03-27-2019 02:12 AM
Dear Friends,
Can somebody explain to me clearly what this config will do?
aaa new-model
aaa authorization command 15 group tacacs+ none
no aaa authorization config-commands
What will be the result when a user steps into this device?
03-27-2019 06:49 AM
04-01-2019 06:20 PM
Hi
Command to create a new TACACS authentication template.
Authorization has been defined with level 15 and the group tacacs; this, as (none), is not being assigned to any group.
EXAMPLE:
aaa new-model
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
tacacs-server host 10.1.1.1
tacacs-server key cisco123
Best Regards,
Josiane
Twitter:@securegirlninja
04-02-2019 12:27 PM - edited 04-02-2019 12:30 PM
Please read my answer which I wrote to Mike
04-02-2019 08:15 AM
04-02-2019 12:29 PM
Thanks for your responses!
Isn't there a contradiction between the two authorization commands?
The first row gives full warrant while the second row only permits config commands?
I think the order of these commands is important!
So, as a result, we only have a permit for config commands at the end.
Am I right?
04-02-2019 02:02 PM
Hi @ZogoHUN01
Other Example:
1. Create a local user with full privilege for fallback with the username command as shown here.
username cisco privilege 15 password cisco
2. Enable aaa new-model. Define TACACS server ISE, and place it in the group ISE_GROUP.
aaa new-model
tacacs server ISE
 address ipv4 10.48.17.88
 key cisco
aaa group server tacacs+ ISE_GROUP
 server name ISE
3. Test the TACACS server reachability with the test aaa command as shown.
Router#test aaa group tacacs+ admin Krakow123 legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.
4. Configure login and enable authentications and then use the exec and command authorizations as shown.
aaa authentication login AAA group ISE_GROUP local
aaa authentication enable default group ISE_GROUP enable
aaa authorization exec AAA group ISE_GROUP local
aaa authorization commands 0 AAA group ISE_GROUP local
aaa authorization commands 1 AAA group ISE_GROUP local
aaa authorization commands 15 AAA group ISE_GROUP local
aaa authorization config-commands
Rule applied to a vty
line vty 0 4
 authorization commands 0 AAA
 authorization commands 1 AAA
 authorization commands 15 AAA
 authorization exec AAA
 login authentication AAA
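An added example, not part of any post in this thread and not Cisco code: a small Python check that reads an IOS-style config and flags the points the thread turns on, namely a command-authorization method list that ends in `none` (commands run without authorization when the TACACS+ server gives no response), an explicit `no aaa authorization config-commands`, and named lists such as `AAA` that are defined but not applied to a line, or applied but never defined. Both sample configs are constructed; the list name `default` and the keyword `commands` in the first one are assumptions.

```python
import re

# Constructed sample: the question's config in full IOS syntax. The list name
# "default" and the keyword "commands" are assumptions added for the example.
QUESTION_CFG = """\
aaa new-model
aaa authorization commands 15 default group tacacs+ none
no aaa authorization config-commands
"""

# Constructed sample: named list "AAA" applied to the vty lines, as in the answer.
NAMED_CFG = """\
aaa new-model
aaa authorization commands 1 AAA group ISE_GROUP local
aaa authorization commands 15 AAA group ISE_GROUP local
aaa authorization config-commands
line vty 0 4
 authorization commands 1 AAA
 authorization commands 15 AAA
"""

def audit_aaa(config):
    """Return a list of findings about command authorization in an IOS-style config."""
    lists = {}        # (privilege level, list name) -> ordered method keywords
    applied = set()   # (privilege level, list name) referenced under a line
    cfg_off = False   # True after an explicit "no aaa authorization config-commands"
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"aaa authorization commands (\d+) (\S+) (.+)", line):
            lists[(int(m[1]), m[2])] = m[3].split()
        elif m := re.match(r"authorization commands (\d+) (\S+)", line):
            applied.add((int(m[1]), m[2]))
        elif line.endswith("aaa authorization config-commands"):
            cfg_off = line.startswith("no ")
    findings = []
    for (level, name), methods in sorted(lists.items()):
        if methods[-1] == "none":
            findings.append(f"FAIL-OPEN level {level} list {name}: falls back to 'none'")
        if name != "default" and (level, name) not in applied:
            findings.append(f"UNUSED level {level} list {name}: not applied to any line")
    for level, name in sorted(applied - set(lists)):
        findings.append(f"UNDEFINED level {level} list {name}: applied but never defined")
    if lists and cfg_off:
        findings.append("CONFIG-MODE: configuration commands are not sent for authorization")
    return findings

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CFG), ("named list", NAMED_CFG)):
        print(label, audit_aaa(cfg) or "no findings")
```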
04-04-2019 05:57 AM
Hi @ZogoHUN01
Did I get to answer your question?