Indeed, super-user priv on Foundry devices is 0 instead of 15, but that is only as far as the CLI input goes. On the server, it is still considered to be priv-lvl 15. Yes, it's counter-intuitive. For all other intents and purposes, they fully emulate Cisco devices. One thing you'll have to add to the device is this:<br>
<br>aaa authentication login privilege-mode<br><br>This tells the Foundry device to honor the enable-request for privilege escalation sent from the TACACS+ server.<br><br>Example of setting priv-lvl in service block:<br><br>
group = admin {<br> default service = permit<br> service = exec {<br> priv-lvl = 15<br> }<br>}<br>user = joe {<br> login = cleartext joe<br> member = admin<br>}<br><br>Full example Foundry AAA template:<br><br>aaa authentication login default tacacs+ enable none<br>
aaa authentication login privilege-mode<br>aaa authorization commands 0 default tacacs+ none<br>aaa authorization exec default tacacs+ none<br>aaa accounting commands 0 default start-stop tacacs+<br>aaa accounting exec default start-stop tacacs+<br>
aaa accounting system default start-stop tacacs+<br>tacacs-server host 1.2.3.4<br>tacacs-server host 2.4.6.8<br>tacacs-server key abc123<br>tacacs-server timeout 1<br>enable telnet authentication<br> <br>Good luck!<br><br>
<br><div class="gmail_quote">On Wed, Sep 2, 2009 at 11:25 AM, Jeff Wieland <span dir="ltr">&lt;<a href="mailto:wieland@purdue.edu">wieland@purdue.edu</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Our engineer reports that these switches use the privilege level<br>
backwards from Cisco -- 0 is for enable/superuser, 15 is the<br>
default for user logins. So, I'm thinking that I need a way to<br>
specify the priv-lvl on a per-device basis, or on a "service"<br>
basis assuming that I can figure out what service to use. Has<br>
anybody got one of these working?<br>
--<br>
Jeff Wieland | Purdue University<br>
Network Systems Administrator | ITN&S Data Networks<br>
Voice: (765)496-8234 | 501 Harrison Street<br>
FAX: (765)494-6620 | West Lafayette, IN 47907-2025<br>
<br>
</blockquote></div><br><br clear="all"><br>-- <br>Jathan.<br>-<br>
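<br>An added example, not part of the original message or of tac_plus: a small Python check that a device's AAA statements still match the Foundry template above. The function name audit, the severity labels and the DRIFTED config are assumptions constructed for illustration.<br>

```python
REQUIRED = [  # statement prefixes taken from the Foundry AAA template in the message
    "aaa authentication login privilege-mode",  # honor enable-request from TACACS+
    "aaa authorization exec default",
    "aaa authorization commands 0 default",
    "aaa accounting exec default",
    "aaa accounting commands 0 default",
    "tacacs-server host",
    "tacacs-server key",
]

def audit(config_text):
    """Return (severity, message) findings for one device's AAA statements."""
    stmts = [" ".join(raw.split()) for raw in config_text.splitlines() if raw.strip()]
    findings = []
    for prefix in REQUIRED:
        if not any(s == prefix or s.startswith(prefix + " ") for s in stmts):
            findings.append(("error", "missing: " + prefix))
    for s in stmts:
        if s.startswith("aaa authentication login default "):
            methods = s.split()[4:]
            if methods[0] != "tacacs+":
                findings.append(("error", "tacacs+ is not the first login method"))
            if methods[-1] == "none":
                # 'none' permits the login without authentication once it is reached.
                findings.append(("warn", "login method list ends in 'none'"))
            break
    else:
        findings.append(("error", "missing: aaa authentication login default"))
    return findings

# The template from the message, then a constructed copy with two lines lost.
TEMPLATE = """\
aaa authentication login default tacacs+ enable none
aaa authentication login privilege-mode
aaa authorization commands 0 default tacacs+ none
aaa authorization exec default tacacs+ none
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+
tacacs-server host 1.2.3.4
tacacs-server host 2.4.6.8
tacacs-server key abc123
tacacs-server timeout 1
enable telnet authentication
"""
DRIFTED = "\n".join(l for l in TEMPLATE.splitlines()
                    if "privilege-mode" not in l and "accounting commands" not in l)
if __name__ == "__main__":
    print(audit(TEMPLATE), audit(DRIFTED), sep="\n")
```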