topic Re: ACS 4.2 Shell Command Authorization Set permissions in Network Access Control

ACS 4.2 Shell Command Authorization Set permissions

nathan demers — Mon, 11 Mar 2019 03:58:20 GMT

I know that 4.2 is pretty old but it could be relevant in future versions with 5.3 and ISE. I dont know.

Topic: Implementing (permitting) subcommands under an Authorization Set.

This was somehwat difficult for me to get working for the final step that I wanted. That was to Allow FastEthernet interfaces to be allowed by the help desk and deny GigabitEthernet. Reasoning being is all Gigabit ports are reserved for trunking.

How I was able to solve this issue.

SWITCH

Previous AAA settings on 3750 switch

aaa new-model

aaa group server tacacs+ CSACS

aaa authentication login default group CSACS local

aaa authentication enable default group CSACS enable

aaa authorization exec default group CSACS local

aaa authorization commands 15 default group CSACS local

aaa accounting commands 15 default start-stop group CSACS

aaa session-id common

Added command on switch

aaa authorization config-commands

This allows you to specify individual commands (to my understanding).

ACS

Shell Command Authorization Set

If you want to allow fastethernet and deny gigabitethernet then do the following

COMMAND

interface

ARGUMENT

permit FasEthernet (case-sensitive!!!!!!)

To allow switchport commands: switchport mode access and switchport access vlan denying explicitly switchport mode trunk.

COMMAND

switchport

ARGUMENT

deny mode trunk

permit mode access

permit access vlan

Items to consider:

1. User settings trump group settings so if you give someone priviledge level 15 in their user settings instead of following group settings then they have acess to everything.)

2. shell exec needs to be turned on for user and group

3. The five ITEMS in 4.2 that you need to look at.

User Setup

Advanced TACACS+ Settings

TACACS+ Enable Password

Shell (exec) (RIGHT ABOVE ----> Shell Command Authorization Set)

Shell Command Authorization Set

Good luck.

ACS 4.2 Shell Command Authorization Set permissions

Jatin Katyal — Tue, 08 Oct 2013 08:12:46 GMT

Thanks for sharing your findings. It would be great if you can add a screen shot of the shared profile component > command authorization set. It would surely help community users to understand it better.

~BR
Jatin Katyal

**Do rate helpful posts**

Re: ACS 4.2 Shell Command Authorization Set permissions

johnnylingo — Fri, 08 Nov 2013 19:52:45 GMT

Thanks for the post. I'm have a similar requirement using Secure ACS 5.4. Configuration on the switch:

aaa group server tacacs+ CISCOACS

server 1.2.3.4

server 5.6.7.8

aaa authentication login default group CISCOACS local

aaa authentication enable default group CISCOACS none

aaa authorization config-commands

aaa authorization exec default group CISCOACS local

aaa authorization commands 15 default group CISCOACS local

aaa accounting exec default start-stop group CISCOACS

aaa accounting commands 15 default start-stop group CISCOACS

In ACS, I want to let a certain class of users change the vlan for Gigabit ports, but not 10GB. I first create this command set:

Then I add a line to the Device Admin authorization policy: