topic ACS Read Only Device Access in Network Access Control

ACS Read Only Device Access

dtom — Mon, 11 Mar 2019 00:27:28 GMT

We are using ACS ver 4.2 and trying to setup users with limited access to our switchs and routers. Here is what we did:

1) Created a user in ACS

2) Create Shell command Autorization Set - ReadOnly

Unmatched Commands - Deny

Commands Added

show

exit

* this should limit the user to the show and exit command only (correct)?

3) Created a group - HelpDesk with the following TACACS+ Settings

Shell (exec) is checked

Priviledge level is check with 15 as the assigned level

Assign a Shell Command Authorization Set for any network device - selected

ReadOnly - shell command autorization set seleted

When the user logs on to the router/switch it appears that he has full access. He can enter the enable command, config terminal command, etc. All we want him to be able to do is to issue the show command.

Any help would be appreciated.

Re: ACS Read Only Device Access

aneelaka — Fri, 01 Oct 2010 23:53:40 GMT

Can you refer to this doc

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

and compare the config, as far you say ACS config sounds correct on the switch/router you need to have the following command also

aaa authorization config-commands
aaa authorization commands 0 default  group tacacs+ local
aaa authorization commands 1 default  group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

ACS Read Only Device Access

dtom — Fri, 26 Apr 2013 18:34:56 GMT

Is there any way to give priviledge level 15 and deny write access (write command)?

ACS Read Only Device Access

Jatin Katyal — Fri, 26 Apr 2013 19:32:15 GMT

Yes.

You can try this: Privilege for read-only access

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#scenario2

Jatin Katyal

- Do rate helpful posts -

ACS Read Only Device Access

dtom — Fri, 26 Apr 2013 20:39:17 GMT

I tried that and could not get it to work.

I tried the following:

- 1 -

Shell Command Authorization Set

Deny

Unmatched Commands - show

Permit Unmatched Args - checked

Enable Options

Max Privilege for any AAA client - 1

Tacacs+

Shell Command - checked

Privilege level - 1

With the above, the user did not have the ability to do sh run. The user could not turn on privilege commands (enable) - access denied

- 2 -

Shell Command Authorization Set

Deny

Unmatched Commands - show

Permit Unmatched Args - checked

Enable Options

Max Privilege for any AAA client - 15

Tacacs+

Shell Command - checked

Privilege level - 15

With the above, the user had full read/write rights

Any other thoughts?

ACS Read Only Device Access

Jagdeep Gambhir — Fri, 26 Apr 2013 21:30:40 GMT

Dtom,

You need to give privilege 15 to both type of users. Now giving priv 15 does not mean that read-only user will be able to get full access. Command authorization work above privilege level.

Set enable and shell priv to 15

Rest your setting is all ok.

Regards,

~JG

Do rate helpful posts

ACS Read Only Device Access

dtom — Mon, 29 Apr 2013 15:20:47 GMT

I don't know what I am missing here. When I give privilege 15 the user had full access. Here is what I did:

- 1 -

Create Shell Command Autorization Sets - Read_Access

Deny - checked

Unmatched Commands - show

Permit Unmatched Args - checked

- 2 - Create Group - HelpDesk

Enable Options - Max Privlege for any AAA Client 15

Shell (exec) - checked

Shell Command Authorization Set - Assign a Shell Command Set for any network device- Read_Access

- 3 - User Settings

Group to which user is assigned HelpDesk

TACACS+ Enable Control - Use Group Level Settings

Shell Comand Authorization Set - As Group

ACS Read Only Device Access

edwjames — Mon, 29 Apr 2013 15:29:08 GMT

Hi,

Are you sure you have this on the device (Switch/Router)?

aaa authorization config-commands
aaa authorization commands 0 default  group tacacs+ local
aaa authorization commands 1 default  group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

If possible attach a screenshot of the configuration on ACS.

Rate if it helps

ACS Read Only Device Access

dtom — Mon, 29 Apr 2013 16:07:04 GMT

Here is my switch AAA config:

aaa authentication login default group tacacs+ local

aaa authorization config-commands

aaa authorization exec default group tacacs+ local

aaa authorization commands 0 defalt group tacacs+ local

aaa authorization commands 1 defalt group tacacs+ local

aaa authorization commands 15 defalt group tacacs+ local

aaa accounting commands 15 default start-stop group tacacs+

Here are screen shots for a user - robin.hood

ACS Read Only Device Access

edwjames — Mon, 29 Apr 2013 16:17:09 GMT

Hi,

As per your configuration:

aaa authorization commands 0 defalt group tacacs+ local

aaa authorization commands 1 defalt group tacacs+ local

aaa authorization commands 15 defalt group tacacs+ local

All three lines have:

"defalt instead of default"

I am not sure if you just typed it wrong over here, if this is what you really have, then the IOS will consider this as the method list and will expect you to apply it on the vty or console lines (which is not mandatory, but it will not work until you apply it)

You have to use default, if you don't want method lists.

Rate if useful

ACS Read Only Device Access

dtom — Mon, 29 Apr 2013 18:24:28 GMT

What a dummy I am...typo. I changed the commands and I was able to login and run the show run command. However, I was not able to run exit and dir. What am I missing here? Here is a screen shot:

ACS Read Only Device Access

Jatin Katyal — Mon, 29 Apr 2013 18:29:58 GMT

you also need to add permit for exit and dir on the permit unmatched Args.

You may check permit unmatched Args this option for exit and dir

Jatin Katyal

- Do rate helpful posts -

ACS Read Only Device Access

dtom — Mon, 29 Apr 2013 20:21:11 GMT

That was it. Thanks.

So, what is the easiest way to restrict a user to access only a certain device or certain subnet only?

ACS Read Only Device Access

Jatin Katyal — Mon, 29 Apr 2013 20:29:04 GMT

Read this doc:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

Jatin Katyal

- Do rate helpful posts -