AAA authentication and Authorization

salemmahara (Level 3)

Hello everyone

Here is a simple configuration of TACACS+. Authentication is OK and the enable password is checked, but after entering Privilege mode (Router#) there is a problem with authorization: the logged-in user can perform all commands :)

aaa new-model
aaa authentication login TEST group tacacs+
aaa authorization enable default group tacacs+
aaa authorization exec TEST group tacacs+
aaa authorization network TEST group tacacs+

line vty 0 4
 login authentication TEST
 authorization exec TEST

I tried to deny all commands on the TACACS+ server but ...

May I have your ideas please?

2 Accepted Solutions

Francesco Molino (VIP Alumni)

Hi

You're missing some aaa statements to ask the device to check all commands typed in by a user against tacacs:

aaa authorization config-commands
aaa authorization commands 1 TEST group default local if-authenticated
aaa authorization commands 0 TEST group default local if-authenticated
aaa authorization commands 15 TEST group default local if-authenticated
!
line vty 0 15
 authorization commands 1 TEST
 authorization commands 0 TEST
 authorization commands 15 TEST

Here is a complete doc: https://communities.cisco.com/servlet/JiveServlet/downloadBody/68194-102-1-125121/How-To_TACACS_for_IOS.pdf


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
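An added audit script, not from this thread or from Cisco: it reads a saved running-config and reports exactly the gaps Francesco points out (no `aaa authorization config-commands`, no per-level `aaa authorization commands` list, or a named list that no vty line applies), using the original poster's configuration as constructed sample input. It relies on one piece of IOS behaviour beyond the thread: a method list named `default` applies to every line without a per-line statement.

```python
import re

# Privilege levels whose commands should all be authorized against TACACS+.
REQUIRED_LEVELS = (0, 1, 15)

def audit_command_authorization(config):
    # Return findings for an IOS config that lets an authenticated user run
    # any command; an empty list means every check passed.
    lines = config.splitlines()
    findings = []
    if "aaa authorization config-commands" not in lines:
        findings.append("missing 'aaa authorization config-commands': "
                        "configuration-mode commands are never authorized")
    cmd_lists = {}  # privilege level -> name of the global method list
    for line in lines:
        m = re.match(r"aaa authorization commands (\d+) (\S+)", line)
        if m:
            cmd_lists[int(m.group(1))] = m.group(2)
    for level in REQUIRED_LEVELS:
        if level not in cmd_lists:
            findings.append(f"missing 'aaa authorization commands {level} ...'")
    # Walk each 'line vty' block (header plus the indented sub-commands that
    # follow it in 'show running-config'). A named list only takes effect on
    # a line that applies it; only a list called 'default' applies everywhere.
    vty, applied = None, set()
    for line in lines + [""]:  # the sentinel flushes the last block
        if not line.startswith(" "):
            for level, name in cmd_lists.items():
                if vty and name != "default" and level not in applied:
                    findings.append(f"{vty}: list '{name}' for level {level} not applied")
            vty = line if line.startswith("line vty") else None
            applied = set()
        elif vty:
            m = re.match(r" authorization commands (\d+)", line)
            if m:
                applied.add(int(m.group(1)))
    return findings

# Constructed sample: the poster's config, sub-commands indented as IOS prints them.
ORIGINAL_CONFIG = """\
aaa new-model
aaa authentication login TEST group tacacs+
aaa authorization enable default group tacacs+
aaa authorization exec TEST group tacacs+
aaa authorization network TEST group tacacs+
line vty 0 4
 login authentication TEST
 authorization exec TEST
"""
```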


Hi Francesco

Thanks for replying.

aaa authorization config-commands was forgotten


3 Replies

You're welcome

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question