cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3006
Views
10
Helpful
7
Replies

aaa authorization config

ZogoHUN01
Level 1
Level 1

Dear Friends,

Can somebody explain me clearly what will make this config? 

aaa new-model
 aaa authorization command 15 group tacacs+ none
 no aaa authorization config-commands

What will be the result when a user step into this device? 

 

7 Replies 7

balaji.bandi
Hall of Fame
Hall of Fame

here is some example behaviours :

 

http://www.dslreports.com/faq/9815

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi

ZogoHUN01

command to create a new TACACS authentication template.
Authorization has been defined with level 15 and the group tacacs this as (none) is not being assigned to any group.
EXAMPLE:
aaa new-model
aaa authorization config-commands
aaa authorization commands 0 default group tacacs + local
aaa authorization commands 1 default group tacacs + local
aaa authorization commands 15 default group tacacs + local
tacacs-server host 10.1.1.1
tacacs-server key cisco123

 

Best Regards,

Josiane 

Twitter:@securegirlninja

Please read my answer which I wrote to Mike

 

Mike.Cifelli
VIP Alumni
VIP Alumni
Are you using ISE? If you are you can configure shell profiles to push priv authorization to end users. If not, here are two examples of aaa authorization commands that will yield different priv results:

aaa authorization commands 1 group tacacs+ local (priv 1)
aaa authorization commands 15 group tacacs+ local (priv 15)

Using ISE to push shell profile aaa config example:

aaa authorization network group tacacs+ local
aaa authorization configuration group tacacs+ local

Note that the aaa statements are subject to change based on if you use named groups, etc. HTH!

Thanks for your responses!

Isn't there a contradiction between the two authorization commands?

The first row gives full warrant while the second row only permits config commands?

I think the order of these commands important!
So, as a result, we have only permit for config commands at the end.

Am I right?

Hi @ZogoHUN01 

 

Other Example:

1- Create a local user with full privilege for fallback with the username command as shown here.

username cisco privilege 15 password cisco

2. Enable aaa new-model. Define TACACS server ISE, and place it in the group ISE_GROUP.
aaa new-model
tacacs server ISE
address ipv4 10.48.17.88
key cisco
aaa group server tacacs+ ISE_GROUP
server name ISE

3-Test the TACACS server reachability with the test aaa command as shown.

Router#test aaa group tacacs+ admin Krakow123 legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

4. Configure login and enable authentications and then use the exec and command authorizations as shown.

aaa authentication login AAA group ISE_GROUP local
aaa authentication enable default group ISE_GROUP enable
aaa authorization exec AAA group ISE_GROUP local
aaa authorization commands 0 AAA group ISE_GROUP local
aaa authorization commands 1 AAA group ISE_GROUP local
aaa authorization commands 15 AAA group ISE_GROUP local
aaa authorization config-commands


Rule applied to a vty
4. Configure login and enable authentications and then use the exec and command authorizations as shown.
line vty 0 4
authorization commands 0 AAA
authorization commands 1 AAA
authorization commands 15 AAA
authorization exec AAA
login authentication AAA

Hi @ZogoHUN01 
Did I get to answer your question?