Remote authentication access levels

Discussion created by bwarfield on Apr 17, 2018
Latest reply on Apr 17, 2018 by fvalcho

In the spirit of sharing knowledge for others to more easily find, I'd like to share a brief correspondence I had this morning with another user regarding access-levels when authenticating with a radius or tacacs server.


The question (paraphrased):  Users are able to log in using server credentials but receive diag level access.  How can I specify other access levels?  


This question is referring to the level of access and what commands a user is allowed to run.  The user's current level can be shown with the "user whoami" command



lab-5140> user whoami
username: testuser access-level: diag


This is controlled by the response from the authentication server with a level.  Through some experimentation and testing different values, these are what I've found to work:


1: limited

2-9: admin

10-14: super

15: diag


There are many different variations of servers out there and I can't provide details on how to configure them all.  But I will include what's working for me in using tacacs_plus on ubuntu 16.04.  This is the section of interest in the tac_plus.conf file:


group = admins {
login = file /etc/passwd
service = exec {
priv-lvl = 15


Hope this helps!