topic Re: Tacacs Authorization on ACS in Network Access Control

Tacacs Authorization on ACS

SDWorx_2 — Sun, 10 Mar 2019 14:50:03 GMT

Hello,

I'm new to authorization on Cisco ACS server.

I'm wrestling a couple of days on getting the authorization working.

What I would like to archive is limit the commands executed on our Cisco material. I would like to have an "any" for us, and a limited command set for other users.

This is what I already configured:

aaa new-model

aaa authentication login default group tacacs+

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated (any explanation on this? )

tacacs-server host x.x.x.x

tacacs-server key "hidden"

line vty 0 4

password "hidden"

line vty 5 15

password "hidden"

On the ACS server.

PPP and Shell (exec) checked.

many Thanks

Koen

Re: Tacacs Authorization on ACS

ecaballero — Wed, 26 May 2004 15:51:00 GMT

Here is a configuration that works quite well. It will use TACACS for authentication and authorization. It is a good idea to have a backup authentication and authorization scheme such as Line or None, in case your Tacacs server goes down or is misconfigured. That way you can still get into your router in an emergency.

aaa new-model

aaa authentication login vtymethod group tacacs+ line

aaa authorization exec vtymethod group tacacs+ none

aaa authorization commands 1 vtymethod group tacacs+ none

aaa authorization commands 15 vtymethod group tacacs+ none

line vty 0 4

password 7 *omitted*

authorization commands 15 vtymethod

authorization exec vtymethod

I am using Cisco Secure ACS 3.2 for Windows.

On the ACS you must have shell exec checked, and also privilege level selected with the level set to 15.

Then you need to create a IOS command set to either permit or deny certain commands.

Then you can run debug aaa authorization on your router to troubleshoot.

Give that a try and see how it goes.

Re: Tacacs Authorization on ACS

SDWorx_2 — Thu, 27 May 2004 15:12:01 GMT

Hi,

Many thanks for your respons!!!

I haven't been able to test this configuration since it has been a very busy day today.

Hope I can test it tomorrow.

Thanks for your help, and I keep you informed about the results.

Koen

Re: Tacacs Authorization on ACS

SDWorx_2 — Fri, 28 May 2004 10:22:06 GMT

Hello,

Many thanks for you help!! This configuration works very well as you already mentioned!!!

This only thing I'm not really happy with is the fact that when I logon I'm immediate in enable mode. This is very handy, but not really secure. I'll look around for disabling this.

An other (maybe stupid) question is why you have to configure the 2 different levels on the switch. This is not really clear to me.

many thanks for your help and have a very nice weekend.

Regards

Koen