topic Re: User privilege when tacacs login in Network Access Control

User privilege when tacacs login

lekkwi — Fri, 25 Feb 2022 09:47:20 GMT

Hello,

An ASR 1002-X with IOS 17.03.03 was acquired.

There are few C9300 on the same site with the same IOS version.

There are some accounts set in tacacs server with privilege 7 (let say "priv7").

When I used "priv7" and login C9300 by ssh, the privilege level is 7.

Switch# show privilege

Current privilege level is 7

But when I login ASR using the same account, the privilege is 1.

ASR>show privilege
Current privilege level is 1

I believe ASR is good to connect to tacacs+, otherwise "priv7" can't login.

Please see below related configurations in ASR 1002-X:

aaa group server tacacs+ TAC
server-private 10.153.221.101 key 7 xxxxx
server-private 10.153.221.102 key 7 xxxxx
server-private 10.153.231.120 key 7 xxxxx
ip vrf forwarding Mgmt-intf
ip tacacs source-interface GigabitEthernet0
!
aaa authentication login default group TAC local
aaa authentication login local_auth local
aaa authentication enable default enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 8 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+

!
line con 0
exec-timeout 30 0
login authentication local_auth
stopbits 1
!

line vty 0 4
exec-timeout 30 0
transport input ssh
line vty 5 15
exec-timeout 30 0
transport input ssh
!

Have I missed something in the related configurations? Or anything that I need to work on this too?

Thank you very much!

Re: User privilege when tacacs login

balaji.bandi — Fri, 25 Feb 2022 10:01:19 GMT

what is the outcome if you try same command : enable mode # what is the outcome ?

ASR>show privilege
Current privilege level is 1

Re: User privilege when tacacs login

lekkwi — Fri, 25 Feb 2022 13:32:54 GMT

Thanks for your reply.

If I typed "enable", then a password will be needed and if the password is correct, then it enters as privilege 15.

Re: User privilege when tacacs login

Marcus Hunold — Fri, 25 Feb 2022 15:25:16 GMT

Where do you manage your command set?

is that maybe the problem:

aaa authorization commands 8 default group tacacs+ if-authenticated

should be:

aaa authorization commands 7 default group tacacs+ if-authenticated

Re: User privilege when tacacs login

lekkwi — Fri, 25 Feb 2022 16:38:13 GMT

Thanks for your reply.

I removed the if-authenticated, not good.

I removed the command "aaa authorization commands 8 default group tacacs+ if-authenticated" and add "aaa authorization commands 7 default group tacacs+ if-authenticated". But the result is not good.

Other C9300 switches have the commands like that too.

Re: User privilege when tacacs login

Marcus Hunold — Fri, 25 Feb 2022 19:14:02 GMT

don't really understand the configuration if you follow the privileged levels 1,7,15

I would then assume 1,7,15 in the configuration...

Are you sure you send 7 in the ISE shell profile and not 8...?

Concerning your initial question...

Could it be that the follwing configuration is missing?

This:

line vty 0 4

authorization exec VTY

Or this:

line vty 0 4

authorization commands 1 VTY

authorization commands 7 VTY

authorization commands 15 VTY

Re: User privilege when tacacs login

lekkwi — Tue, 01 Mar 2022 09:01:29 GMT

Thanks for your reply.

May I know what's the meaning of VTY in "authorization exec VTY"?

Or shall I delete the following commands to make clear?

aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 8 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated

Thank you!

Re: User privilege when tacacs login

Marcus Hunold — Thu, 03 Mar 2022 13:09:28 GMT

Think your topic is discussed here already:

Setting privilege level on vty lines - Cisco Community