AAA - exec priv levels

Hi,
The following is from the Yusuf bible. I think some of you have read and configured all those labs, so I really hope it's just a simple question for you.
So, in Chap. 1 / Section 7.1:
"Configure two users: (user1) - with priv lvl 10, and user2 w/ priv. level 15. Configure such that user1 is able to run the command show run only, and user2 is able to run all commands."
The solution is (per the configs on the CD):
privilege exec level 10 show run
privilege exec level 15 show
Previously I thought that if you move the show command with any argument (here show run) to a specific level, then you move 'show run' and all show commands too to that specific level. In the above-mentioned two lines, the second command overwrites the previous statement. It is true that the show run command moves to priv lvl 10, but the next one moves all the show commands back to level 15.
Please correct me if I am wrong.
In fact I am far from being happy with that. My real question is:
Is it possible at all to solve the task with local command authorization? (If yes, how? :D)
Maybe I'm just blind to something in the config - that's not the first time... :D
Thank you for your help!
Bests,
SubAa

Hi SubAa,
The 'privilege exec level 15 show' command is incorrect, it shouldn't be there. Remove it and it will work. I have added the correction to the errata list.
Thanks,
Yusuf

Similar Messages

  • Tacacs authorization and Priv levels

    Hi
    I'm struggling with TACACS+ and priv levels, and hoping someone out there can help me solve an issue.
    So, in this environment we need the following:
    Read-only users
    Users with access to some configuration commands.
    Okay, the TACACS configuration for the read-only users looks like this:
    group = readonly-users {
       default service = deny
       cmd = show {
          permit running-config
          permit interface
          permit privilege
          permit vlan
          deny .*
       }
       service = exec {
          priv-lvl = 15
       }
    }
    # Note that priv lvl 15 has been set to allow the users to run "show running-config"; all commands other than the ones mentioned are denied.
    The TACACS configuration for the Users with configuration access looks like this.
    group = restricted-user {
       default service = deny
       cmd = show {
          permit interface
          permit vlan
          permit privilege
          deny .*
       }
       service = exec {
          priv-lvl = 7
       }
    }
    And the following has been configured on the switches to allow further configurations, these commands we had to enable after I had made the previous read-only user in tacacs:
    privilege interface level 7 switchport access vlan
    privilege interface level 7 switchport mode access
    privilege interface level 7 switchport voice vlan
    privilege configure level 7 interface
    privilege exec level 7 configure terminal
    privilege exec level 7 show running-config
    privilege exec level 7 write memory
    It all worked just fine, the read-only users only had access to the commands configured in TACACS. But when I configured the users with configuration access and entered the privilege commands on the switch it stopped working.
    Somehow the privilege commands on the switch apply to all privilege levels above lvl 7. Meaning that my read-only users with priv lvl 15, all commands except show commands denied, can suddenly enter privileged exec mode because I allowed the priv lvl 7 users to enter it.
    This does not make sense to me, because I've read on Cisco's HP that when configuring privilege level commands on the equipment, you allow only that level to access the command, and not all above.
    I hope someone can help me with this issue, and it should be solved in the TACACS configuration, because the TACACS server is controlling over 500 switches and routers. So it ain't just a question of reconfiguring the switches, that would take the rest of 2011.
    I hope you guys know the answer to this.
    Thanks in advance.
    Kind regards

    Thanks for your answer.
    Well when I started to configure this TACACS setup, I tried to create 2 profiles with privilege level 15 and just allow/deny the different commands. But the thing is that you cannot allow all commands in the TACACS configuration. For example, you cannot give a user privilege level 15 and deny all commands, but allow the user to configure VLANs on interfaces, and duplex settings which is what I want the users to be able to do.
    That's why I needed to configure the commands to be accessible from privilege level 7 on the equipment.
    If only I could create a profile with privilege level 15 and give the user access to the commands he needs, and only those, from the TACACS configuration file, that would make it a lot easier, but that just ain't the way TACACS works, unfortunately.
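As an added example (not from the thread, and not the TACACS server in use), a small Python model of how a tac_plus-style group such as the two quoted above evaluates a command authorization request: rules in a cmd block are tried in order and the first matching regex wins, while a command with no cmd block at all falls to `default service = deny`. The GROUPS table, parse_av_pairs and decide helpers are constructed here; the AV-pair shape follows the cmd=/cmd-arg= attributes an IOS device sends.

```python
import re

# Constructed model of the two tac_plus-style groups quoted in the thread.
# Each cmd block is an ordered list of (action, regex) rules; a group with
# "default service = deny" rejects any command that has no cmd block.
GROUPS = {
    "readonly-users": {
        "default": "deny",
        "cmd": {
            "show": [("permit", "running-config"), ("permit", "interface"),
                     ("permit", "privilege"), ("permit", "vlan"),
                     ("deny", ".*")],
        },
    },
    "restricted-user": {
        "default": "deny",
        "cmd": {
            "show": [("permit", "interface"), ("permit", "vlan"),
                     ("permit", "privilege"), ("deny", ".*")],
        },
    },
}


def parse_av_pairs(av_pairs):
    """Turn the cmd=/cmd-arg= attributes of a command authorization request
    into (command keyword, argument string).

    The trailing cmd-arg=<cr> that IOS appends is dropped.
    """
    cmd, args = None, []
    for av in av_pairs:
        key, _, value = av.partition("=")
        if key == "cmd":
            cmd = value
        elif key == "cmd-arg" and value != "<cr>":
            args.append(value)
    return cmd, " ".join(args)


def authorize(group_name, av_pairs):
    """Return (decision, reason) for one command authorization request.

    Rules inside a cmd block are tried in order; the first matching regex
    wins. Patterns are searched unanchored, so 'interface' also matches
    'ip interface brief'; write ^...$ when an exact argument is intended.
    A command with no cmd block falls back to the group's default service.
    """
    group = GROUPS[group_name]
    cmd, args = parse_av_pairs(av_pairs)
    rules = group["cmd"].get(cmd)
    if rules is None:
        return group["default"], "default service = %s" % group["default"]
    for action, pattern in rules:
        if re.search(pattern, args):
            return action, "%s %s" % (action, pattern)
    # Nothing matched. The thread's blocks end with 'deny .*', so this is
    # never reached for them; deny anyway so the model stays closed.
    return "deny", "no rule matched"


def decide(group_name, command_line):
    """Authorize a typed command line such as 'show running-config' by
    building the AV pairs the device would send for it."""
    words = command_line.split()
    av_pairs = ["service=shell", "cmd=%s" % words[0]]
    av_pairs += ["cmd-arg=%s" % w for w in words[1:]] + ["cmd-arg=<cr>"]
    return authorize(group_name, av_pairs)


if __name__ == "__main__":
    for group in GROUPS:
        for line in ("show running-config", "show ip interface brief",
                     "show version", "configure terminal"):
            decision, reason = decide(group, line)
            print("%-16s %-24s -> %s (%s)" % (group, line, decision, reason))
```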

  • Command priv level change

    Is it possible to change the privilege level for certain commands? For example, move the ping command only to users at level 15.
    M.

    privilege exec level 15 ping

  • Aaa accounting commands levels

    Hello,
    I am confused on aaa accounting. If I wish to account all commands and the levels I have configured are say 5 and 15, do I need to include level 0 in my aaa accounting commands?

    Hello,
    By default on IOS devices we have three commands distributed over three privilege levels i.e.,
    Level 0
    Level 1, and
    Level 15.
    If you do not explicitly change the privilege level of command(s), then the only commands that you need to enter on an IOS device to monitor all commands executed on the device are:
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    I have defined TACACS+ as the accounting server, as it gels best for administrative purposes, i.e. shell command authorization.
    Let me know if this clarifies your doubt :)

  • Tacacs AAA and privilege level 7

    I've setup a group on tacacs server called acsrestricted and mapped it to AD security group. I've set this group to privilege level 7 on tacacs server.
    I need this group to view the "show run" config on a router. Privilege level 7 allows the user to use some other show commands but not "show run". How can I configure this on TACACS?

    Michael
    I am not sure that I am understanding your post correctly. As I understand it you have created a group for some users who would operate at privilege level 7. I gather that this works and that users in this group do authenticate and are assigned to privilege level 7. You say that some show commands are assigned to them but not the show run command. This would seem to be simple to solve - you make sure that show with a parameter of run is assigned to them. But there is something not simple that makes this not work. Part of the Cisco implementation of privilege levels is that in show run a user cannot view any parameter that they do not have permission to change.
    Perhaps it might work for your situation if you give those users access to show config. show config does not have the same restriction as show run.
    HTH
    Rick
    Sent from Cisco Technical Support iPad App

  • TACACS Authorization of Web Interface on Aironet 1200 AP

    I have the Aironet 1200 AP setup to authenticate and perform authorization for the CLI via TACACS. That is working fine.
    However, the web interface is failing "ip http authentication". (Slight caveat - it works for a local user in the local AP DB - it does not work when it goes to CiscoSecure ACS to authenticate/authorize.)
    I can get to some pages (prompt and pass authentication), but certain pages (e.g. Services>>SNMP) where configuration steps are taken cause a second prompt to be presented; the username and password are provided, and it fails.
    This is only evident from the output of a "debug ip http authentication".
    What do I need to configure in ACS to make this work?
    Relevant portion of config:
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local
    no ip http server
    ip http authentication aaa
    ip http secure-server
    Sep 7 13:40:59.885: HTTP AAA picking up console Login-Authentication List name: default
    Sep 7 13:40:59.885: HTTP AAA picking up console Exec-Authorization List name: default
    Sep 7 13:40:59.909: HTTP: Authentication failed for level 15
    Sep 7 13:41:06.757: HTTP AAA picking up console Login-Authentication List name: default
    Sep 7 13:41:06.757: HTTP AAA picking up console Exec-Authorization List name: default
    Sep 7 13:41:06.780: HTTP: Authentication failed for level 15
    This document appears to describe a scenario similar to mine, but is for http - not HTTPS:
    Local Authentication for HTTP Server Users
    http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a0080178a51.shtml#tac-win
    Any ideas what I may be missing here?
    Thanks,
    Jeff

    I found the answer was to use a more specific "ip http authentication" statement. Specifically, it required the following:
    CiscoSecure ACS:
    Group Settings
    Shell (exec)
    Priv Level = 15
    On the AP:
    had to enable:
    ip http authentication aaa login-authentication AP_Web (Named Method List)

  • SSL for Web interface of Aironet 1200

    IS there a way to enable SSL or any security for the web interface of the Aironet APs?


  • AAA authorization show run in priv 7

    Hi, anyone can help...
    I have set up AAA on my network.
    aaa authentication login default group tacacs+ group security local
    aaa authorization exec default group tacacs+ group security local
    aaa accounting exec default start-stop group tacacs+ group security
    tacacs-server host x.x.x.x
    tacacs-server directed-request
    tacacs-server key 7 xyz
    I want to set privilege on a group basis.
    I have created a group called test in the ACS server and set command authorization on a per-group basis
    & added the show command with permit running-config as arguments.
    My objective is to give the users of the test group priv level 7, but they can use show running-config.
    Any help?
    thanks in advance

    Hi,
    Thanks for your reply. It's nearly exactly what I wanted. However, show running-config only shows this:
    7206a#sh run
    Building configuration...
    Current configuration : 53 bytes
    boot-start-marker
    boot-end-marker
    end
    However, #Show config
    shows the proper running-config
    Thanks

  • ASDM and privilege level (using TACACS)

    Hi experts,
    Initial question:     How can I force ASDM to ask for the enable password when the user clicks on Apply?
    Environment description:
    I have an ASA 5510 connected to an ACS 5.0.
    Security policy:
    I want the users defined on my ACS to be able to gain privilege level 15 but only after using their enable password. By default the user must be in non-privileged mode (<15).
    A SNMP alert is sent when the ASA catches a "User priv level changed" syslog message. (logging customization)
    ACS configuration:
    Maybe I misunderstand the TACACS privilege level parameters on ACS.
    I set a Shell Profile which gives the user the following privilege levels:
    Default Privilege Level = 7
    Maximum Privilege Level = 15
    1st config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication http console grp-tacacs LOCAL
    aaa authentication enable console grp-tacacs LOCAL
    ! no authorization set
    Results:
         On CLI:     perfect
    My user authenticates with his network password to get EXEC access. Then he gains privileged access using the enable command and his enable password.
         On ASDM:     policy security failure
    When the user connects through ASDM, he gains privilege level 15 directly
    It seems that if authorization is not set, ASDM always gives privilege level 15 to any user
    So OK for CLI, but NOK for ASDM
    2nd config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication  http console grp-tacacs LOCAL
    aaa authentication enable console grp-tacacs LOCAL
    aaa authorization exec authentication-server
    ! no authorization command set
    Results:
         On CLI:     lose enable access
    I can't gain privilege level 15 access anymore. When I use the enable command, I move to privilege level 7 only. So in this case the ASA uses the TACACS Default Privilege Level value.
         On ASDM:     policy security failure
    When the user connects through ASDM, he gains privilege level 7 as described at the bottom of the ASDM window BUT the user has full rights and can change settings.
    So NOK for CLI and ASDM
    Question:    Why do I have more access rights with ASDM than on CLI with the same settings?
    3rd config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication  http console grp-tacacs LOCAL
    aaa authentication enable console grp-tacacs LOCAL
    aaa authorization exec authentication-server
    aaa authorization command LOCAL
    ! specific authorization command set for ASDM applied
    Results:
         On CLI:     lose enable access (same as config 2)
         On ASDM:     unable to gain privilege level 15 --> acceptable
    When the user connects through ASDM, he gains privilege level 7 as described at the bottom of the ASDM window AND the user really has level 7 access rights.
    So NOK for CLI and Acceptable for ASDM
    Question:     Is there no possibility to move to enable mode on ASDM ?
    4th config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication  http console grp-tacacs LOCAL
    aaa authorization exec authentication-server
    aaa authorization command LOCAL
    ! no aaa authentication for 'enable access', using local enable_15 account
    ! specific authorization command set for ASDM applied
    Results:
         On CLI:     acceptable
    My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and the local enable password
         On ASDM:     unable to gain privilege level 15 --> acceptable (same as config 3)
    So Acceptable for CLI and ASDM
    Questions review:
    1 - Is it possible to force ASDM to ask for the enable password when the user clicks on Apply?
    2 - Why do I have different access rights using ASDM than on CLI with the same settings?
    3 - Is there no possibility to move to enable mode on ASDM when the user is on privilege level 7 whereas he has Maximum Privilege Level = 15?
    4 - How may I understand these parameters on TACACS: Default Privilege Level and Maximum Privilege Level ?
    Thanks for your help.

    Thanks for your answer jedubois.
    In fact, my security policy is like this:
    A) Authentication has to be nominative with a password enforcement policy
         --> I'm using a CS ACS v5.1 appliance with the local user database on it
    B) Every "network" user can be granted privilege level 15
         --> max user privilege level is set to 15 in my authentication mechanism on ACS
    C) A "network" user can log onto the network equipment (RTR, SW and FW) but has monitor access only at first.
    D) A "network" user can be granted privilege level 15 after a second authentication which generates a log message
         --> SNMP trap sent to supervision server
    E) The user password and enable password have to be personal.
    So, I need only 2 privilege levels:
    - monitor (any level from 1 to 14. I set 7)
    - admin (level 15)
    For RTR, SW and FW (on CLI), it works as wanted: the "network" users connect to the equipment in monitor mode. They type "enable" and they use their private enable password to be granted privilege level 15.
    The ASDM interface is requested by the customer.
    For ASDM, as I was not able to satisfy the security policy, I applied this:
    1- I activated Exec Shell Access authorization to get the default user privilege level value from ACS
         --> Then, when I log onto the ASDM using a "network" user, I have privilege level 7 but I am able to change the parameters.
    2- I activated LOCAL Command authorization (adding "ASDM defined User Roles")
         --> Then, when I log onto the ASDM using a "network" user, I have privilege level 7 and I can't push any modification.
         --> The issue is that I can't push any modification on CLI either ... :-( because my user is stuck on "default privilege level" 7 and can't get access to "max privilege level 15" as defined on ACS when LOCAL authorization is set
         (ok, I go on my ACS and move the default privilege level to 15 to restore admin access to the ASA and apply 3- before resetting the default privilege level to 7)
    3- I removed "aaa authorization enable console TACACS" to use the local enable password
         --> now I can't get admin access on ASDM: OK
         --> and I can get admin access on CLI by entering the local enable password
    In the end, I satisfy my security policy items A to D but not E. That's a good compromise, but do you see a solution to satisfy E as well?
    Thanks

  • Enabling Privilege Levels when ACS is Down

    Hi,
    I have a requirement to fall back to local accounts when ACS is down. These accounts will have specific privilege levels. I have two local users - adminro and adminrw.
    adminro is read only and will have a privilege level of 7.
    adminrw is a full access account with a priv level of 15.
    I can log in with adminro when ACS is down, but when I attempt to enable using "enable 7" I receive the following output:
    PPD-ELPUF5/pri/act> en 7
    Enabling to privilege levels is not allowed when configured for
    AAA authentication. Use 'enable' only.
    If I log in using "enable", my read-only account now has full configuration access, which is not desirable.
    My AAA configuration is as follows:
    aaa authentication ssh console ADMIN LOCAL
    aaa authentication enable console ADMIN LOCAL
    aaa authentication http console ADMIN LOCAL
    aaa authentication telnet console ADMIN LOCAL
    aaa authentication serial console ADMIN LOCAL
    aaa authorization command ADMIN LOCAL
    aaa accounting ssh console ADMIN
    aaa accounting command privilege 15 ADMIN
    aaa accounting enable console ADMIN
    aaa accounting serial console ADMIN
    aaa accounting telnet console ADMIN
    aaa authorization exec authentication-server
    username adminro password <REMOVED> encrypted privilege 7
    username adminrw password <REMOVED> encrypted privilege 15
    enable password <REMOVED> level 7 encrypted
    enable password <REMOVED> encrypted
    Is there any way to enable the user or automatically elevate the user to privilege 7 post login like you can with a router? I cannot have the adminro account be able to run configuration commands on the device. Running ASA version 8.2(3).
    Thanks!

    PPD-ELPUF5/pri/act# sh curpriv
    Username : adminro
    Current privilege level : 7
    Current Mode/s : P_PRIV
    Server Group:    ADMIN
    Server Protocol: tacacs+
    Server Address:  1.150.1.80
    Server port:     49
    Server status:   FAILED, Server disabled at 15:02:37 EDT Wed Oct 12 2011
    Number of pending requests              0
    Average round trip time                 2ms
    Number of authentication requests       38
    Number of authorization requests        373
    Number of accounting requests           149
    Number of retransmissions               0
    Number of accepts                       307
    Number of rejects                       19
    Number of challenges                    0
    Number of malformed responses           0
    Number of bad authenticators            0
    Number of timeouts                      234
    Number of unrecognized responses        0
    PPD-ELPUF5/pri/act(config)# name 1.1.1.1 TEST description TEST CHANGE
    PPD-ELPUF5/pri/act(config)# sh run name
    name 1.1.1.1 TEST description TEST CHANGE
    As you can see above, my user was able to perform a change even though it should not be allowed.
    PPD-ELPUF5/pri/act(config)# sh run privilege
    privilege cmd level 7 mode exec command show
    privilege cmd level 7 mode exec command ping
    privilege cmd level 7 mode exec command traceroute

  • FWSM: AAA authentication using TACACS and local authorization

    Hi All,
    In our setup, we are having FWSMs running version 3.2.22 and users are authenticating using TACACS (running Cisco ACS). We would like to give restricted access (some show commands) to a couple of users on all devices. We do not want to use TACACS for command authorization.
    We have created users on TACACS and not allowed "enable" access to them. I have also given those show commands locally on the firewall with privilege level 1 and enabled aaa authorization LOCAL.
    Now, those users can successfully log in to devices and execute those show commands from priv level 1 except "sh access-list". I have specifically mentioned this
    "privilege show level 1 mode exec command access-list"  in the config.
    Is there anything i am missing or is there any other way of doing it?
    Thanks.

    You cannot do what you are trying to do. For default login you need to use the first policy matched.
    You can diversify telnet/ssh from http by creating different aaa groups.
    But still you will be logging in telnet users (all of them) using one method.
    I hope it is clear.
    PK

  • Help with http login privilige levels. Aironet AP-1100.

    In CLI we have users log in at priv 1 and use "enable" to increase privilege and do configurations. This allows "accounting" of command history.
    On the AIR-AP1121G-A-K9 (12.3(8)JED1) I cannot duplicate this for http login.
    I can log in as a user at priv 1. When I try to go to a privileged link like "Security" I get prompted for a second login/pw. Nothing works here unless I have a second user defined at priv 15 and enter that login/pw. The problem is - that login/pw can be used to log in via http in the first place which bypasses accounting of the actual user. It also allows login to the CLI at priv 15 which I cannot permit.
    To test I'm trying to use the most simple tests. No https, no radius, etc.
    After extensive reading of documents and forums I am using this:
    username test1 secret 5 abcdxxx
    username test2 privilege 15 secret 5 efghxxx
    enable secret 5 ijklxxx
    aaa new-model
    <--omit wireless stuff-->
    aaa authentication login default local
    aaa authorization exec default local
    aaa authentication login HTTPonly local
    aaa authorization exec HTTPonly local
    aaa authorization commands 15 HTTPonly local
    aaa cache profile admin_cache
    all
    aaa session-id common
    ip http server
    ip http authentication aaa login-authentication HTTPonly
    ip http authentication aaa exec-authorization HTTPonly
    ip http secure-server

    I'm thinking that maybe it can't be done. I was trying to have the AP require a user level login and then require a second "enable" password for enable privileges - with "straight to enable" not possible from the initial login.
    Here are some more attempts:
    (p1 = user with default privileges, p15 = user defined with privilege 15)
    (step up = can authenticate when some gui links result in secondary login dialog)
    aaa authentication login default local
    ip http server
    no ip http secure-server
    ---Only allows login with no login name, just enable pwd---
    aaa authentication login default local
    ip http server
    ip http authentication local
    ---Allows login with p1 or p15. Only p15 works for step-up---
    aaa authorization exec http1 if-authenticated
    aaa authorization commands 15 http1 local
    ip http server
    ip http authentication aaa exec-authorization http1
    ---Allows login with p1 or p15 user but no step-up if p1---
    aaa authentication login default local
    aaa authorization exec default local
    aaa authorization exec http1 local
    aaa authorization commands 15 http1 local
    ip http server
    ip http authentication aaa exec-authorization http1
    ---Allows login with p1 or p15 user but no step-up if p1---
    aaa authentication login http1 enable
    aaa authorization exec http1 local
    aaa authorization commands 15 http1 local
    ip http server
    ip http authentication aaa login-authentication http1
    ip http authentication aaa command-authorization 15 http1
    no ip http secure-server
    ---Allows login with p1 or p15 only if using enable pw but no step-up if p1---

  • Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)

    Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)
    So I am trying to get TACACS+ auth to work for my ACE.
    The command string that I have on the ACE is as follows:
    tacacs-server host 172.16.101.4 key 7 XXXYYYZZZ timeout 15
    aaa group server tacacs+ tacacs+
      server 172.16.101.4
    aaa authentication login default group tacacs+ local
    aaa authentication login console local
    aaa accounting default group tacacs+ local
    But to finish getting this enabled I need to create some sort of shell (exec) string in the ACS that tells the ACE what permission level to allocate.
    I do not know how to do this on the ACS 5.1.0.44.
    Anyone know?
    TAC made a good suggestion but the command path doesn't seem to line up with my version of ACS.
    Thanks for your reply. About this question:
    shell:<Context>*<Role> <Domain>
    What I meant is that you need to check the following couple of things on
    your ACS server in order to have AAA Tacacs users to login into the
    ACE over the context with superuser rights.
    Group setup -> users -> TACACS+ Settings -> enable Shell(exec)
    -> enable Custom attributes -> right below this part you need to
    use the following syntax to link the ACE context that this user
    has access to.
    For example:
    shell:<Context>*<Role> <Domain>
    shell:Admin*Admin default-domain
    Where this user will have access to the Admin context with the role
    admin using the 'default-domain'

    Wilfred,
    What you will have to do on your version of ACS is modify the shell profile that your admins are hitting for other IOS devices or you can create another shell profile under Policy Elements -> Device Administration ->
    Once you get into this shell profile, select the Custom Attributes tab and fill in the following fields close to the bottom of the screen. From the example you provided, type shell:Admin for the attribute field and then default-domain for the value field, and make sure you select this requirement as optional; if you select mandatory and other IOS devices use this same shell profile, you will force this AV pair to those devices also, which will impact the priv levels that they need for authentication.
    After you add this attribute, save your changes and then test. Also make sure that your Access Policy is calling this shell profile under the authorization profile for default device admin.
    Thanks,
    Tarik Admani

  • Cisco AAA authentication with windows radius server

    Cisco - Windows Radius problems
    I need to create a limited access group through radius that I can have new network analysts log into
    and not be able to commit changes or get into global config.
    Here are my current radius settings
    aaa new-model
    aaa group server radius IAS
     server name something.corp
    aaa authentication login USERS local group IAS
    aaa authorization exec USERS local group IAS
    radius server something.corp
     address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
     key mypassword
    line vty 0 4
     access-class 1 in
     exec-timeout 0 0
     authorization exec USERS
     logging synchronous
     login authentication USERS
     transport input ssh
    When I log in to the switch, the radius server is passing the correct attribute
    ***Jan 21 13:59:51.897: RADIUS:   Cisco AVpair       [1]   18  "shell:priv-lvl=7"
    The switch is accepting it and putting you in the correct priv level.
    ***Radius-Test#sh priv
       Current privilege level is 7
    I am not sure why it logs you in with the prompt for  privileged EXEC mode when
    you are in priv level 7. This shows that even though it looks like you're in priv exec
    mode, you are not.
    ***Radius-Test#sh run
                    ^
       % Invalid input detected at '^' marker.
       Radius-Test#
    Now this is where I am very lost.
    I am in priv level 7, but as soon as I use the enable command it moves me up to 15, and that gives me access to
    global config mode.
    ***Radius-Test#enable
       Radius-Test#
    Debug log -
    Jan 21 14:06:28.689: AAA/MEMORY: free_user (0x2B46E268) user='reynni10'
    ruser='NULL' port='tty390' rem_addr='10.100.158.83' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
    Now it doesn't matter that I was given priv level 7 by radius because 'enable' put me into priv 15
    ***Radius-Test#sh priv
       Current privilege level is 15
       Radius-Test#
    I have tried to set
    ***privilege exec level 15 enable
    It works and I am no longer able to use 'enable' when I am at priv level 7, but I also cannot get the commands they will need to work.
    Even if I try to do
    ***privilege exec level 7 show running-config (or other variations)
    It will allow you to type sh run without errors, but it doesn't actually run the command.
    What am I doing wrong?
    I also want to get PKI working with radius.

    I can run a test on my radius system, will report back accordingly, as it's a different server than where I am currently located.
    Troubleshooting, have you deleted the certificate/network profile on the devices and started from scratch?

  • AAA and CNA?

    I am trying to configure a 3750 switch for AAA. Telnet and SSH work fine but CNA and HTTP are not working. Both SSH and Telnet need to authenticate using RADIUS but CNA/HTTP needs to authenticate using a local account because the local administrator only uses the CNA for management and the admins in TACACS use the CLI. Here is what I have so far.
    aaa new-model
    aaa authentication login default local group tacacs+
    aaa authentication login con line
    aaa authentication login http_auth local enable
    aaa authorization config-commands
    aaa authorization exec default local group tacacs+
    aaa authorization exec http_auth local
    aaa authorization commands 1 default local group tacacs+
    aaa authorization commands 15 http_auth local
    aaa authorization network default local group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa session-id common
    ip http authentication aaa login-authentication http_auth
    ip http authentication aaa exec-authorization http_auth
    ip http authentication aaa command-authorization 15 http_auth
    tacacs-server host X.X.X.X
    tacacs-server directed-request
    tacacs-server key 7 XXXXX
    The debugs show the connection authenticating correctly.
    170536: 48w1d: HTTP AAA Login-Authentication List name: http_auth
    170537: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
    170538: 48w1d: AAA/BIND(000003FA): Bind i/f
    170539: 48w1d: AAA/AUTHEN/LOGIN (000003FA): Pick method list 'http_auth'
    170540: 48w1d: AAA/AUTHOR (0x3FA): Pick method list 'http_auth'
    170541: 48w1d: HTTP: Priv level authorization success priv_level: 15
    170542: 48w1d: HTTP: Priv level granted 15
    170543: 48w1d: AAA/BIND(000003FB): Bind i/f
    170544: 48w1d: HTTP AAA Login-Authentication List name: http_auth
    170545: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
    170546: 48w1d: AAA/BIND(000003FC): Bind i/f
    170547: 48w1d: AAA/AUTHEN/LOGIN (000003FC): Pick method list 'http_auth'
    170548: 48w1d: AAA/AUTHOR (0x3FC): Pick method list 'http_auth'
    170549: 48w1d: HTTP: Priv level authorization success priv_level: 15
    170550: 48w1d: HTTP: Priv level granted 15
    170551: 48w1d: AAA/BIND(000003FD): Bind i/f
    170552: 48w1d: AAA: parse name=tty0 idb type=-1 tty=-1
    170553: 48w1d: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
    170554: 48w1d: AAA/MEMORY: create_user (0x632D26C) user='granto-mark' ruser='Switch' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=1 initial_task_id='0', vrf= (id=0)
    170555: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): Port='tty0' list='' service=CMD
    170556: 48w1d: AAA/AUTHOR/CMD: tty0 (1941738464) user='granto-mark'
    170557: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV service=shell
    170558: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd=show
    170559: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd-arg=version
    170560: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd-arg=<cr>
    170561: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): found list "default"
    170562: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): Method=LOCAL
    170563: 48w1d: AAA/AUTHOR (1941738464): Post authorization status = PASS_ADD
    170564: 48w1d: AAA/MEMORY: free_user (0x632D26C) user='granto-mark' ruser='Switch' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=1
    170565: 48w1d: HTTP AAA Login-Authentication List name: http_auth
    170566: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
    170567: 48w1d: AAA/BIND(000003FE): Bind i/f
    170568: 48w1d: AAA/AUTHEN/LOGIN (000003FE): Pick method list 'http_auth'
    170569: 48w1d: AAA/AUTHOR (0x3FE): Pick method list 'http_auth'
    170570: 48w1d: HTTP: Priv level authorization success priv_level: 15
    170571: 48w1d: HTTP: Priv level granted 15
    170572: 48w1d: AAA/BIND(000003FF): Bind i/f
    170573: 48w1d: HTTP AAA Login-Authentication List name: http_auth
    170574: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
    170575: 48w1d: AAA/BIND(00000400): Bind i/f
    170576: 48w1d: AAA/AUTHEN/LOGIN (00000400): Pick method list 'http_auth'
    170577: 48w1d: AAA/AUTHOR (0x400): Pick method list 'http_auth'
    170578: 48w1d: HTTP: Priv level authorization success priv_level: 15
    170579: 48w1d: HTTP: Priv level granted 15
    170580: 48w1d: AAA/BIND(00000401): Bind i/f
    Any help would be appreciated.
    Thanks,
    Robert
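    A small cross-check for the kind of configuration posted above, added here as an illustration and not taken from the post or from Cisco: it parses the `aaa ... ` method-list lines and the `ip http authentication aaa ...` bindings, reports any binding that points at a list that is never defined, and lists every command level that has an AAA list but no HTTP binding. The assumption behind that last check (labelled in the code) is that such a level is authorized through the `default` list for that level; the sample config and debug lines are copied from the post above, and the script's own names (`audit_http_aaa`, `summarize_debug`, the regexes) are mine.

```python
import re
from collections import defaultdict

# Constructed sample: the AAA and HTTP lines quoted in the post above (TACACS host lines omitted).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local group tacacs+
aaa authentication login con line
aaa authentication login http_auth local enable
aaa authorization config-commands
aaa authorization exec default local group tacacs+
aaa authorization exec http_auth local
aaa authorization commands 1 default local group tacacs+
aaa authorization commands 15 http_auth local
aaa authorization network default local group tacacs+
ip http authentication aaa login-authentication http_auth
ip http authentication aaa exec-authorization http_auth
ip http authentication aaa command-authorization 15 http_auth
"""

# Constructed sample: a handful of the debug lines quoted in the post.
SAMPLE_DEBUG = """\
170539: 48w1d: AAA/AUTHEN/LOGIN (000003FA): Pick method list 'http_auth'
170540: 48w1d: AAA/AUTHOR (0x3FA): Pick method list 'http_auth'
170558: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd=show
170561: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): found list "default"
170562: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): Method=LOCAL
170563: 48w1d: AAA/AUTHOR (1941738464): Post authorization status = PASS_ADD
"""

LIST_RE = re.compile(
    r"^aaa (?P<kind>authentication login|authorization (?:exec|network|commands \d+)) "
    r"(?P<name>\S+) (?P<methods>.+)$"
)
HTTP_RE = re.compile(
    r"^ip http authentication aaa (?P<hook>[a-z-]+)(?: (?P<level>\d+))? (?P<name>\S+)$"
)
DEBUG_RE = re.compile(
    r"Pick method list '(?P<pick>[^']+)'|found list \"(?P<found>[^\"]+)\""
    r"|Method=(?P<method>\w+)|status = (?P<status>\w+)"
)
# Which AAA list type each 'ip http authentication aaa' hook consumes.
HOOK_TO_KIND = {
    "login-authentication": "authentication login",
    "exec-authorization": "authorization exec",
    "command-authorization": "authorization commands",
}


def parse_method_lists(config):
    """Return {(list_type, list_name): [methods]} for every AAA method list in the config."""
    lists = {}
    for line in config.splitlines():
        m = LIST_RE.match(line.strip())
        if m:
            # Keep 'group tacacs+' together as one method rather than two tokens.
            lists[(m["kind"], m["name"])] = re.findall(r"group \S+|\S+", m["methods"])
    return lists


def http_list_bindings(config):
    """Return [(hook, level_or_None, list_name)] for the HTTP server's AAA bindings."""
    bindings = []
    for line in config.splitlines():
        m = HTTP_RE.match(line.strip())
        if m:
            bindings.append((m["hook"], m["level"], m["name"]))
    return bindings


def audit_http_aaa(config):
    """Cross-check the HTTP bindings against the defined lists and return a list of findings."""
    lists = parse_method_lists(config)
    findings = []
    bound_cmd_levels = set()
    for hook, level, name in http_list_bindings(config):
        kind = HOOK_TO_KIND[hook]
        if level is not None:
            kind = f"{kind} {level}"
            bound_cmd_levels.add(level)
        if (kind, name) not in lists:
            findings.append(f"HTTP {hook} references undefined list '{name}' for '{kind}'")
    # Assumption (see lead-in): a command level with no HTTP binding is authorized
    # through that level's 'default' list, so surface every such level explicitly.
    cmd_levels = {kind.split()[-1] for kind, _ in lists if kind.startswith("authorization commands")}
    for level in sorted(cmd_levels - bound_cmd_levels, key=int):
        default = lists.get((f"authorization commands {level}", "default"))
        findings.append(
            f"HTTP command-authorization has no binding for level {level}; "
            f"level-{level} commands fall to list 'default' -> {default}"
        )
    return findings


def summarize_debug(debug):
    """Tally which list / method / status each 'debug aaa' event resolved to."""
    counts = defaultdict(int)
    for line in debug.splitlines():
        m = DEBUG_RE.search(line)
        if m:
            for key, val in m.groupdict().items():
                if val:
                    counts[(key, val)] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in audit_http_aaa(SAMPLE_CONFIG):
        print("finding:", f)
    for (key, val), n in sorted(summarize_debug(SAMPLE_DEBUG).items()):
        print(f"{key:7s} {val:10s} x{n}")
```

    On the quoted config the only finding is that level 1 has no HTTP command-authorization binding, so level-1 commands are checked against the `default` list (`local group tacacs+`); the quoted debug is consistent with that, since the `show version` lookup logs `found list "default"` and `Method=LOCAL` rather than `http_auth`. The debug tally is the part worth keeping around when reviewing `debug aaa` output: it shows at a glance which list each authentication and authorization decision actually used, which is the first thing to confirm before adjusting method lists.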

    Good day.
    Have you made any progress? I currently have an issue similar to yours with the IOS upgrade. Please see the link below to my discussion.
    Sincerely,
    Marc
    https://supportforums.cisco.com/message/3562335#3562335
