topic Re: aaa authorization config in Network Access Control

aaa authorization config

ZogoHUN01 — Wed, 27 Mar 2019 09:12:07 GMT

Dear Friends,

Can somebody explain me clearly what will make this config?

aaa new-model
 aaa authorization command 15 group tacacs+ none
 no aaa authorization config-commands

What will be the result when a user step into this device?

Re: aaa authorization config

balaji.bandi — Wed, 27 Mar 2019 13:49:29 GMT

here is some example behaviours :

http://www.dslreports.com/faq/9815

Re: aaa authorization config

Josiane de Barros Silva — Tue, 02 Apr 2019 01:20:10 GMT

ZogoHUN01

command to create a new TACACS authentication template.
Authorization has been defined with level 15 and the group tacacs this as (none) is not being assigned to any group.
EXAMPLE:
aaa new-model
aaa authorization config-commands
aaa authorization commands 0 default group tacacs + local
aaa authorization commands 1 default group tacacs + local
aaa authorization commands 15 default group tacacs + local
tacacs-server host 10.1.1.1
tacacs-server key cisco123

Best Regards,

Josiane

Twitter:@securegirlninja

Re: aaa authorization config

Mike.Cifelli — Tue, 02 Apr 2019 15:15:26 GMT

Are you using ISE? If you are you can configure shell profiles to push priv authorization to end users. If not, here are two examples of aaa authorization commands that will yield different priv results:

aaa authorization commands 1 group tacacs+ local (priv 1)
aaa authorization commands 15 group tacacs+ local (priv 15)

Using ISE to push shell profile aaa config example:

aaa authorization network group tacacs+ local
aaa authorization configuration group tacacs+ local

Note that the aaa statements are subject to change based on if you use named groups, etc. HTH!

Re: aaa authorization config

ZogoHUN01 — Tue, 02 Apr 2019 19:30:40 GMT

Please read my answer which I wrote to Mike

Re: aaa authorization config

ZogoHUN01 — Tue, 02 Apr 2019 19:29:45 GMT

Thanks for your responses!

Isn't there a contradiction between the two authorization commands?

The first row gives full warrant while the second row only permits config commands?

I think the order of these commands important!
So, as a result, we have only permit for config commands at the end.

Am I right?

Re: aaa authorization config

Josiane de Barros Silva — Tue, 02 Apr 2019 21:02:02 GMT

Hi @ZogoHUN01

Other Example:

1- Create a local user with full privilege for fallback with the username command as shown here.

username cisco privilege 15 password cisco

2. Enable aaa new-model. Define TACACS server ISE, and place it in the group ISE_GROUP.
aaa new-model
tacacs server ISE
address ipv4 10.48.17.88
key cisco
aaa group server tacacs+ ISE_GROUP
server name ISE

3-Test the TACACS server reachability with the test aaa command as shown.

Router#test aaa group tacacs+ admin Krakow123 legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

4. Configure login and enable authentications and then use the exec and command authorizations as shown.

aaa authentication login AAA group ISE_GROUP local
aaa authentication enable default group ISE_GROUP enable
aaa authorization exec AAA group ISE_GROUP local
aaa authorization commands 0 AAA group ISE_GROUP local
aaa authorization commands 1 AAA group ISE_GROUP local
aaa authorization commands 15 AAA group ISE_GROUP local
aaa authorization config-commands

Rule applied to a vty
4. Configure login and enable authentications and then use the exec and command authorizations as shown.
line vty 0 4
authorization commands 0 AAA
authorization commands 1 AAA
authorization commands 15 AAA
authorization exec AAA
login authentication AAA

Re: aaa authorization config

Josiane de Barros Silva — Thu, 04 Apr 2019 12:57:41 GMT

Hi @ZogoHUN01 
Did I get to answer your question?