Privilege Level Changes at Runtime

You can change your privilege level at runtime with the tacacs switch level command.

You need to configure separate profiles in the TACACS+ server configuration file for the switch level. The switch supports only levels 1 to 6 and level 15. The switch uses the profile when you issue the command tacacs switch level <1–15>. As part of the profile, you specify a user name, level, and password. To preconfigure a dummy user for that level on the TACACS+ daemon, the format of the user name for the dummy user is $enab<n>$, where <n> is the privilege level to which you want to allow access.

The following is an example of a TACACS+ server profile, which you configure on the TACACS+ server:
user = $enab6$ { 
member = level6 
login = cleartext get-me-on-6
} 

The following table maps user accounts to TACACS+ privilege level.

Switch access level

TACACS+ privilege level

Description

NONE

0

If the TACACS+ server returns an access level of 0, the user is denied access. You cannot log into the device if you have an access level of 0.

READ ONLY

1

Permits you to view only configuration and status information.

LAYER 1 READ WRITE

2

Permits you to view most of the switch configuration and status information and change physical port settings.

LAYER 2 READ WRITE

3

Permits you to view and change configuration and status information for Layer 2 (bridging and switching) functions.

LAYER 3 READ WRITE

4

Permits you to view and change configuration and status information for Layer 2 and Layer 3 (routing) functions.

READ WRITE

5

Permits you to view and change configuration and status information across the switch. This level does not allow you to change security and password settings.

READ WRITE ALL

6

Permits you to have all the rights of read-write access and the ability to change security settings, including command line interface (CLI) and web-based management user names and passwords, and the SNMP community strings.

NONE

7 to 14

If the TACACS+ server returns an access level of 7 to 14, the user is denied access. You cannot log into the device if you have an access level of 7 to 14.

READ WRITE ALL

15

Permits you to have all the rights of read-write access and the ability to change security settings, including command line interface (CLI) and web-based management user names and passwords, and the SNMP community strings.

Note:

Access level 15 is internally mapped to access level 6, which ensures consistency with other vendor implementations. The switch does not differentiate between an access level of 6 and an access level of 15.

Note

Note

If you enable enhanced secure mode with the boot config flags enhancedsecure-mode command, you enable different access levels, along with stronger password complexity, length, and minimum change intervals. With enhanced secure mode enabled, the switch supports the following access levels for RADIUS authentication:
  • Administrator

  • Privilege

  • Operator

  • Auditor

  • Security

The switch associates each username with a certain role and appropriate authorization rights to view and configure commands. For more information, see Enhanced Secure Mode.

TACACS+ command authorization

After you enable TACACS+ authorization, the current privilege-level to command mapping on the switch is no longer relevant because the TACACS+ server has complete responsibility for command authorization. TACACS+ authorization provides access to the system based on username, not based on privilege level.

After you enable TACACS+ command authorization for a particular privilege level, and a user with that privilege level logs on, the user can access commands based on his user name.

TACACS+ switch level and TACACS+ switch back commands

The user can only issue the tacacs switch level command after TACACS+ authenticates the user. Locally authenticated users, which means users authenticated only by the switch and not by the TACACS+ server, cannot use the tacacs switch level command.

Consider a user, called X, with a privilege level of 4, who uses the tacacs switch level <1-15> command to change the privilege level from 4 to 6.

If user X successfully changes the switch level to 6, the user name changes from X to “$enab6$”, and the privilege level changes from 4 to 6. If TACACS+ command authorization is enabled for privilege level 6, then the TACACS+ server authorizes commands issued based on the rules defined for (dummy) user “$enab6$”.

If TACACS+ command authorization is not enabled for privilege level 6, then the switch locally authorizes the user X based on the privilege level of the user.

The user can return to his previous privilege level using the tacacs switch back command. In the preceding scenario, if the user issues the tacacs switch back command, the user name changes for user X from “$enab6$” to X, and the privilege level changes from 6 to 4.

TACACS+ switch level supports up to eight levels, and TACACS+ switch level allows a user to switch level up to eight times from his original privilege level. The switch stores all of the previous privilege levels in the same order in which the user switches levels. After switching eight times, if the user tries to switch a level the ninth time, the following error message displays:

Only allowed to switch level 8 times!

The user can switch back to his previous privilege levels using the tacacs switch back command. The tacacs switch back command switches back in the reverse order in which you issued the tacacs switch level command. Consider a user who switched levels from 4 to 5, and then to 6. If the user used the tacacs switch back command, the user first moves from 6 to 5, and then using the tacacs switch back command again moves from 5 to 4.

Note

Note

If you want to switch to a privilege level 'X' using tacacs switch level <1-15> command, you must create a user "$enabX$" on the TACACS+ server. X is the privilege level that you want to change.

TACACS+ switch level functionality:

The following table explains TACACS+ switch level functionality.

User logs in with

TACACS+ server available

Result

TACACS+ authentication

Yes

The user can issue the tacacs switch level <1–15> command.

Local authentication

No

The user cannot issue the tacacs switch level <1–15> command.

Local authentication

Yes

Even if a TACACS+ server becomes reachable, the user remains locally authenticated and cannot issue the tacacs switch level <1–15> command.

TACACS+ command authorization functionality:

The following table explains TACACS+ command authorization functionality.

User logs in with

Command authorization

Result

Local authentication

The switch authorizes the user locally.

TACACS+ authentication

Not enabled for the logged-in level.

The switch authorizes the user locally. If the server connection is lost, the switch authorizes the user locally.

TACACS+ authentication

Enabled for the logged-in level.

The TACACS+ server authorizes the user. If the server connection is lost, the user can only issue exit and logout commands.

Note

Note

A user who configures TACACS+ is locally authenticated and authorized by the switch, so even after the user configures TACACS+, the switch continues to locally authorize the user.