands set to Deny, with the show command configured in the box below and I have checked the Permit Unmatched Args check box next to it
    User: Test2 in UserGroup: ReadOnlyGroup with Enable options - Max Priv for any AAA Client: Level 1, TACACS+ - Shell (exec) box checked and Priv level checked and set to 1
    Shell Command Authorisation Set - Assign a Shell Command Authorization Set for any network Device radio button selected specifying ReadOnlyAccess as the Command authorisation set to apply.
    Thanks in advance
    David

    All,
    I have resolved this issue by giving my Test2 user account priv 15 access and then specifying the commands that are permitted within the command authorisation set applied to all devices, which is the way I thought it should be done in the first place.

  • Command execution get very slow when AAA Authorization enable on ASR 1006

    Without authorization, I am able to work smoothly with just a click on the ASR, but once I enable authorization it takes many seconds to move to the next command (for example, if I hit config t or int gi1/0/1, it takes time to move to the next command level).
    I am facing this authorization issue only on the ASR; for other Cisco switches and routers it works fine, with just a click.
    Did anyone face such an issue, and how was it fixed?
    See the Show version for ASR
    Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.1(2)S, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Thu 24-Mar-11 23:32 by mcpre
    Cisco IOS-XE software, Copyright (c) 2005-2011 by cisco Systems, Inc.
    All rights reserved.  Certain components of Cisco IOS-XE software are
    licensed under the GNU General Public License ("GPL") Version 2.0.  The
    software code licensed under GPL Version 2.0 is free software that comes
    with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
    GPL code under the terms of GPL Version 2.0.  For more details, see the
    documentation or "License Notice" file accompanying the IOS-XE software,
    or the applicable URL provided on the flyer accompanying the IOS-XE
    software.
    ROM: IOS-XE ROMMON
    NOITDCRTRCORP01 uptime is 10 weeks, 6 days, 1 hour, 16 minutes
    Uptime for this control processor is 10 weeks, 6 days, 1 hour, 19 minutes
    System returned to ROM by reload
    System restarted at 17:47:32 IST Thu Oct 4 2012
    System image file is "bootflash:/asr1000rp1-advipservicesk9.03.03.00.S.151-2.S.bin"
    Last reload reason: EHSA standby down
    AAA Commands on ASR 1006
    aaa new-model
    aaa group server tacacs+ tacgroup
    server 10.48.128.10
    server 10.72.160.10
    ip vrf forwarding Mgmt-intf
    ip tacacs source-interface GigabitEthernet0
    aaa authentication login default group tacgroup local
    aaa authentication enable default group tacgroup enable
    aaa accounting exec default start-stop group tacgroup
    aaa accounting commands 1 default start-stop group tacgroup
    aaa accounting commands 15 default start-stop group tacgroup
    aaa accounting connection default start-stop group tacgroup
    aaa accounting system default start-stop group tacgroup
    aaa authorization commands 0 default group tacgroup none
    aaa authorization commands 1 default group tacgroup none
    aaa authorization commands 15 default group tacgroup none
    aaa session-id common
    tacacs-server host 10.48.128.10 key 7 13351601181B0B382F04796166
    tacacs-server key 7 053B071C325B411B1D25464058

    I think your issue may be related to your TACACS+ server. Re-order the two servers (there is typically a 5 second timer before failover occurs) and see if that improves your performance, i.e. change
    server 10.48.128.10
    server 10.72.160.10
    to
    server 10.72.160.10
    server 10.48.128.10
    You can try to debug the issue by referring to the command reference guide, i.e. debug tacacs. You can also try to telnet to both IP addresses on port 49 to see if the connection opens, in order to rule out issues where a firewall or routing to one of the TACACS+ servers is failing. I also noticed you have the shared secret and tacacs-server defined for one of the servers; is the same present for the other server that is in the server group?
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • AAA authorization commands

    Hi All
    Probably I am going to ask a stupid question, but I am really confused regarding the purpose of the "aaa authorization commands x default local" command. I understand that if this command is configured, it authorizes each and every command of that level, but in my experience this command is not doing anything. The outcome is the same whether it is configured or not.
    Following is my aaa part config
    username cisco privilege 15 secret cisco 
    aaa new-model
    aaa authentication login default local enable
    aaa authorization exec default local if-authenticated
    aaa authorization commands 15 default local if-authenticated
    Now whether I keep the last command or remove it, username "cisco" is able to use every level 15 command, so my question is, why should I bother configuring this command?
    Would really appreciate your quick reply
    Regards

    Thanks a lot for your quick response. Really appreciate that.
    So does this mean I can safely assume that if I am using the local database then I don't require the "aaa authorization command level" command?
    that is following should be the config
    username cisco privilege 15 secret cisco 
    aaa new-model
    aaa authentication login default local enable
    aaa authorization exec default local if-authenticated
    privilege exec level 15 show   (just an example)
    privilege exec level 15 debug
    I have tested this and it worked fine without using "aaa authorization command level"
    Moreover, regarding the use of an AAA server, my eventual plan is to use TACACS+, but before that I wanted to get a good grip on AAA functionality and therefore started off with the local user database.
    So you mean to say that if I am using TACACS+ for authentication and authorization purposes, and in the ACS server user "cisco" has been assigned level 15 but with an authorization set of "show" and "debug" only, then by using "aaa authorization commands level" in a router I can successfully restrict user "cisco" to "debug" and "show" only? In my point of view, I can achieve this anyway (restricting the "cisco" user to only use "show" and "debug") without using "aaa authorization command level" (like I tested with the local database)??
    Will really appreciate your kind response.

  • AAA authorization show run in priv 7

    Hi, can anyone help?
    I have set up AAA on my network.
    aaa authentication login default group tacacs+ group security local
    aaa authorization exec default group tacacs+ group security local
    aaa accounting exec default start-stop group tacacs+ group security
    tacacs-server host x.x.x.x
    tacacs-server directed-request
    tacacs-server key 7 xyz
    I want to set privileges on a group basis.
    I have created a group called test in the ACS server and set command authorization on a per-group basis,
    and added the show command with permit running-config as the argument.
    My objective is to give the users of the test group privilege level 7, but so that they can use show running-config.
    Any help?
    thanks in advance

    Hi,
    Thanks for your reply. It's nearly exactly what I wanted. However, show running-config only shows this:
    7206a#sh run
    Building configuration...
    Current configuration : 53 bytes
    boot-start-marker
    boot-end-marker
    end
    However, show config
    shows the proper running-config.
    Thanks
