topic Re: AAA command authorization in Network Access Control

AAA command authorization

costin.vilcu — Sun, 10 Mar 2019 22:00:37 GMT

Hi everyone,

can someone tell me how to i configure a router() and the ACS 4.1 to only permit some commnads for some users. To be more specific i want to know how will i configure it to let some users issue just the "shutdown" and "no shutdown" commands on interfaces?

I already configured the ACS and the router not to allow some users issue the "configure" commnand and it works, but this "shut, no shut" thing is more tricky...

thanks in advance

Re: AAA command authorization

daviddtran — Mon, 26 Feb 2007 16:41:23 GMT

I am not an expert with Cisco ACS 4.1 (even

though I have one running the production

environment). I have love-hate relationship

with windows so I am afraid to use it for

my production environment. I am much more

familiar with Cisco Freeware TACACS+.

This is what I have in my TACACS+ config:

group = advanced {

default service = deny

cmd = show { permit .* }

cmd = copy { permit flash }

cmd = copy { permit running }

cmd = ping { permit .* }

cmd = configure { permit .* }

cmd = enable { permit .* }

cmd = disable { permit .* }

cmd = telnet { permit .* }

cmd = disconnect { permit .* }

cmd = where { permit .* }

cmd = set { permit .* }

cmd = clear { permit line }

cmd = exit { permit .* }

cmd = interface { permit .* }

}

user = adv {

member = advanced

name = "Advanced User"

# login = des DJVS9kfrcLbus

}

user = $adv$ {

member = advanced

name = "Advanced User"

# login = des W/3UA7J1cz3sQ

}

Check this out when I log into the router:

Juniper>en

Password:

Juniper#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Juniper(config)#int lo0

Juniper(config-if)#shut

Command authorization failed.

% Incomplete command.

Juniper(config-if)#no shut

Command authorization failed.

% Incomplete command.

Juniper(config-if)#exit

Juniper(config)#exit

Juniper#

David

Re: AAA command authorization

costin.vilcu — Mon, 26 Feb 2007 17:05:12 GMT

Thank you David,

it works indeed, but id doesn't solve my issue;

you didn't tell me neither how to do the aaa authorization on routers for this case neither how to configure the ACS and i don't know how to match the Freeware Tacacs commands in ACS.

But thank you again

Re: AAA command authorization

daviddtran — Mon, 26 Feb 2007 18:15:50 GMT

hi,

On the Cisc0 router, the configuration is

quite simple. I will look into ACS and find

out how to do this. I guess I have to learn

how to use ACS eventually.

Below is the configuration on the router:

aaa authentication login notac none

aaa authentication login VTY group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization console

aaa authorization config-commands

aaa authorization exec notac none

aaa authorization exec VTY group tacacs+ if-authenticated none

aaa authorization commands 0 VTY group tacacs+ if-authenticated none

aaa authorization commands 1 VTY group tacacs+ if-authenticated none

aaa authorization commands 15 VTY group tacacs+ if-authenticated none

aaa authorization network VTY group tacacs+ if-authenticated none

aaa accounting exec VTY start-stop group tacacs+

aaa accounting commands 0 VTY start-stop group tacacs+

aaa accounting commands 1 VTY start-stop group tacacs+

aaa accounting commands 15 VTY start-stop group tacacs+

aaa accounting network VTY start-stop group tacacs+

aaa accounting connection VTY start-stop group tacacs+

tacacs-server host 192.168.15.10 key 7 1446405858517C

tacacs-server directed-request

line con 0

exec-timeout 0 0

authorization exec notac

accounting commands 0 VTY

accounting commands 1 VTY

accounting commands 15 VTY

accounting exec VTY

logging synchronous

line vty 0 15

exec-timeout 0 0

authorization commands 0 VTY

authorization commands 1 VTY

authorization commands 15 VTY

authorization exec VTY

accounting commands 0 VTY

accounting commands 1 VTY

accounting commands 15 VTY

accounting exec VTY

Re: AAA command authorization

costin.vilcu — Mon, 26 Feb 2007 21:37:00 GMT

Thank you, David. So that is the router part, i did it almost like you, but i didn't know that i should put all 0,1 and 15 level authorization comands, i only put "aaa authorization commands 15 default group tacacs+ if-authenticated none".

And another question if you don't mind, what is the use of the "aaa authorization config-commands" command?

thanks

Re: AAA command authorization

daviddtran — Mon, 26 Feb 2007 22:14:54 GMT

aaa authorization config-commands

This command allows you to give users comand

inside the config mode but not allowing them

from doing specific things such as "int lo0, no shut".

David