03-27-2019 02:12 AM
Dear Friends,
Can somebody explain to me clearly what this config will do?
aaa new-model
aaa authorization command 15 group tacacs+ none
no aaa authorization config-commands
What will be the result when a user steps into this device?
03-27-2019 06:49 AM
04-01-2019 06:20 PM
Hi
Command to create a new TACACS authentication template.
Authorization has been defined with level 15 and the group tacacs; this, as (none), is not being assigned to any group.
EXAMPLE:
aaa new-model
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
tacacs-server host 10.1.1.1
tacacs-server key cisco123
Best Regards,
Josiane
Twitter:@securegirlninja
04-02-2019 12:27 PM - edited 04-02-2019 12:30 PM
Please read my answer which I wrote to Mike
04-02-2019 08:15 AM
04-02-2019 12:29 PM
Thanks for your responses!
Isn't there a contradiction between the two authorization commands?
The first row gives full warrant while the second row only permits config commands?
I think the order of these commands is important!
So, as a result, we have only permit for config commands at the end.
Am I right?
04-02-2019 02:02 PM
Hi @ZogoHUN01
Other Example:
1. Create a local user with full privilege for fallback with the username command as shown here.
username cisco privilege 15 password cisco
2. Enable aaa new-model. Define TACACS server ISE, and place it in the group ISE_GROUP.
aaa new-model
tacacs server ISE
 address ipv4 10.48.17.88
 key cisco
aaa group server tacacs+ ISE_GROUP
 server name ISE
3. Test the TACACS server reachability with the test aaa command as shown.
Router#test aaa group tacacs+ admin Krakow123 legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.
4. Configure login and enable authentications and then use the exec and command authorizations as shown.
aaa authentication login AAA group ISE_GROUP local
aaa authentication enable default group ISE_GROUP enable
aaa authorization exec AAA group ISE_GROUP local
aaa authorization commands 0 AAA group ISE_GROUP local
aaa authorization commands 1 AAA group ISE_GROUP local
aaa authorization commands 15 AAA group ISE_GROUP local
aaa authorization config-commands
Rule applied to a vty
line vty 0 4
 authorization commands 0 AAA
 authorization commands 1 AAA
 authorization commands 15 AAA
 authorization exec AAA
 login authentication AAA
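An added example, not part of any post in this thread and not Cisco's code: a small Python audit of the settings discussed here, flagging a command-authorization list that ends in `none`, the explicit `no aaa authorization config-commands` form, and a line that references a method list with no definition at that level. The sample config is constructed; the list name `default` in it is an assumption, since the question's line gives no list name.

```python
import re

# Constructed sample config: the question's three statements (list name
# "default" is an assumption) plus a vty that references a list named AAA.
SAMPLE = """\
aaa new-model
aaa authorization commands 15 default group tacacs+ none
no aaa authorization config-commands
line vty 0 4
 authorization commands 15 AAA
"""

LIST_DEF = re.compile(r"aaa authorization commands (\d+) (\S+) (.+)")
LINE_REF = re.compile(r"authorization commands (\d+) (\S+)")

def audit(config):
    """Return findings as tuples: (kind, detail...)."""
    defined = {}          # (level, list name) -> methods in order
    refs = []             # (line context, level, list name)
    findings = []
    context = None        # most recent "line ..." block
    for raw in config.splitlines():
        stmt = raw.strip()
        if stmt.startswith("line "):
            context = stmt
        elif stmt == "no aaa authorization config-commands":
            # Explicit 'no' form: config-mode commands skip AAA authorization.
            findings.append(("config-commands-unauthorized",))
        elif (m := LIST_DEF.fullmatch(stmt)):
            level, name, methods = m.group(1), m.group(2), m.group(3).split()
            defined[(level, name)] = methods
            if methods[-1] == "none":
                # 'none' is reached when earlier methods return an error
                # (e.g. server unreachable); commands then run unchecked.
                findings.append(("none-fallback", level, name))
        elif (m := LINE_REF.fullmatch(stmt)) and context:
            refs.append((context, m.group(1), m.group(2)))
    for ctx, level, name in refs:
        if (level, name) not in defined:
            findings.append(("undefined-list", ctx, level, name))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
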
04-04-2019 05:57 AM
Hi @ZogoHUN01
Did I get to answer your question?