command authorization / shell command authorization:

-------------------------------------------
Follow the following steps over the NAS:
-------------------------------------------

!--- is the desired username
!--- is the desired password
!--- We create a local username and password in case we are not able to get authenticated via our tacacs+ server, to provide a back door.
username password privilege 15

!--- To apply the aaa model over the NAS
aaa new-model

!--- To get users authenticated via ACS when they try to log in. If our NAS is unable to contact ACS, then we will use the local username & password that we created above. This prevents us from locking ourselves out.
aaa authentication login default group tacacs+ local

!--- To get access to privilege mode the user must use the password associated with the user account on ACS. If somehow the NAS is not able to contact ACS, then we can use the enable password configured over the NAS.
aaa authentication enable default group tacacs+ enable

!--- Authorize the exec shell and commands at privilege levels 0, 1 and 15 via ACS, falling back to the local database if ACS is unreachable. 'config-commands' extends command authorization to configuration-mode commands.
aaa authorization exec default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

!--- The following commands are for accounting the user's activity while the user is logged into the device.
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

!--- The following command specifies our ACS server location, where is the ip-address of the ACS server, and is the key that must be the same on the ACS and the NAS.
tacacs-server host key

--------------------
Configuration on ACS
--------------------

[1] Go to 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'. Provide any name for the set.
Provide a sufficient description (if required).
(a) For the Full Access administrative set: in Unmatched Commands, select 'Permit'.
(b) For the Limited Access set: in Unmatched Commands, select 'Deny'. In the box above the 'Add Command' button type in the main command, and in the box below 'Permit unmatched Args' provide the sub commands to allow.

For example, if we want the user to be able to access only the following commands:

login
logout
exit
enable
disable
show

then the configuration should be:

-----------------------------------------------
Command         Permit unmatched Args / Arguments
-----------------------------------------------
login           permit
logout          permit
exit            permit
enable          permit
disable         permit
configure       permit terminal
interface       permit ethernet
                permit 0
show            permit running-config
------------------------------------------------

In the above example, the user will be allowed to run only the above commands. If the user tries to execute 'interface Ethernet 1', the user will get 'Command authorization failed'.

[2] Press 'Submit'.
[3] Go to the group to which we want to apply this command authorization set. Select 'Edit Settings'.
[4] From the 'Jump To' menu, select 'TACACS+'.
[5] Check 'Shell (exec)' and 'Privilege level', with the privilege level value set to '15'.
[6] Under 'Shell Command Authorization Set', check 'Assign a Shell Command Authorization Set for any network device' and from the drop-down menu select the authorization set to be applied to the group.
[7] Press 'Submit + Restart'.

###############################
Adding the TACACS+ AAA Client :
###############################

[Step 1] Select Network Configuration.
Note: If you are using Network Device Groups (NDGs), you must also click the name of the NDG that you want to add the AAA client entry to.
[Step 2] Under the AAA Clients table, select Add Entry. The Add AAA Client page appears.
[Step 3] Configure the boxes, list, and check boxes on the Add AAA Client page as follows:
• AAA Client Hostname: type the hostname plus the AAA protocol, e.g. NAS01-tacacs.
• AAA Client IP Address: the IP address of the interface of the NAS from which Cisco Secure ACS will receive RADIUS requests.
• Key: the same key specified on the NAS for the TACACS+ server.
• Authenticate Using: select TACACS+ (Cisco IOS).
[Step 4] Select 'Submit + Restart'.

Make sure that the user defined is associated with the group configured above.
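As an added example (not part of the original page, and not Cisco's own matcher), the following Python models the limited-access shell command authorization set shown above with simplified ACS semantics, so that the effect of a set can be checked before it is assigned to a group. Exact, case-insensitive token matching and the dict layout are assumptions.

```python
"""Model of a Cisco Secure ACS shell command authorization set.
Added example, not code from the page or from Cisco: it replays the
limited-access set above to show which IOS command lines pass."""

# The limited-access set from the page, in a constructed dict form.
# Argument rules are written ACS-style, "permit <token>" / "deny <token>",
# one token per line. permit_unmatched_args mirrors the ACS check box.
LIMITED_SET = {
    "unmatched_commands": "deny",          # Unmatched Commands = Deny
    "commands": {
        "login":     {"args": []},
        "logout":    {"args": []},
        "exit":      {"args": []},
        "enable":    {"args": []},
        "disable":   {"args": []},
        "configure": {"args": ["permit terminal"]},
        "interface": {"args": ["permit ethernet", "permit 0"]},
        "show":      {"args": ["permit running-config"]},
    },
}


def authorize(cmdline, authset=LIMITED_SET):
    """Return ("permit" | "deny", reason) for one IOS command line.

    Simplified ACS semantics (assumption, not the vendor's exact matcher):
    the first token is the command; if it is not in the set, the Unmatched
    Commands policy applies. Every argument token must then be covered by
    a 'permit' line; a 'deny' line, or an uncovered token while
    permit_unmatched_args is False, fails the whole line. Tokens are
    compared case-insensitively, as IOS commands are.
    """
    tokens = cmdline.split()
    if not tokens:
        return "deny", "empty command line"
    cmd, args = tokens[0].lower(), tokens[1:]
    entry = authset["commands"].get(cmd)
    if entry is None:
        return authset["unmatched_commands"], f"'{cmd}' is not in the set"
    rules = [(line.split(None, 1) + [""])[:2] for line in entry["args"]]
    for arg in args:
        verdicts = [act for act, pat in rules if pat.lower() == arg.lower()]
        if not verdicts:
            if entry.get("permit_unmatched_args", False):
                continue
            return "deny", f"argument '{arg}' is not permitted"
        if verdicts[0] == "deny":
            return "deny", f"argument '{arg}' is explicitly denied"
    return "permit", "command and all arguments permitted"


if __name__ == "__main__":
    for line in ("show running-config", "interface ethernet 0",
                 "interface Ethernet 1", "show version", "debug all"):
        print(f"{line!r:24} -> {authorize(line)}")
```

Running it shows 'interface Ethernet 1' denied on the token '1' while 'interface ethernet 0' passes, matching the 'Command authorization failed' behaviour described above.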