Privilege Level Changes at Runtime

You need to configure separate profiles in the TACACS+ server configuration file for the switch level. The switch supports only levels 1 to 6 and level 15. The switch uses the profile when you issue the command tacacs switch level <1–15>. As part of the profile, you specify a user name, level, and password. To preconfigure a dummy user for that level on the TACACS+ daemon, the format of the user name for the dummy user is $enab<n>$, where <n> is the privilege level to which you want to allow access.

The following is an example of a TACACS+ server profile, which you configure on the TACACS+ server:

user = $enab6$ { 
member = level6 
login = cleartext get-me-on-6
} 

TACACS+ command authorization

After you enable TACACS+ authorization, the current privilege-level to command mapping on the switch is no longer relevant because the TACACS+ server has complete responsibility for command authorization. TACACS+ authorization provides access to the system based on username, not based on privilege level.

After you enable TACACS+ command authorization for a particular privilege level, and a user with that privilege level logs on, the user can access commands based on his user name.

TACACS+ switch level and TACACS+ switch back commands

The user can only issue the tacacs switch level command after TACACS+ authenticates the user. Locally authenticated users, which means users authenticated only by the switch and not by the TACACS+ server, cannot use the tacacs switch level command.

Consider a user, called X, with a privilege level of 4, who uses the tacacs switch level <1-15> command to change the privilege level from 4 to 6.

If user X successfully changes the switch level to 6, the user name changes from X to “$enab6$”, and the privilege level changes from 4 to 6. If TACACS+ command authorization is enabled for privilege level 6, then the TACACS+ server authorizes commands issued based on the rules defined for (dummy) user “$enab6$”.

If TACACS+ command authorization is not enabled for privilege level 6, then the switch locally authorizes the user X based on the privilege level of the user.

The user can return to his previous privilege level using the tacacs switch back command. In the preceding scenario, if the user issues the tacacs switch back command, the user name changes for user X from “$enab6$” to X, and the privilege level changes from 6 to 4.

TACACS+ switch level supports up to eight levels, and TACACS+ switch level allows a user to switch level up to eight times from his original privilege level. The switch stores all of the previous privilege levels in the same order in which the user switches levels. After switching eight times, if the user tries to switch a level the ninth time, the following error message displays:

Only allowed to switch level 8 times!

The user can switch back to his previous privilege levels using the tacacs switch back command. The tacacs switch back command switches back in the reverse order in which you issued the tacacs switch level command. Consider a user who switched levels from 4 to 5, and then to 6. If the user used the tacacs switch back command, the user first moves from 6 to 5, and then using the tacacs switch back command again moves from 5 to 4.

Note

If you want to switch to a privilege level 'X' using tacacs switch level <1-15> command, you must create a user "$enabX$" on the TACACS+ server. X is the privilege level that you want to change.

TACACS+ switch level functionality:

The following table explains TACACS+ switch level functionality.

TACACS+ command authorization functionality:

The following table explains TACACS+ command authorization functionality.

Note

A user who configures TACACS+ is locally authenticated and authorized by the switch, so even after the user configures TACACS+, the switch continues to locally authorize the user.