A customer has a router dedicated to a site-to-site IPSec VPN. The users of that VPN are a small group who are not directly responsible for the router. They want a way to check the status of the WAN connection and the IPSec tunnel, and also to force a clear crypto sa.
This could be solved with a looking glass but that would require a web server. An alternative solution could be a special user with a menu auto command:
My environment uses AAA with a Cisco ACS, so the special user has to be created in the internal ACS database, restricted to only that router (Per User Defined Network Access Restrictions), allowing shell (exec) access and the auto command menu VPN (TACACS+ Settings).
The router has to refer exec authorization to the ACS:
Of course, if you don’t use ACS and only use AAA with the local database, Ivan @ Cisco IOS Hints has a great example.
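A router-side sketch of the TACACS+ setup described above, as an added example that is not the original post's configuration. The interface name, server address, key placeholder and menu wording are assumptions, and it assumes the ACS assigns the special user a privilege level at which the listed commands are permitted.

```cisco
! Added example, not the author's configuration.
! Assumptions: WAN interface is GigabitEthernet0/0, the ACS is at
! 192.0.2.10 (documentation address), <shared-key> is a placeholder.
!
aaa new-model
aaa authentication login default group tacacs+ local
! Exec authorization is what lets the ACS push the auto command
! "menu VPN" to the special user at login.
aaa authorization exec default group tacacs+ local
!
tacacs-server host 192.0.2.10 key <shared-key>
!
! The menu the auto command starts. The user only ever sees these
! items; each one maps to a single fixed command.
menu VPN title ^ VPN router status ^
menu VPN prompt ^ Select an option: ^
menu VPN text 1 Show WAN interface status
menu VPN command 1 show interfaces GigabitEthernet0/0
menu VPN text 2 Show IKE (phase 1) status
menu VPN command 2 show crypto isakmp sa
menu VPN text 3 Show IPSec tunnel status
menu VPN command 3 show crypto ipsec sa
menu VPN text 4 Clear the IPSec security associations
menu VPN command 4 clear crypto sa
! "exit" ends the session. Do not offer "menu-exit" here: its
! purpose is to leave the menu for the exec prompt, which this
! user is not meant to reach.
menu VPN text 9 Log out
menu VPN command 9 exit
menu VPN clear-screen
menu VPN line-mode
menu VPN single-space
```

To check the restriction, log in as the special user and confirm that the session opens directly in the menu and closes when item 9 is chosen; debug aaa authorization on the router shows whether the exec authorization reply from the ACS was applied.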