Friday, December 2, 2011

Cisco IOS User Privilege

Nothing new in this entry. Just to jot down a couple of thoughts about the IOS command below:
aaa authorization exec default local group tacacs+
In Cisco IOS, a user may be assigned a privilege level from 1 to 15 for accessing a device. Each privilege level may be configured to permit different commands, but the simplest and most common practice is likely that a user is given level 1, which by default only allows the user to do things such as showing status. When a user needs to change the configuration on the device, he or she may use the enable command to gain the required privilege, usually level 15.

There are a couple of ways for that privilege elevation to be authorized. One common way is to configure an enable secret on the device. The argument is that the device can still be configured even when it loses its connection to an authentication, authorization and accounting (AAA) server.

On the other hand, if someone mistakenly breaks the enable secret configuration on a device, having an alternative authorization route allows that mistake to be fixed relatively easily without a physical visit to the device, provided that the enable secret is the only thing wrong on it and it is still talking to the AAA servers.

That leads to the IOS command line above: it says to try the local enable secret first when a user asks for the enable privilege level; if that fails, try the TACACS+ server(s) configured on the device.
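As an added illustration (not part of the original post), here is a small Python model of how IOS walks an AAA method list like the one above: methods are consulted in order, and the list moves on to the next method only when the current one returns an error (no local username entry, or no TACACS+ server answered); a definite pass or fail ends the evaluation. The user names, privilege levels and server state are constructed stand-ins.

```python
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    PASS = "pass"    # method authorized the user
    FAIL = "fail"    # method explicitly denied the user
    ERROR = "error"  # method could not decide (no entry / no server reply)


def parse_method_list(line: str) -> List[str]:
    """Return the ordered methods of an 'aaa authorization <type> <list>' line.
    'group <name>' is a single method, so the two tokens are kept together."""
    tokens = line.split()
    if tokens[:2] != ["aaa", "authorization"] or len(tokens) < 5:
        raise ValueError("not an 'aaa authorization' method-list line")
    rest, methods, i = tokens[4:], [], 0
    while i < len(rest):
        if rest[i] == "group" and i + 1 < len(rest):
            methods.append("group " + rest[i + 1])
            i += 2
        else:
            methods.append(rest[i])
            i += 1
    return methods


def build_handlers(local_users: Dict[str, int], tacacs_up: bool,
                   tacacs_users: Dict[str, int]) -> Dict[str, Callable]:
    """Constructed stand-ins for the 'local' and 'group tacacs+' methods."""
    def local(user: str):
        # 'local' consults 'username ... privilege N'; no entry is an ERROR,
        # not a FAIL, which is what lets the list move on to the next method.
        return (Result.PASS, local_users[user]) if user in local_users else (Result.ERROR, None)

    def tacacs(user: str):
        if not tacacs_up:                 # no server answered: ERROR
            return Result.ERROR, None
        level = tacacs_users.get(user)    # server answered: PASS or FAIL
        return (Result.PASS, level) if level is not None else (Result.FAIL, None)

    return {"local": local, "group tacacs+": tacacs}


def authorize(methods: List[str], handlers: Dict[str, Callable],
              user: str) -> Tuple[Result, Optional[int], Optional[str]]:
    """Walk the list in order; only an ERROR consults the next method.
    If every method errors, the user is not authorized (modelled as FAIL)."""
    for name in methods:
        result, level = handlers[name](user)
        if result is not Result.ERROR:
            return result, level, name
    return Result.FAIL, None, None
```

Note that a user who has a local username entry is decided by the local method alone, even with TACACS+ reachable; only users unknown locally reach the server.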
