Thursday, September 5, 2019

CISCO: Allow show running in Privilege 1?

Hi, we have a router that currently authenticates to a TACACS server, but the issue is that one of the accounts can execute show running (limited output) and the other account is not allowed to run/execute the command. Here are the configuration and the results:

Config:

aaa authentication login default group AUTH local
aaa authorization exec default group AUTH if-authenticated
aaa authorization commands 1 default group AUTH if-authenticated
aaa authorization commands 15 default group AUTH local if-authenticated
aaa accounting commands 15 default stop-only group AUTH

ROUTER#sh run | i privi
privilege exec level 1 show spanning-tree
privilege exec level 1 show logging
privilege exec level 1 show startup-config
privilege exec level 1 show running-config

Acct 1 - Successful but limited output

ROUTER>sh pri
Current privilege level is 1
ROUTER>sh running-config
Building configuration...

Current configuration : 195 bytes
!
! Last configuration change at 07:17:43 GMT Thu Sep 5 2019 by robelar
! NVRAM config last updated at 07:18:23 GMT Thu Sep 5 2019 by robelar
!
boot-start-marker
boot-end-marker
!
!
!
!
!
!
end

Question:

  1. For the limited output from the show run command, is this because of the current privilege level, which is 1?

A: This is by design and is part of the command security mechanisms in IOS. Even though you lower the required privilege level for the show running-config command, the output will never include commands that are above the user's privilege level. Since configuration commands are level 15 by default, the output will appear blank. If you lower specific commands to level 7, these will appear in the running-config when the command is issued by the privilege level 7 user.

Acct 2 - Not successful, Authorization failed

ROUTER>sh running-config Command authorization failed. 

Question:

  1. For this, why can't Acct 2 even execute the "show run" command?

Thanks
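The answer above explains why the level-1 user gets an almost empty running-config. The following is an added, constructed Python model of that behaviour (not Cisco code and not from the original post): the command itself is allowed once lowered to level 1, but each configuration line is shown only if its own privilege level is at or below the user's. The sample configuration, the `privilege` tables and the single shared command-level table for all configuration modes are assumptions made for the example.

```python
# Constructed model (not Cisco code) of the IOS behaviour described in the
# answer: "privilege exec level 1 show running-config" lets a level-1 user
# issue the command, but the displayed configuration only contains commands
# whose own privilege level is at or below the user's level.
# Simplification: all configuration modes share one command-level table.

DEFAULT_CONFIG_LEVEL = 15   # configuration commands are level 15 unless lowered
# Default exec levels for the commands this model needs (assumed table).
DEFAULT_EXEC_LEVELS = {"show": 1, "show running-config": 15,
                       "show startup-config": 15, "configure": 15}
STRUCTURAL = {"end", "boot-start-marker", "boot-end-marker"}

def required_level(command, levels, default):
    """Longest-prefix match of a command against the 'privilege ... level N' table."""
    words = command.split()
    for n in range(len(words), 0, -1):
        prefix = " ".join(words[:n])
        if prefix in levels:
            return levels[prefix]
    return default

def can_run(command, user_level, exec_levels):
    """Local privilege-level check only. AAA command authorization (the TACACS
    step that failed for Acct 2 on the page) is a separate decision not modelled."""
    table = {**DEFAULT_EXEC_LEVELS, **exec_levels}
    return user_level >= required_level(command, table, 1)

def visible_running_config(config_lines, user_level, config_levels):
    """Lines a user at user_level sees from 'show running-config'. Comment and
    marker lines are not commands and always appear, which is why the level-1
    user on the page sees only '!' lines and 'end'."""
    shown = []
    for line in config_lines:
        cmd = line.strip()
        if not cmd or cmd.startswith("!") or cmd in STRUCTURAL:
            shown.append(line)
        elif required_level(cmd, config_levels, DEFAULT_CONFIG_LEVEL) <= user_level:
            shown.append(line)
    return shown

# Constructed running configuration as a level-15 operator would see it.
RUNNING_CONFIG = ["hostname ROUTER", "!", "interface GigabitEthernet0/0",
                  " ip address 192.0.2.1 255.255.255.0", "!",
                  "line vty 0 4", " transport input ssh", "!", "end"]
# The page's configuration: show running-config lowered to level 1, nothing else.
PAGE_EXEC_LEVELS = {"show running-config": 1}
# The answer's suggestion: lower selected configuration commands to level 7.
LEVEL7_CONFIG = {"hostname": 7, "interface": 7, "ip address": 7}

if __name__ == "__main__":
    print(can_run("show running-config", 1, PAGE_EXEC_LEVELS))       # True
    print(visible_running_config(RUNNING_CONFIG, 1, {}))             # only '!' and 'end'
    print(visible_running_config(RUNNING_CONFIG, 7, LEVEL7_CONFIG))  # hostname, interface, ip address
```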
