topic Re: AAA command authorization on Priv 7 in Network Access Control

AAA command authorization on Priv 7

josephbdelossantos — Wed, 15 Jan 2025 16:56:02 GMT

Hi,

I've setup clearpass as AAA with our cisco devices. I have a group of users that authenticate with priv level 7. I need to add a privlege level 15 command to these users (reload and clear ip *) , how do I accomplish this?

Thank you

Re: AAA command authorization on Priv 7

MHM Cisco World — Wed, 15 Jan 2025 17:54:31 GMT

https://notes.networklessons.com/security-privilege-levels-and-command-output

check this, you need to move command from level 15 to level 7

MHM

Re: AAA command authorization on Priv 7

Flavio Miranda — Wed, 15 Jan 2025 17:03:43 GMT

@josephbdelossantos

Just use the command

username "user" privilege 15 password "password"

Re: AAA command authorization on Priv 7

josephbdelossantos — Wed, 15 Jan 2025 17:43:09 GMT

Sorry I wasn't clear. I have a tacacs server that authenticates users and puts them on the correct privilege level. I just need to allow certain higher privilege commands to be run by these users aside from the usual priv 7 commands that are available. basically, allowing them all commands on priv 7 + reload and clear ip (but not show run, show start or config mode)

Re: AAA command authorization on Priv 7

Flavio Miranda — Wed, 15 Jan 2025 17:55:50 GMT

@josephbdelossantos

This configuration is done on the TACACS side. In ISE for example, you can do something like "Work Centers > Device Administration > Policy Results > TACACS Command Sets"

You need to find how to do this in clearpass.

Re: AAA command authorization on Priv 7

Rob Ingram — Wed, 15 Jan 2025 18:03:35 GMT

@josephbdelossantos on ClearPass create a TACACS Enforcement Profile, allowing the commands you want those users to run. In the "Service" match against an AD group those specific users are a member of and apply the previously created Enforcement Profile.

Re: AAA command authorization on Priv 7

josephbdelossantos — Wed, 15 Jan 2025 19:23:55 GMT

I already have them configured in the tacacs side, I just want to know if I need some AAA command authorization to be configured in the switches.

Re: AAA command authorization on Priv 7

MHM Cisco World — Wed, 15 Jan 2025 19:28:42 GMT

did you check link I share?

R1(config)#privilege exec level 7 XXXXXXXXXXXXX

MHM

Re: AAA command authorization on Priv 7

josephbdelossantos — Wed, 15 Jan 2025 19:45:12 GMT

That works but that doesnt accept any arguments, "reload in X" , clear ip BGP *, etc

Re: AAA command authorization on Priv 7

MHM Cisco World — Wed, 15 Jan 2025 19:55:06 GMT

move command reload and clear
then make clearpass permit only clear ip bgp and reload in X

MHM

Re: AAA command authorization on Priv 7

Rob Ingram — Wed, 15 Jan 2025 21:15:07 GMT

@josephbdelossantos configure aaa authorization on the switch, this instructs the switch to send a request to the TACACS+ server when a command is executed, and permit/deny as per your configuration.

Refer to the relevant section for the IOS-XE switch configuration in the guide below https://community.cisco.com/t5/security-knowledge-base/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365

Obviously ignore the ISE information, but the switch commands will be the same when using ClearPass as the TACACS server.

Re: AAA command authorization on Priv 7

josephbdelossantos — Wed, 15 Jan 2025 21:29:16 GMT

thats the problem, moving reload doesnt allow you to specify any arguments in the switch even with permitting said arguments in clearpass...

Re: AAA command authorization on Priv 7

josephbdelossantos — Wed, 15 Jan 2025 23:46:27 GMT

Rob, do I still need to list down all the priv 15 commands I want priv 7 users to be able to execute regardless of what I permit in clearpass? I think clearpass only checks commands to allow to execute but the actual command still need to be executable at that priv level, meaning I still need to configure privilege exec level 7 reload , priv exec level 7 show run, etc on the switches..

Re: AAA command authorization on Priv 7

josephbdelossantos — Wed, 15 Jan 2025 23:53:01 GMT

hey MHM, I also tried adding the show running-config, the link does say that it executes perfectly but it wont show it because of the current priv level security, is there a way to get around that? Thanks

Re: AAA command authorization on Priv 7

MHM Cisco World — Thu, 16 Jan 2025 09:35:45 GMT

Solution need clearpass and sw

1-Sw will move only ""reload"" and ""clear""

2-Sw config for command authz via clearpass

3-Clearpasd authz only part of clear' like clear ip bgp*

You do step3 and missing do step1 and 2

MHM