Hi Everyone,
This is my first post, and I'm not quite sure if this is the right place, so here it is.
I have several Cisco devices and I want my colleagues to have limited access to them, where they're only allowed specific commands. So I put an ACS 4.2 in place, with users authenticated against Active Directory accounts.
I'm done with the authentication part, and it's working perfectly (I guess). I created three user groups to which I can attach command authorization sets:
Shell command authorization sets
GROUP-80
Allowed commands (the rest are denied)
show *
enable *
configure *
end *
exit *
GROUP-90
Denied commands
clear configuration *
username *
no username *
tacacs-server *
no tacacs-server *
aaa *
no aaa *
line *
no line *
GROUP-100
Allow all
IOS Configuration
aaa new-model
aaa authentication login default local
aaa authentication login THEN1 group tacacs+ local
aaa authorization exec THOR1 group tacacs+ local
aaa session-id common
tacacs-server host 172.16.8.115 single-connection
tacacs-server host 172.16.8.112 single-connection
tacacs-server key 7 0300520C0F1B204F4F0A0A54
line vty 0 4
access-class 50 in
privilege level 15
authorization exec THOR1
login authentication THEN1
transport input ssh
What is your question?
Sent from Cisco Technical Support iPad App
Oh, I'm sorry, I forgot.
How would I accomplish these via ACS?
Three groups: group 100, 90 and 80.
group 100 - allow all commands
group 90 - allow all commands except the ones below (* = any arguments), including all group-80 commands
clear configuration *
username *
no username *
tacacs-server *
no tacacs-server *
aaa *
no aaa *
line *
no line *
group 80 - allow only the commands below
show *
enable *
configure *
end
exit
My initial post has the IOS configuration of my routers/switches. Attached is the group-90 shell command authorization set from ACS.
Even though the user is in group-90, all of the commands are still being accepted by the device.
Here's the debug from the console while I successfully logged in using a group-90 user account and typed "no tacacs-server...". I was expecting my command would not be permitted, but I was still able to execute it.
Jul 16 11:49:59.502: %SSH-5-SSH2_USERAUTH: User 'sdesk' authentication for SSH2 Session from 172.16.11.225 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-md5' Succeeded
Jul 16 11:49:59.510: TPLUS: Queuing AAA Authorization request 16475 for processing
Jul 16 11:49:59.510: TPLUS: processing authorization request id 16475
Jul 16 11:49:59.510: TPLUS: Protocol set to None .....Skipping
Jul 16 11:49:59.510: TPLUS: Sending AV service=shell
Jul 16 11:49:59.510: TPLUS: Sending AV cmd*
Jul 16 11:49:59.510: TPLUS: Authorization request created for 16475(sdesk)
Jul 16 11:49:59.510: TPLUS: using previously set server 172.16.8.115 from group tacacs+
Jul 16 11:49:59.510: TPLUS(0000405B)/0/IDLE/662A3E14: got immediate connect on new 0
Jul 16 11:49:59.510: TPLUS(0000405B)/0/WRITE/662A3E14: Started 5 sec timeout
Jul 16 11:49:59.514: TPLUS(0000405B)/0/WRITE: wrote entire 63 bytes request
Jul 16 11:49:59.994: TPLUS(0000405B)/0/READ: read entire 12 header bytes (expect 6 bytes)
Jul 16 11:49:59.994: TPLUS(0000405B)/0/READ: read entire 18 bytes response
Jul 16 11:49:59.994: TPLUS(0000405B)/0/662A3E14: Processing the reply packet
Jul 16 11:49:59.994: TPLUS: received authorization response for 16475: PASS
It'll be greatly appreciated if you could help me figure this out
Thanks in advance...
Use this command on your router/switch
aaa authorization config-commands
http://www.cisco.com/en/US/docs/ios/12_0/security/command/reference/srauth.html#wp1017530
Sent from Cisco Technical Support iPad App
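Added example (not part of the original thread or of Abdullah's reply): the full IOS wiring for per-command authorization that the posted configuration is missing. The debug above shows a single request with service=shell and cmd* (exec authorization) and then nothing else: with only "aaa authorization exec" configured, IOS never asks the TACACS+ server about individual commands, so every command is accepted no matter what the ACS group's command set says. The method-list names THEN1 and THOR1 and the two tacacs-server hosts are taken from the original post; the list name CMD1 is my own choice.

```cisco
! Added example: per-command authorization for the setup in this thread.
! Assumes the existing THEN1 / THOR1 lists and tacacs-server entries; CMD1 is a made-up list name.
aaa new-model
aaa authentication login THEN1 group tacacs+ local
!
! Exec authorization (already in the post) only decides whether the user gets
! a shell; it does not check the commands typed afterwards.
aaa authorization exec THOR1 group tacacs+ local
!
! Per-command authorization. Without these lists IOS sends no per-command
! request to ACS, which is what the posted debug shows. Level 1 and level 15
! are both listed because a user can run commands at either privilege level.
aaa authorization commands 1 CMD1 group tacacs+ local
aaa authorization commands 15 CMD1 group tacacs+ local
!
! Authorize commands typed inside configuration mode ("configure terminal").
! This is the default once command authorization is on; set it explicitly so a
! stray "no aaa authorization config-commands" cannot silently exempt config mode.
aaa authorization config-commands
!
line vty 0 4
 access-class 50 in
 login authentication THEN1
 authorization exec THOR1
 ! The command lists must also be applied to the line, or they are not used.
 authorization commands 1 CMD1
 authorization commands 15 CMD1
 transport input ssh
```

Two checks worth doing once this is in place. First, with "debug tacacs" running, each command a group-90 user types should now produce its own authorization request carrying cmd=<command> and one cmd-arg=... per argument, rather than the single cmd* request seen above, and "no tacacs-server" should come back FAIL. Second, on the ACS 4.2 side, make sure the shell command authorization set is actually assigned under the group's TACACS+ settings and that "Unmatched Commands" for the group-80 set is Deny, since a set with Permit for unmatched commands allows everything that is not explicitly listed. The "local" fallback at the end of the command lists is what decides what is allowed when both TACACS+ servers are unreachable, so treat that choice as part of the policy rather than a default.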
Thanks Abdullah for the link
But it took me quite a while before I could correctly figure out the set of commands.
Really appreciate your help.
And for those of you who have the same case, here's a quick template that you can follow.