Buy or Renew
Buy or Renew
Welcome to the new Cisco Community. LEARN MORE about the updates and what is coming.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation

ACS 4.2 Command Authorization

Go to solution
Jon Eyes
Beginner
Beginner

‎07-16-2012 01:08 AM - edited ‎03-10-2019 07:18 PM

Hi Everyone,

This is my first post. And im not quite sure if this is the right place so here it is

I have several cisco devices and i want my colleauges to have a limited access to it wherein they're only allowed specific commands. So I put up an ACS 4.2 in place with user authenticated against active directory accounts.

Im done with the authentication part, and its perfectly working (i guess). I create three user group where i can attached a comman authorization sets

Shell command autorization sets

GROUP-80

Allow commands (the rest are deny)

show *

enable *

configure *

end *

exit *

GROUP-90

Deny commands

clear configuration *

username *

no username *

tacacs-server *

no tacacs-server *

aaa *

no aaa *

line *

no line *

GROUP-100

Allow all

IOS Configuration

aaa new-model

aaa authentication login default local

aaa authentication login THEN1 group tacacs+ local

aaa authorization exec THOR1 group tacacs+ local

aaa session-id common

aaa authentication login THEN1 group tacacs+ local

aaa authorization exec THOR1 group tacacs+ local

tacacs-server host 172.16.8.115 single-connection

tacacs-server host 172.16.8.112 single-connection

tacacs-server key 7 0300520C0F1B204F4F0A0A54

line vty 0 4

access-class 50 in

privilege level 15

authorization exec THOR1

login authentication THEN1

transport input ssh

Labels:
0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
Amjad Abdullah
Engager
Engager
In response to Jon Eyes

‎07-16-2012 06:01 AM

Use this command on your router/switch

aaa authorization config-commands

http://www.cisco.com/en/US/docs/ios/12_0/security/command/reference/srauth.html#wp1017530

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"

View solution in original post

0 Helpful
4 REPLIES 4

Go to solution
Amjad Abdullah
Engager
Engager

‎07-16-2012 04:24 AM

What is you question?

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"
0 Helpful

Go to solution
Jon Eyes
Beginner
Beginner
In response to Amjad Abdullah

‎07-16-2012 04:55 AM

ow im sorry.. i forgot

how would i accomplish these via acs?

three groups. group 100, 90 and 80

group 100 - allow all commands

group 90 - allow all except these below commands ( * - any arguments) including all group-80 commands

clear configuration *

username *

no username *

tacacs-server *

no tacacs-server *

aaa *

no aaa *

line *

no line *

group 80 - allow only below commands

show *

enable *

configure *

end

exit

In my initial post is the IOS configuration of my routers/switches. Attached the group-90 shell command authorization set from ACS

Eventhough the user is at group-90, all of the commands are still being accepted by the device

Here's the debug from the console while I successfully login using a group-90 user account and typed "no tacacs-server...". Im expecting my commands will not be permitted but i was still able to execute it

Jul 16 11:49:59.502: %SSH-5-SSH2_USERAUTH: User 'sdesk' authentication for SSH2 Session from 172.16.11.225 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-md5' Succeeded

Jul 16 11:49:59.510: TPLUS: Queuing AAA Authorization request 16475 for processing

Jul 16 11:49:59.510: TPLUS: processing authorization request id 16475

Jul 16 11:49:59.510: TPLUS: Protocol set to None .....Skipping

Jul 16 11:49:59.510: TPLUS: Sending AV service=shell

Jul 16 11:49:59.510: TPLUS: Sending AV cmd*

Jul 16 11:49:59.510: TPLUS: Authorization request created for 16475(sdesk)

Jul 16 11:49:59.510: TPLUS: using previously set server 172.16.8.115 from group tacacs+

Jul 16 11:49:59.510: TPLUS(0000405B)/0/IDLE/662A3E14: got immediate connect on new 0

Jul 16 11:49:59.510: TPLUS(0000405B)/0/WRITE/662A3E14: Started 5 sec timeout

Jul 16 11:49:59.514: TPLUS(0000405B)/0/WRITE: wrote entire 63 bytes request

Jul 16 11:49:59.994: TPLUS(0000405B)/0/READ: read entire 12 header bytes (expect 6 bytes)

Jul 16 11:49:59.994: TPLUS(0000405B)/0/READ: read entire 18 bytes response

Jul 16 11:49:59.994: TPLUS(0000405B)/0/662A3E14: Processing the reply packet

Jul 16 11:49:59.994: TPLUS: received authorization response for 16475: PASS

It'll be greatly appreciated if you could help me figure this out

Thanks in advance...

0 Helpful

Go to solution
Amjad Abdullah
Engager
Engager
In response to Jon Eyes

‎07-16-2012 06:01 AM

Use this command on your router/switch

aaa authorization config-commands

http://www.cisco.com/en/US/docs/ios/12_0/security/command/reference/srauth.html#wp1017530

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"
0 Helpful

Go to solution
Jon Eyes
Beginner
Beginner
In response to Amjad Abdullah

‎08-29-2012 09:17 PM

Thanks Abdullah for the link

But it took me quite a while before i could correctly figure the sets of commands

Really appreciate your help

And for those of you who have the same case, here's a quick template you that you can follow

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents