topic Re: AAA Authorization in Network Access Control

AAA Authorization

thomasandy32 — Mon, 11 Mar 2019 00:38:35 GMT

Hello

If i want to allow certain commands for a user on switch with privilege level 2,,Do i have to create the user in local database on switch as well as in ACS ?????? I dont think so , Correct me if i m wrong???
If i have specified privilege level 2 command in switch i dont need to specify in shell command set????? correct me if i m wrong??
If i have specify in shell command set then i dont need to specify in switch ???? correct me if i m wrong?

Please answer above 3 queries.

I facing issues in authorization,This is the below what i have done.

i have created a local user in ACS 5.0 and
i have assigned hin to identity groups of admin,
i have assigned him to all Access switches Device type
Access Policies>default Device admin>authorization i created a privilege level of 15 and assigned to it.
I m facing issues with admin privilege i have given a privilege 15 in authorization profile but still a user created with the following command username XXX privilege 15 password cisco is been prompt for enable secret password

Re: AAA Authorization

Panos Kampanakis — Thu, 09 Dec 2010 21:48:14 GMT

To try to answer your questions

If i want to allow certain commands for a user on switch with privilege level 2,,Do i have to create the  user in local database on switch as well as in ACS ?????? I dont think so ,   Correct me if i m wrong???

Correct, you don't need to

    2 If i  have  specified privilege level 2  command in switch i dont need to specify in shell command set????? correct me if i m wrong??

If you have move a command under priv 2 and a user is priv 2 he will be able to use it. You need to have command authorization enabled of course.

    3 If i have specify in shell command set then i dont need to specify in switch ???? correct me if i m wrong?

I am not sure what you mean.

I hope it helps a little.

Re: AAA Authorization

thomasandy32 — Thu, 09 Dec 2010 22:07:43 GMT

Hello,

I want to all the below commands

privilege exec level 2 undebug all
privilege exec all level 2 debug

i want to configure in ACS,I have routed to Policy elements>Device Administration>Command Set and i have created it and i have assigned a command set to identity group but the users are not able to execute these commands????? Please have a look in the attached.

2) I have created a shell profile with privi level 15 but user are prompt to type enable secret password, when they are in privi level 15 then why they are prompted again for enable secret????

Thanks

Re: AAA Authorization

cadet alain — Fri, 10 Dec 2010 10:10:12 GMT

Hi,

2) I have created a shell profile with privi level 15 but user are prompt to type enable secret password, when they are in privi level 15 then why they are prompted again for enable secret????

I found the answer for this question here on this forum: https://supportforums.cisco.com/message/621198

Regards.

Re: AAA Authorization

thomasandy32 — Fri, 10 Dec 2010 20:02:23 GMT

Hello cadetalain

Thanks for effort for providing me the link, but unfortunately the solution doen't work for me,Strange the user with privilege 2 is placed in privilege exec level 2 (Switch#) mode but user who try to login by privilege 15 they are place in user exec mode.

Also the command authorization is not working for privilege level 2 users???

Waiting for answers Experts

Re: AAA Authorization

thomasandy32 — Wed, 15 Dec 2010 19:40:22 GMT

Hello Dears,

Can anybody help me for user privileges atleast. I have stuck in this problem from very long time. please have a look on the attached in above mail's

Thanks.

Re: AAA Authorization

cadet alain — Wed, 15 Dec 2010 19:43:03 GMT

Hi,

Maybe you can post debug aaa authorization and debug aaa authentication.

Did you try with local database only? If so did you get same result?

Regards.

Alain.

Re: AAA Authorization

thomasandy32 — Wed, 15 Dec 2010 20:22:46 GMT

Hello,

With local authentication and authorization it is very fine, but when i remove command from switch to do authentication and authorization it does'nt.work with ACS server.

Thanks

Re: AAA Authorization

cadet alain — Thu, 16 Dec 2010 10:44:02 GMT

Hi,

Maybe it's a stupid question but as I said before I never used ACS appliance but only 4.x on 2k3, didn't you forget to tick checkbox in your last bmp included in your rar file? because I read below that default is enabled if no match.

But I think debug authentication and authorization could be useful.

Regards.

Alain.

Re: AAA Authorization

thomasandy32 — Fri, 17 Dec 2010 20:33:05 GMT

Hello,

I m trying to login by user cisco with privilege 2 on ACS, privilege level 2 is accepted but not the commands that i have allowed for privilege level 2 in ACS??????

Please help. Below is the output for debug aaa authentication and debug aaa authorization.

Dec 18 00:22:42.779: AAA/AUTHEN/START (689535616): port='tty2' list='XXX' action=LOGIN service=LOGIN
Dec 18 00:22:42.779: AAA/AUTHEN/START (689535616): found list XXX
Dec 18 00:22:42.779: AAA/AUTHEN/START (689535616): Method=tacacs+ (tacacs+)
Dec 18 00:22:42.782: TAC+: send AUTHEN/START packet ver=192 id=689535616
Dec 18 00:22:42.999: TAC+: ver=192 id=689535616 received AUTHEN status = GETUSER
Dec 18 00:22:42.999: AAA/AUTHEN (689535616): status = GETUSER
Dec 18 00:22:47.117: AAA/AUTHEN/CONT (689535616): continue_login (user='(undef)')
Dec 18 00:22:47.117: AAA/AUTHEN (689535616): status = GETUSER
Dec 18 00:22:47.117: AAA/AUTHEN (689535616): Method=tacacs+ (tacacs+)
Dec 18 00:22:47.117: TAC+: send AUTHEN/CONT packet id=689535616
Dec 18 00:22:47.319: TAC+: ver=192 id=689535616 received AUTHEN status = GETPASS
Dec 18 00:22:47.319: AAA/AUTHEN (689535616): status = GETPASS
Dec 18 00:22:55.220: AAA/AUTHEN/CONT (689535616): continue_login (user='cisco')
Dec 18 00:22:55.220: AAA/AUTHEN (689535616): status = GETPASS
Dec 18 00:22:55.220: AAA/AUTHEN (689535616): Method=tacacs+ (tacacs+)
Dec 18 00:22:55.220: TAC+: send AUTHEN/CONT packet id=689535616
Dec 18 00:22:55.425: TAC+: ver=192 id=689535616 received AUTHEN status = PASS
Dec 18 00:22:55.425: AAA/AUTHEN (689535616): status = PASS
Dec 18 00:22:55.427: tty2 AAA/AUTHOR/EXEC (2575095510): Port='tty2' list='' service=EXEC
Dec 18 00:22:55.427: AAA/AUTHOR/EXEC: tty2 (2575095510) user='cisco'
Dec 18 00:22:55.427: tty2 AAA/AUTHOR/EXEC (2575095510): send AV service=shell
Dec 18 00:22:55.427: tty2 AAA/AUTHOR/EXEC (2575095510): send AV cmd*
Dec 18 00:22:55.427: tty2 AAA/AUTHOR/EXEC (2575095510): found list "default"
Dec 18 00:22:55.427: tty2 AAA/AUTHOR/EXEC (2575095510): Method=tacacs+ (tacacs+)
Dec 18 00:22:55.427: AAA/AUTHOR/TAC+: (2575095510): user=cisco
Dec 18 00:22:55.427: AAA/AUTHOR/TAC+: (2575095510): send AV service=shell
Dec 18 00:22:55.430: AAA/AUTHOR/TAC+: (2575095510): send AV cmd*
Dec 18 00:22:55.655: TAC+: (2575095510): received author response status = PASS_ADD
Dec 18 00:22:55.655: AAA/AUTHOR (2575095510): Post authorization status = PASS_ADD
Dec 18 00:22:55.655: AAA/AUTHOR/EXEC: Processing AV service=shell
Dec 18 00:22:55.655: AAA/AUTHOR/EXEC: Processing AV cmd*
Dec 18 00:22:55.658: AAA/AUTHOR/EXEC: Processing AV priv-lvl=2
Dec 18 00:22:55.658: AAA/AUTHOR/EXEC: Authorization successful

Re: AAA Authorization

cadet alain — Fri, 17 Dec 2010 23:17:46 GMT

Hi,

When this happens you have disabled privilege level 15 on line?

Have you put aaa authorization method on line?

Sorry but I don't know if you have changed things since first day.

Regards.

Alain.

Re: AAA Authorization

estelamathew — Sat, 18 Dec 2010 18:28:11 GMT

Hello Alain,

Me too facing the same problem, We need somebody who has played on ACS 5.0 like a game

I have not enabled aaa authorization on line, it is enabled globally on switch with command aaa authorization exec default group tacacs+, When a specific user with privilege level 2 login he is directly placed in Privilege mode of level 2 BUT he is not able to do authorization of the commands what i have enabled for level 2.

Thanks.

Re: AAA Authorization

thomasandy32 — Sun, 26 Dec 2010 19:25:49 GMT

hello Experts,

Is there nobody who can solve my authorization problem????? pls pls sugggest where i m doing wrong.

Thanks.

Re: AAA Authorization

Eduardo Aliaga — Tue, 28 Dec 2010 00:12:25 GMT

If you have ACS then It's not recommended to use router local user database. The same way, if you're using "Command Sets" then you shouldn't use "IOS privileges" at all. "IOS privileges" was never a good tool to do authorization, and it's an ancient tool now.

So my recommendation is to delete "privilege" commands from your switch and to leave your "Shell profile" to the defaults. Only use "command sets".

I only use "shell profiles " when using Cisco ACE modules, Cisco Nexus, Cisco CRS or Juniper routers, because they have a different TACACS+ approach than traditional Cisco routers and switches.

Also please upgrade to ACS 5.1 or ACS 5.2, they're far more mature product than ACS 5.0.

By the way, you also mentioned the following

#################

2) I have created a shell profile with privi level 15 but user are prompt to type enable secret password, when they are in privi level 15 then why they are prompted again for enable secret????

#################

I just did a test using ACS 5.1 and Catalyst 6500 and shell profiles with privilege level 15 worked OK without being prompted for enable secret.

Re: AAA Authorization

thomasandy32 — Thu, 06 Jan 2011 23:06:57 GMT

Hello,

So my recommendation is to delete "privilege" commands from your switch and to leave your "Shell profile" to the defaults. Only use "command sets".

There are no privilege commands on switch only on ACS Once i remove the privilege level the user is not able to move in privilege mode (#) he is exec mode (>)

Also please upgrade to ACS 5.1 or ACS 5.2, they're far more mature product than ACS 5.0

As i have been to install and upgrade guide,it says in Step No 2: Install ACS 5.1 using the recovery DVD. where i will find this recovery DVD.??????

I just did a test using ACS 5.1 and Catalyst 6500 and shell profiles with privilege level 15 worked OK without being prompted for enable secret

Can u send me the steps,what u did,May i m missing something