Changing privilege levels at runtime

Users can change their privilege levels at runtime. The privilege level determines what commands a user can access through TACACS+ server authorization.

A user can use the tacacs switch level command only after the TACACS+ server has authenticated that user. Locally authenticated users (users authenticated by the switch alone and not by the TACACS+ server) cannot use the tacacs switch level command.

Before you begin

  • You need to configure separate profiles in the TACACS+ server configuration file for switch level. As part of the profile, you specify a user name, level, and password.

About this task

After you enable TACACS+ authorization, the privilege-level to command mapping configured on the switch no longer applies, because the TACACS+ server has complete responsibility for command authorization. TACACS+ authorization grants access to the system based on user name, not on privilege level.

After you enable TACACS+ command authorization for a particular privilege level, a user who logs on with that privilege level can access commands based on their user name.

Note

If you want to switch to privilege level X using the tacacs switch level <1-15> command, you must create a user named "$enabX$" on the TACACS+ server, where X is the privilege level to which you want to change. The switch prompts for that user's password when you run the command.
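The following server-side profiles are an added example written for this page; they are not taken from the switch documentation or from any vendor configuration. They assume the shrubbery.net tac_plus daemon and its configuration syntax; the shared key, user names, password hashes and the set of permitted commands are placeholders. The page does not state which user name the switch presents for command authorization after the level switch, so both the operator profile and the $enab5$ profile carry explicit command clauses.

```conf
# tac_plus.cfg (added example, not from the switch documentation)
# Assumes the shrubbery.net tac_plus daemon. Values are placeholders.

# Shared secret used for TACACS+ body obfuscation; must match the key
# configured on the switch. Keep it long and random.
key = "replace-with-a-long-random-shared-secret"

# Ordinary operator profile. With TACACS+ authorization enabled the
# switch's own level-to-command mapping is not consulted; the commands
# this account may run are whatever is permitted here, by user name.
user = netops {
    login = des "XXXXXXXXXXXXX"          # crypt(3) hash, never cleartext here
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        permit .*
    }
    cmd = enable {
        permit .*
    }
    cmd = tacacs {
        permit "switch level 5"          # allow the runtime level change
        permit "switch back"
        deny .*
    }
    # Commands with no matching cmd clause are denied by tac_plus default.
}

# Profile consulted when an operator runs "tacacs switch level 5".
# The user name must follow the $enab<n>$ form from the documentation;
# the password configured here is the one the switch prompts for.
user = $enab5$ {
    login = des "YYYYYYYYYYYYY"          # separate password from the operator account
    service = exec {
        priv-lvl = 5
    }
    cmd = show {
        permit .*
    }
    cmd = configure {
        permit terminal
    }
    cmd = interface {
        permit .*
    }
    # Anything not listed above is denied.
}
```

Create one $enab<n>$ profile per level you intend to allow, and do not reuse the operator's password for it; the level switch is only as strong as that second credential. Note also that TACACS+ body obfuscation (RFC 8907) is a shared-key MD5 pad, not real encryption, so keep the switch-to-server path on a protected management network and restrict read access to this file, which holds the shared key and the password hashes.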

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Change the privilege level for a user at runtime:

    tacacs switch level <1–15>

  3. Return to the original privilege level:

    tacacs switch back

Example

Change the privilege level for a user at runtime:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#tacacs protocol enable
Switch:1(config)#tacacs switch level 5
Password:******

Return to the original privilege level:

Switch:1(config)#tacacs switch back

Variable Definitions

The following table defines parameters for the tacacs switch command.

Variable          Value

level <1–15>      Specifies the privilege level you want to access. You can change your privilege level at runtime by using this parameter. You are prompted to provide the required password. If you do not specify a level in the command, the administration level is selected by default.

                  Note: For switch level, you need to configure separate profiles in the TACACS+ server configuration file. As part of the profile, you specify a username, level, and password. To preconfigure a dummy user for that level on the TACACS+ daemon, the format of the username for the dummy user is $enab<n>$, where <n> is the privilege level to which you want to allow access.

back              Specifies that you want to return to the original privilege level.