topic Re: AAA Exclude specific command for Privileges 15 User in Network Access Control

AAA Exclude specific command for Privileges 15 User

karenmelkonyanstu — Wed, 19 Apr 2023 16:06:49 GMT

Hi Guys,

Let's say I want to create user with privileges 15 but I don't want him to be able to execute particular command "debut ip packet"
How can I do that without having TACACS Server?

Thanks in advance.

Re: AAA Exclude specific command for Privileges 15 User

Nancy Saini — Wed, 19 Apr 2023 16:52:08 GMT

Without TACACS server I don't think you can do command authorization locally.

Re: AAA Exclude specific command for Privileges 15 User

karenmelkonyanstu — Wed, 19 Apr 2023 16:56:27 GMT

OK If I had TACACS Server - should I configure it ONLY on TACACS Server?
Or is there anything else besides bellow command I would have to configure on the switch\router?
aaa group server tacacs+ TACACS-SERVER
server-private 10.84.45.37 key 7 XXXXXXXXXXXXXXX
server-private 10.84.45.18 key 7 XXXXXXXXXXXXXXX
ip tacacs source-interface Vlan177
!
aaa authentication login default group TACACS-SERVER local
aaa authentication enable default group TACACS-SERVER enable
aaa authorization exec default group TACACS-SERVER if-authenticated
aaa authorization commands 15 default group TACACS-SERVER if-authenticated
!
aaa session-id common

Re: AAA Exclude specific command for Privileges 15 User

Nancy Saini — Wed, 19 Apr 2023 17:08:47 GMT

First define the TACACS server and check reachability using command "test aaa group TACACS-SERVER <username> <password> new-code". Check if the request is reaching the TACACS server. Once confirmed then define remaining AAA commands.

The configuration looks fine but certain network devices may require some additional attributes to be pushed from TACACS server.

If this doesn't work, open a case with TAC for further troubleshooting.

Re: AAA Exclude specific command for Privileges 15 User

karenmelkonyanstu — Thu, 20 Apr 2023 09:24:25 GMT

1)Thanks for the response.
Just to confirm - when you say "define remaining AAA Commands" you mean to do it on the actual TACACS Server?
Or do you mean define some other AAA Commands on the router itself?
My main concern is HOW to prohibit one particular command for a particular user even if he has privilege 15.
So if I want for a TACACS User Bob to have prohibited "debug ip packet" command - I should do some configuration on the actual TACACS Server?

2"The configuration looks fine but certain network devices may require some additional attributes to be pushed from TACACS server."

What are those certain network devices ?

Re: AAA Exclude specific command for Privileges 15 User

MHM Cisco World — Thu, 20 Apr 2023 09:33:39 GMT

Configure ISE 2.0 TACACS+ Authentication Command Authorization - Cisco

in ISE TACACS you can deny/permit any command

Re: AAA Exclude specific command for Privileges 15 User

Nancy Saini — Thu, 20 Apr 2023 17:02:50 GMT

To permit or deny commands on ISE, as @MHM Cisco World mentioned you have to define under TACACS command set in Policy Elements.

"The configuration looks fine but certain network devices may require some additional attributes to be pushed from TACACS server." - here I was referring to NXOS platform. It needs certain additional attributes to be pushed in shell profile from ISE.

Re: AAA Exclude specific command for Privileges 15 User

Arne Bier — Fri, 21 Apr 2023 03:25:32 GMT

@karenmelkonyanstu - you asked how this could be done without TACACS+. There is a feature called Role Based CLI - it's a very old feature but I reckon it's still in IOS today. I have never used it myself. The idea is that you create "views" for a user after they have logged in - and you can be very granular about what that used can see and do.

Re: AAA Exclude specific command for Privileges 15 User

karenmelkonyanstu — Fri, 21 Apr 2023 10:46:21 GMT

Hi Arne,

Thanks - good to know.