topic Tacacs + AAA in Network Access Control https://community.cisco.com/t5/network-access-control/tacacs-aaa/m-p/386365#M433337 <P>Hi.. My name is Fabio, I work on brazil like network manager. I placed Tac_plus to work on Linux, because it is needed to restrict some users accesses to routers. In the first case where users are able to give show and config commands referring "RTR" that works well for show commands but not when user this inside config mode.</P><P></P><P> See log below. </P><P></P><P>Wed Oct 13 22:43:38 2004 10.121.9.66 test tty2 192.168.32.8 stop task_id=210 timezone=GMT-3 service=shell start_time=1097729277 priv-lvl=15 cmd=configure terminal </P><P>Wed Oct 13 22:43:48 2004 10.121.9.66 test tty2 192.168.32.8 stop task_id=211 timezone=GMT-3 service=shell start_time=1097729287 priv-lvl=15 cmd=line console 0 </P><P></P><P>see the cofig </P><P></P><P>group = users { </P><P>default service = deny </P><P>service = exec { </P><P>priv-lvl = 15 </P><P>} </P><P>} </P><P>############################## </P><P></P><P>#All services are alowed.. </P><P></P><P>user = DEFAULT { </P><P>service = ppp protocol = ip {} </P><P>} </P><P>user = test { </P><P>login = cleartext xxxx </P><P>member = users </P><P>service = exec { </P><P>priv-lvl= 15 } </P><P>cmd = enable { </P><P>permit .* } </P><P>cmd = configure { </P><P>permit "terminal" } </P><P>cmd = rtr { </P><P>permit .* } </P><P>cmd = show { </P><P>permit "rtr" </P><P>deny .* } </P><P>cmd = exit { </P><P>permit .* } </P><P>} </P><P></P><P>My problem is, in config mode the user test have a full authorization command.</P><P>Thanks...</P><P>Fábio</P><P></P> Sun, 10 Mar 2019 20:51:51 GMT fabioosantos 2019-03-10T20:51:51Z Tacacs + AAA https://community.cisco.com/t5/network-access-control/tacacs-aaa/m-p/386365#M433337 <P>Hi.. My name is Fabio, I work on brazil like network manager. I placed Tac_plus to work on Linux, because it is needed to restrict some users accesses to routers. In the first case where users are able to give show and config commands referring "RTR" that works well for show commands but not when user this inside config mode.</P><P></P><P> See log below. </P><P></P><P>Wed Oct 13 22:43:38 2004 10.121.9.66 test tty2 192.168.32.8 stop task_id=210 timezone=GMT-3 service=shell start_time=1097729277 priv-lvl=15 cmd=configure terminal </P><P>Wed Oct 13 22:43:48 2004 10.121.9.66 test tty2 192.168.32.8 stop task_id=211 timezone=GMT-3 service=shell start_time=1097729287 priv-lvl=15 cmd=line console 0 </P><P></P><P>see the cofig </P><P></P><P>group = users { </P><P>default service = deny </P><P>service = exec { </P><P>priv-lvl = 15 </P><P>} </P><P>} </P><P>############################## </P><P></P><P>#All services are alowed.. </P><P></P><P>user = DEFAULT { </P><P>service = ppp protocol = ip {} </P><P>} </P><P>user = test { </P><P>login = cleartext xxxx </P><P>member = users </P><P>service = exec { </P><P>priv-lvl= 15 } </P><P>cmd = enable { </P><P>permit .* } </P><P>cmd = configure { </P><P>permit "terminal" } </P><P>cmd = rtr { </P><P>permit .* } </P><P>cmd = show { </P><P>permit "rtr" </P><P>deny .* } </P><P>cmd = exit { </P><P>permit .* } </P><P>} </P><P></P><P>My problem is, in config mode the user test have a full authorization command.</P><P>Thanks...</P><P>Fábio</P><P></P> Sun, 10 Mar 2019 20:51:51 GMT https://community.cisco.com/t5/network-access-control/tacacs-aaa/m-p/386365#M433337 fabioosantos 2019-03-10T20:51:51Z Re: Tacacs + AAA https://community.cisco.com/t5/network-access-control/tacacs-aaa/m-p/386366#M433338 <HTML><HEAD></HEAD><BODY><P>How did you configure the routers? The config should look something along the lines of this with some room for variation:</P><P></P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ line</P><P>aaa authorization exec default group tacacs+ if-authenticated</P><P>aaa authorization commands 0 default group tacacs+ if-authenticated </P><P>aaa authorization commands 1 default group tacacs+ if-authenticated </P><P>aaa authorization commands 15 default group tacacs+ if-authenticated </P><P>aaa authorization config-commands</P></BODY></HTML> Thu, 21 Oct 2004 15:00:54 GMT https://community.cisco.com/t5/network-access-control/tacacs-aaa/m-p/386366#M433338 scottosan 2004-10-21T15:00:54Z Re: Tacacs + AAA https://community.cisco.com/t5/network-access-control/tacacs-aaa/m-p/386367#M433339 <HTML><HEAD></HEAD><BODY><P>I didn't place the command "aaa authorization config-commands" in my configuration. I am going to place and to verify the result.</P><P>Thank´s</P><P>Fábio </P></BODY></HTML> Thu, 21 Oct 2004 15:59:58 GMT https://community.cisco.com/t5/network-access-control/tacacs-aaa/m-p/386367#M433339 fabioosantos 2004-10-21T15:59:58Z Re: Tacacs + AAA https://community.cisco.com/t5/network-access-control/tacacs-aaa/m-p/386368#M433340 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Scottosan,</P><P></P><P>The command aaa authorization config-commands fixed my problem. Thank´s you very much.</P><P>Regards,</P><P>Fábio</P></BODY></HTML> Thu, 21 Oct 2004 17:11:30 GMT https://community.cisco.com/t5/network-access-control/tacacs-aaa/m-p/386368#M433340 fabioosantos 2004-10-21T17:11:30Z Re: Tacacs + AAA https://community.cisco.com/t5/network-access-control/tacacs-aaa/m-p/386369#M433341 <HTML><HEAD></HEAD><BODY><P>your welcome</P></BODY></HTML> Thu, 21 Oct 2004 17:28:35 GMT https://community.cisco.com/t5/network-access-control/tacacs-aaa/m-p/386369#M433341 scottosan 2004-10-21T17:28:35Z