10-25-2013 06:55 AM - edited 03-10-2019 09:02 PM
I'm trying to use ACS (v4.1) to authenticate admins to our Cisco switches and also restrict access to particular commands for particular users. I've done a lot of research on this but can't find a complete document that goes through it step by step.
What I have so far on the switch is
enable secret 5 removed
username admin privilege 15 password 7 removed
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
The local admin logs in perfectly fine when the switch is not connected to the network.
When I connect the switch to the network and login using my AD credentials it works a treat.
When I try and login with a local ACS account for testing (which has Max Privilege for any AAA Client set to Level 1, and under TACACS+ Settings Shell (exec) is ticked as is Privilege level, also set at 1), it logs in fine, but when I try to go into exec mode it fails with the errors below:
% Error in authentication.
.Oct 25 14:19:20.288: %SYS-5-PRIV_AUTH_FAIL: Authentication to privilege level 15 failed by test on console
I don't want test to go into exec mode as level 15 I want it to go in as level 1 or some other level other than 15 so I can control what commands it has access to through ACS.
I'm at a loss to know why this isn't working, so any help would be much appreciated.
Thanks
Jon
10-25-2013 07:52 AM
What error do you see on ACS 4.1 > Reports and Activity > Failed Attempts?
~BR
Jatin Katyal
**Do rate helpful posts**
10-25-2013 07:59 AM
The error ACS is reporting is User exceeded max sessions
Checked max sessions for the group and they're set to unlimited.
10-25-2013 08:12 AM
Please make sure we have nothing configured on the user level because user settings always take precedence over group. Also, please post the screen shot of max session settings from group level.
~BR
Jatin Katyal
**Do rate helpful posts**
10-28-2013 01:14 AM
See below group and user Max session settings.
10-28-2013 01:43 AM
The problem you are facing and the error you're seeing on ACS ("max sessions exceeded") seem to be 2 different issues. I read that you don't wanna try this with Max Privilege and privilege level set to 15. However, if you want to restrict a user to a few commands on any IOS, that can't be done like this.
You need to have command authorization enabled on the switch and a command set on the ACS > Shell Command Authorization. This is a pretty common feature that we use day in, day out.
You need to set the privilege level to 15 because we are using exec authorization on the switch, and then follow this document.
You would see few examples of read-only access and read-write access.
You may also let me know what all command you would like to allow for read-only access.
Please feel free to let me know if you need any further assistance.
~BR
Jatin Katyal
**Do rate helpful posts**
10-28-2013 02:46 AM
I flattened the aaa config on the switch and started from scratch on the ACS and configured both as per the Cisco doc you shared with the addition of the aaa authentication login default group tacacs+ local.
When I came to the user config it asks to assign the command authorisation set at the user level as well as the group level; I don't have the option within ACS to assign any command authorisation sets at the user level.
When I tested the config by logging in with the restrictive access account it didn't restrict any of the commands and allowed everything.
Thanks
10-28-2013 02:53 AM
In order to assign shell command authorization on the user level, please check the option under interface configuration > Tacacs+ (Cisco) > Check Shell (exec) under user as well.
To verify why it's not restricting the user with read-only access, please post the output of
show run | in aaa
I need to see if you have command authorization configured correctly.
~BR
Jatin Katyal
**Do rate helpful posts**
10-28-2013 02:59 AM
See below aaa output
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common
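As an added example (not code from the thread or from Cisco), here is a small checker that runs over the pasted `show run | in aaa` output and reports which of the TACACS+ command-authorization lines discussed in this thread are present. It also carries two defender's caveats that the thread does not spell out: IOS applies no authorization to console sessions unless `aaa authorization console` is configured (the earlier `%SYS-5-PRIV_AUTH_FAIL ... on console` message suggests console testing), and an `if-authenticated` fallback method grants authorization whenever the TACACS+ server cannot be reached. The sample config below is the one from this post; the check list and severities are my own choices.

```python
"""Sanity checks over the output of `show run | in aaa`.

Added example, not code from the thread or from Cisco. The checks encode the
TACACS+ command-authorization lines discussed in the thread plus two defender
caveats: IOS applies no authorization to console sessions unless
`aaa authorization console` is configured, and an `if-authenticated` fallback
grants authorization whenever the TACACS+ server is unreachable.
"""
import re

# Constructed sample: the aaa lines pasted in the post above.
SAMPLE_AAA_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common
"""

# (severity, description, regex that at least one aaa line must match)
REQUIRED = [
    ("error", "aaa new-model is enabled", r"^aaa new-model$"),
    ("error", "login authentication uses TACACS+",
     r"^aaa authentication login \S+ group tacacs\+"),
    ("warn", "exec authorization uses TACACS+ (lets ACS set the shell privilege level)",
     r"^aaa authorization exec \S+ group tacacs\+"),
    ("error", "configuration-mode commands are authorized",
     r"^aaa authorization config-commands$"),
    ("error", "level 1 commands are authorized via TACACS+",
     r"^aaa authorization commands 1 \S+ group tacacs\+"),
    ("error", "level 15 commands are authorized via TACACS+",
     r"^aaa authorization commands 15 \S+ group tacacs\+"),
    ("warn", "authorization is applied to console sessions",
     r"^aaa authorization console$"),
    ("warn", "level 15 commands are accounted (audit trail on ACS)",
     r"^aaa accounting commands 15 \S+ start-stop group tacacs\+"),
]


def parse_aaa_lines(text):
    """Return the stripped lines that start with 'aaa '."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("aaa ")]


def audit_aaa_config(text):
    """Return a list of (severity, message) findings; an empty list means every check passed."""
    lines = parse_aaa_lines(text)
    findings = []
    for severity, desc, pattern in REQUIRED:
        if not any(re.match(pattern, ln) for ln in lines):
            findings.append((severity, "missing: " + desc))
    # Fallback methods weaken enforcement: flag any authorization list ending in if-authenticated.
    for ln in lines:
        if ln.startswith("aaa authorization") and "if-authenticated" in ln:
            findings.append(("info", f"'{ln}' grants authorization whenever the TACACS+ server is unreachable"))
    return findings


def has_blocking_findings(text):
    """True when at least one 'error' finding exists (command authorization cannot work as intended)."""
    return any(sev == "error" for sev, _ in audit_aaa_config(text))


if __name__ == "__main__":
    for sev, msg in audit_aaa_config(SAMPLE_AAA_CONFIG):
        print(f"[{sev}] {msg}")
```

Run against the config in this post it reports no errors, only warnings: no `aaa authorization exec` line (so ACS cannot hand the user a privilege level), no `aaa authorization console`, and no command accounting. The first two are exactly the lines a reviewer would ask about when "everything is allowed" during a console test.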
10-28-2013 03:01 AM
Seems fine. Can you show me how you have created the restricted command set on ACS and where we have applied it?
If that would look good, we will fetch the following debugs
debug tacacs+
debug aaa authentication
debug aaa authorization
~BR
Jatin Katyal
**Do rate helpful posts**
10-28-2013 03:07 AM
User settings (screenshot)
Group settings (screenshot)
10-28-2013 03:12 AM
That looks good too.
What all have you tried in your testing? Can you pick an example that shouldn't work for you but is working?
~BR
Jatin Katyal
**Do rate helpful posts**
10-28-2013 03:34 AM
I've logged in with a test account called admin which is part of the Restrict Access group, and the user is configured for the command set as well.
When I've logged in I've done the following commands:
conf t
interface fa0/3
duplex full
which have all worked.
Thanks
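As an added example (not from the thread or from Cisco), the following simplified model of an ACS shell command authorization set shows what a read-only set is expected to answer for the three commands tried in the last post. The model assumes the first word of each line is the command and the rest are its arguments, that deny argument rules are checked before permit rules, and that the per-command "permit unmatched args" and per-set "permit unmatched commands" defaults apply afterwards; the `READ_ONLY` set and the class names are constructed for the illustration and are not ACS's own data model. If a switch returns "permit" for all three, the decision is not coming from a set like this one, which points back at the switch-side configuration (console authorization, exec authorization) rather than at the command set.

```python
"""Simplified model of an ACS shell command authorization set.

Added example, not code from the thread or from Cisco. Assumptions: the first
token is the command name and the remainder is the argument string; deny
argument rules are evaluated before permit rules; then the per-command
'permit unmatched args' and per-set 'permit unmatched commands' defaults
apply. IOS expands abbreviations before sending the request, so 'conf t'
reaches the server as 'configure terminal'; the verdict is the same here.
"""
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """Argument rules for one command name, mirroring ACS's per-command list."""
    command: str
    permit_args: list = field(default_factory=list)  # regexes over the argument string
    deny_args: list = field(default_factory=list)
    permit_unmatched_args: bool = False


@dataclass
class CommandSet:
    rules: dict                          # command name -> CommandRule
    permit_unmatched_commands: bool = False

    def evaluate(self, command_line):
        """Return ('permit' | 'deny', reason) for one command line."""
        tokens = command_line.split()
        if not tokens:
            return "deny", "empty command"
        name, args = tokens[0], " ".join(tokens[1:])
        rule = self.rules.get(name)
        if rule is None:
            verdict = "permit" if self.permit_unmatched_commands else "deny"
            return verdict, f"no rule for command {name!r}; unmatched-commands default"
        for pattern in rule.deny_args:
            if re.search(pattern, args):
                return "deny", f"arguments match deny rule {pattern!r}"
        for pattern in rule.permit_args:
            if re.search(pattern, args):
                return "permit", f"arguments match permit rule {pattern!r}"
        verdict = "permit" if rule.permit_unmatched_args else "deny"
        return verdict, f"no argument rule matched; unmatched-args default for {name!r}"


# Constructed read-only set: 'show' (except tech-support, which dumps the whole
# config) plus a few harmless commands; everything else is denied.
READ_ONLY = CommandSet(
    rules={
        "show": CommandRule("show", deny_args=[r"^tech-support"], permit_unmatched_args=True),
        "ping": CommandRule("ping", permit_unmatched_args=True),
        "exit": CommandRule("exit", permit_unmatched_args=True),
        "logout": CommandRule("logout", permit_unmatched_args=True),
    },
    permit_unmatched_commands=False,
)


def evaluate_session(command_set, commands):
    """Evaluate a list of command lines; returns [(command, verdict), ...]."""
    return [(cmd, command_set.evaluate(cmd)[0]) for cmd in commands]


# Constructed sample: the commands from the last post, which a read-only set refuses.
TESTED_COMMANDS = ["conf t", "interface fa0/3", "duplex full"]

if __name__ == "__main__":
    sample = TESTED_COMMANDS + ["show running-config", "show tech-support"]
    for cmd, verdict in evaluate_session(READ_ONLY, sample):
        print(f"{verdict:6s} {cmd}")
```

The `deny_args` entry on `show` is there to show why argument rules matter even on a "read-only" command: `show tech-support` includes the running configuration, so a read-only set usually excludes it explicitly rather than relying on the unmatched-args default.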