topic How assign privelege enable in Network Access Control

How assign privelege enable

michaelreidman — Sun, 10 Mar 2019 23:54:02 GMT

Hello

I have configured privilege 15 on ACS 4.2 (Tacacs + ) but when user connect to network devise he always receives only < mode

What can be a problem ?

On switch configured "aaa authorization commands 15 default group users local

Re: How assign privelege enable

Jatin Katyal — Thu, 21 Jan 2010 17:41:56 GMT

Michael,

ACS settings is correct. You only need to replace the command authorization command with exec authorization on the switch..

aaa authorization exec default group tacacs local -------------------------(in case we have tacacs server)

aaa authorization exec default local --------------------------(if we have local user database)

HTH

Regards,

Jatin

Plz rate helpful posts-

Re: How assign privelege enable

michaelreidman — Mon, 25 Jan 2010 13:22:11 GMT

Hi Thanks a lot for your response.

I have added : following commands on network device and it solved problem

aaa authorization commands 15 default group users local

aaa authorization commands 0 default group users local

aaa authorization commands 1 default group users local

i use privilege 15.

On this privilege i permit specific show commands only.

The rest commands have to be denied

Unfortunately "write" command on same profile works from some reason

Re: How assign privelege enable

Ganesh Hariharan — Tue, 26 Jan 2010 07:41:03 GMT

Hi Thanks a lot for your response.
I have added : following commands on network device and it solved problem
                            aaa authorization commands 15 default group users local 
                            aaa authorization commands 0 default  group users local
                    aaa authorization commands 1 default  group users local
i use privilege  15.
On this privilege i permit specific show commands only.
The rest commands have to be denied
Unfortunately "write" command on same profile works from some reason

Hi Michael,

Few configuration needs to be done once user get authenticated via ACS 4.2 and need to have following access to commands only,check out the below link for configuration in ACS 4.2 with cisco router authorization.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_guide_chapter09186a00801fd7cb.html#wp676420

Hope to help !!

If helpful do rate the valauble post.

Ganesh.H

Re: How assign privelege enable

michaelreidman — Tue, 26 Jan 2010 09:52:41 GMT

Hello Ganesh,

Thanks a lot for your response

I have configured on ACS following :

1.Priv 15

2.On shell i have permitted only matched commands. (Show commands and variants of show commands)

Other (unmatched) commands should be blocked

From some reason i able perform "Write" command.

Other serious commands are blocked (debug, conf t ,reload etc)

What can be my problem ?

Best Regards

Re: How assign privelege enable

Jatin Katyal — Tue, 26 Jan 2010 10:54:43 GMT

Hi Michael.

Please provide me the screen shot of shell command authorization > command set.

If you only want to allow "Show" commands

This is what you should have on the ACS:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#scenario2

On the devices you should have below listed commands.

aaa new-model

aaa authorization commands 0 default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#rou

HTH

Regards,

Plz rate helpful posts-

Re: How assign privelege enable

michaelreidman — Tue, 26 Jan 2010 11:42:10 GMT

Hello JK,

Thanks for response again.

On shell i have following rubrics :

Unmatched commands : show

Deny

Permit unmatched Arys : V

Permit run

Permit Inter

Again problem is only with Write command.

Other dangerous commands blocked

Only show run and show int are works

Re: How assign privelege enable

darpotter — Thu, 28 Jan 2010 10:07:56 GMT

From your config I cant tell if you have unmatched commands permitted or denied. To start with have unmatched commands = deny. Any commands not explicitly permitted should then fail.

If you have unmatched commands or argument = deny, you then need to list those that are permitted, and vice versa. No point in setting unmatched = deny then listing some that are denied!

unmatched cmds = deny, unmatched args = permit

permit show

permit ping

Re: How assign privelege enable

michaelreidman — Thu, 28 Jan 2010 15:15:23 GMT

Hello

Thanks a lot for your response.

I have following :

show permit int

permit ver

write deny mem

deny .....

So other should be blocked (denied)

I have problem with Only "write" command

Other commands included (write memory and all other variants) are blocked successfully

Best Regards

Re: How assign privelege enable

darpotter — Fri, 29 Jan 2010 11:07:21 GMT

You've not mentioned what the umatched args setting is, but Im assuming this

unmatched cmds = deny

permit cmd "write" (unmatched args = permit)

deny arg "mem"

deny arg "another"

This would deny "write mem" and "write another" but nothing else. Now remember that the command authorisation is case sensitive and not wildcarded, so if you entered the command "write memory" in would get authorised, as would "write".

Looking back at your original post you said the problem was that the "write" command was being authorised when it shouldnt. In that case the authorisation should be this

unmatched cmd = deny

permit cmd "show" (unmatched args = deny)

permit arg "a"

permit arg "b"

This is the correct profile to allow "show a" and "show b" ONLY - no other cmds will authorise. If they do there must be something else going on outside of ACS I suspect.