cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2388
Views
0
Helpful
2
Replies

ACS 4.2 Shell Command Authorization Set permissions

nathan demers
Level 1
Level 1

I know that 4.2 is pretty old but it could be relevant in future versions with 5.3 and ISE.  I dont know. 

Topic:  Implementing (permitting) subcommands under an Authorization Set.

This was somehwat difficult for me to get working for the final step that I wanted.  That was to Allow FastEthernet interfaces to be allowed by the help desk and deny GigabitEthernet.  Reasoning being is all Gigabit ports are reserved for trunking.

How I was able to solve this issue.

SWITCH

Previous AAA settings on 3750 switch

aaa new-model

aaa group server tacacs+ CSACS

aaa authentication login default group CSACS local

aaa authentication enable default group CSACS enable

aaa authorization exec default group CSACS local

aaa authorization commands 15 default group CSACS local

aaa accounting commands 15 default start-stop group CSACS

aaa session-id common

Added command on switch

aaa authorization config-commands

     This allows you to specify individual commands (to my understanding).

ACS

Shell Command Authorization Set

If you want to allow fastethernet and deny gigabitethernet then do the following

COMMAND

interface

ARGUMENT

permit FasEthernet  (case-sensitive!!!!!!)

To allow switchport commands: switchport mode access and switchport access vlan denying explicitly switchport mode trunk.

COMMAND

switchport

ARGUMENT

deny mode trunk

permit mode access

permit access  vlan

Items to consider:

1. User settings trump group settings so if you give someone priviledge level 15 in their user settings instead of following group settings then they have acess to everything.)

2. shell exec needs to be turned on for user and group

3. The five ITEMS in 4.2 that you need to look at.

User Setup

Advanced TACACS+ Settings

TACACS+ Enable Password

Shell (exec)  (RIGHT ABOVE ---->  Shell Command Authorization Set)

Shell Command Authorization Set

Good luck.



2 Replies 2

Jatin Katyal
Cisco Employee
Cisco Employee

Thanks for sharing your findings. It would be great if you can add a screen shot of the shared profile component > command authorization set. It would surely help community users to understand it better.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Thanks for the post.  I'm have a similar requirement using Secure ACS 5.4.  Configuration on the switch:

aaa group server tacacs+ CISCOACS

  server 1.2.3.4

  server 5.6.7.8

!

aaa authentication login default group CISCOACS local

aaa authentication enable default group CISCOACS none

aaa authorization config-commands

aaa authorization exec default group CISCOACS local

aaa authorization commands 15 default group CISCOACS local

aaa accounting exec default start-stop group CISCOACS

aaa accounting commands 15 default start-stop group CISCOACS

In ACS, I want to let a certain class of users change the vlan for Gigabit ports, but not 10GB.  I first create this command set:

Then I add a line to the Device Admin authorization policy: