topic Re: Filtering Priv 15 commands ! in Network Access Control

Filtering Priv 15 commands !

illusion_rox — Sun, 10 Mar 2019 23:30:52 GMT

hi all, can i filter priv 15 configuration commands using ACS 3.3 ?. Suppose i want

"interface tunnel" command to be filtered so that any of my user in priv 15 is not able to use this command !!

is this possible using acs 3.3 ?

Re: Filtering Priv 15 commands !

Jagdeep Gambhir — Fri, 29 May 2009 19:33:59 GMT

Trick here is to give all user a priv 15 and then define command authorization set as per your need.

Giving priv 15 does not mean that user will able to execute all commands. You can set up authorization set and allow only specific commands you want user should be able to execute.

This is what you need on IOS device,

Router(config)# username [username] password [password]

tacacs-server host [ip]

tacacs-server key [key]

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands

On acs bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field

Please see this link,

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Regards,

~JG

Do rate helpful posts

Re: Filtering Priv 15 commands !

illusion_rox — Mon, 01 Jun 2009 07:29:46 GMT

Dear Sir, can you tell me how to perform local authorization ? if i dont have an external server then how can use local authorization to restrict the usage of commands on per user basis ?

Kindly guide me in this

Re: Filtering Priv 15 commands !

Jagdeep Gambhir — Tue, 02 Jun 2009 13:28:57 GMT

Hi ,

Please see this link, you can change the privilege of any command.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml

Regards,

~JG

Do rate helpful posts

Re: Filtering Priv 15 commands !

illusion_rox — Wed, 03 Jun 2009 03:08:48 GMT

Dear JG, its so good to see you. thanks a lot for looking into this. Sir i know how to change the priv of any command. kindly look into my task pls

I want to assign a user priv 4.

I want him to run ONLY AND ONLY "show interfaces", restricting ALL OTHER COMMANDs, EACH AND EVERY COMMAND should be restricted. User in priv 4 should run only "show interfaces" and for exiting "exit" command. Thats it, no other commands should be available to him.

Sir kindly tell me is this possible ? can you provide me some sample configuration to achieve this task ?

NOte: i dont want to use any external server for this task. Just local authorization.

Re: Filtering Priv 15 commands !

Jagdeep Gambhir — Wed, 03 Jun 2009 14:05:47 GMT

You need this command

privilege exec level 4 show interfaces

Then increase a priv lvl of rest of the commands with priv lvl 0 and 1

privilege level 0 - Includes the disable, enable, exit, help, and logout commands.

privilege level 1 - Normal level on Telnet; includes all user-level commands at the router> prompt.

Regards,

~JG

Do rate helpful posts