Change Privilege Levels at Runtime
Users can change their privilege levels at runtime. The privilege level determines what commands a user can access through TACACS+ server authorization.
A user can use the tacacs switch level command only after TACACS+ authenticates the user. Locally authenticated users (users authenticated only by the switch and not by the TACACS+ server) cannot use the tacacs switch level command.
Before you begin
You need to configure separate profiles in the TACACS+ server configuration file for switch level. As part of the profile, you specify a user name, level, and password.
About this task
After you enable TACACS+ authorization, the current privilege-level to command mapping on the switch is no longer relevant because the TACACS+ server has complete responsibility for command authorization. TACACS+ authorization provides access to the system based on username, not based on privilege level.
After you enable TACACS+ command authorization for a particular privilege level, and a user with that privilege level logs on, the commands that user can access are determined by the user name.
Note
If you want to switch to privilege level X using the tacacs switch level <1-15> command, you must create a user "$enabX$" on the TACACS+ server, where X is the privilege level to which you want to change.
Procedure
Example
Change the privilege level for a user at runtime:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#tacacs protocol enable
Switch:1(config)#tacacs switch level 5
Password:******
Return to the original privilege level:
Switch:1(config)#tacacs switch back
Variable Definitions
The following table defines parameters for the tacacs switch command.
Variable | Value
---|---
level <1–15> | Specifies the privilege level you want to access. You can change your privilege level at runtime by using this parameter. You are prompted to provide the required password. If you do not specify a level in the command, the administration level is selected by default. Note: For switch level, you need to configure separate profiles in the TACACS+ server configuration file. As part of the profile, you specify a username, level, and password. To preconfigure a dummy user for that level on the TACACS+ daemon, the format of the username for the dummy user is `$enab<n>$`, where `<n>` is the privilege level to which you want to allow access.
back | Specifies that you want to return to the original privilege level.
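The server-side profiles that the Note and the level parameter require are not shown on this page; the following is an added example, not the switch vendor's own text, written in the configuration syntax of the open-source tac_plus daemon. It assumes that daemon's syntax (key, accounting file, user, login, service = exec, cmd blocks); the shared secret and password hashes are placeholders, and the priv-lvl value and the per-command permit/deny rules are the server administrator's choices, not values this page specifies.

```conf
# Added example for a tac_plus-style TACACS+ daemon; not from the original page.
# Shared secret between the switch and the server: placeholder, replace before use.
key = "SHARED-SECRET-PLACEHOLDER"

# Accounting log, so runtime level changes and authorized commands are recorded.
accounting file = /var/log/tac_plus.acct

# Operator who logs on to the switch. With TACACS+ authorization enabled, the
# rules in this profile (keyed by user name) decide which commands may run;
# the switch's own privilege-level-to-command mapping is no longer consulted.
user = operator1 {
    login = des "DES-HASH-PLACEHOLDER"
    service = exec {
        priv-lvl = 1
    }
    cmd = show { permit .* }
    cmd = enable { permit .* }
    # Allow only the two runtime level-change forms described on the page.
    cmd = tacacs { permit "switch level 5" permit "switch back" deny .* }
    cmd = configure { deny .* }
}

# Dummy profile for "tacacs switch level 5". The user name carries the level
# in the $enab<n>$ format; the password is the one typed at the switch prompt.
# priv-lvl = 5 is an assumed value chosen to match the level in the name.
user = $enab5$ {
    login = des "DES-HASH-PLACEHOLDER"
    service = exec {
        priv-lvl = 5
    }
}
```

One such `$enab<n>$` profile is needed for every level that users are allowed to switch to; levels without a profile cannot be reached with tacacs switch level.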