07-08-2018 01:56 AM - edited 02-21-2020 11:00 AM
Hello everyone
Here is a simple configuration of TACACS+. Authentication is OK and the enable password is checked, but after entering privileged mode (Router#) there is a problem with authorization: the logged-in user can perform all commands :)
aaa new-model
aaa authentication login TEST group tacacs+
aaa authorization enable default group tacacs+
aaa authorization exec TEST group tacacs+
aaa authorization network TEST group tacacs+
line vty 0 4
login authentication TEST
authorization exec TEST
I tried to deny all commands on TACACS+ server but ...
May I have your ideas please?
07-08-2018 04:58 AM - edited 07-08-2018 04:59 AM
Hi
You're missing some aaa statements to ask the device to check all commands typed in by a user against tacacs:
aaa authorization config-commands
aaa authorization commands 1 TEST group tacacs+ local if-authenticated
aaa authorization commands 0 TEST group tacacs+ local if-authenticated
aaa authorization commands 15 TEST group tacacs+ local if-authenticated
!
line vty 0 15
authorization commands 1 TEST
authorization commands 0 TEST
authorization commands 15 TEST
Here is a complete doc: https://communities.cisco.com/servlet/JiveServlet/downloadBody/68194-102-1-125121/How-To_TACACS_for_IOS.pdf
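A small offline check for the gap discussed in this thread, as an added example that is not part of the original posts: it reads an IOS configuration and reports vty lines whose commands are never sent to an authorization method list. The `audit` function, the two sample configurations, and the use of `group tacacs+` as the server group (taken from the question's configuration) are assumptions made for the example.

```python
import re

LEVELS = (0, 1, 15)  # privilege levels the answer configures

# Constructed sample: the question's configuration, indented the way IOS prints it.
BEFORE = """\
aaa new-model
aaa authentication login TEST group tacacs+
aaa authorization exec TEST group tacacs+
line vty 0 4
 login authentication TEST
 authorization exec TEST
"""
# Constructed sample: the answer's additions; 'group tacacs+' is an assumption.
FIX = "aaa authorization config-commands\n" + "".join(
    f"aaa authorization commands {n} TEST group tacacs+ local if-authenticated\n"
    for n in LEVELS)
AFTER = BEFORE.replace("line vty", FIX + "line vty") + "".join(
    f" authorization commands {n} TEST\n" for n in LEVELS)

def audit(config):
    """Return findings for vty lines whose commands are not sent to AAA."""
    defined, applied, block = set(), {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"aaa authorization commands (\d+) (\S+) \S", line):
            defined.add((int(m[1]), m[2]))          # global method list
        if line.startswith("line "):
            block = line
            applied.setdefault(block, {})
        elif line == "!" or line.startswith("aaa "):
            block = None                            # back at global level
        elif block and (m := re.match(r"authorization commands (\d+) (\S+)$", line)):
            applied[block][int(m[1])] = m[2]        # list applied to this line
    findings = []
    # Assumption: the statement appears explicitly in the config being audited.
    if not re.search(r"^aaa authorization config-commands$", config, re.M):
        findings.append("global: 'aaa authorization config-commands' not present")
    for block, lists in applied.items():
        if not block.startswith("line vty"):
            continue
        for level in LEVELS:
            name = lists.get(level, "default")      # unnamed lines use 'default'
            if (level, name) not in defined:
                findings.append(f"{block}: level {level} commands not authorized "
                                f"(method list '{name}' is not defined)")
    return findings

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg) or "no findings")
```

The same check also catches a line that references a method list name with no matching global `aaa authorization commands` statement for that level.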
07-09-2018 10:16 PM - edited 07-09-2018 10:24 PM
Hi Ferancesco
Thanks for replying.
aaa authorization config-commands was forgotten