10-07-2013 01:00 PM - edited 03-10-2019 08:58 PM
I know that 4.2 is pretty old, but it could be relevant in future versions with 5.3 and ISE. I don't know.
Topic: Implementing (permitting) subcommands under an Authorization Set.
This was somewhat difficult for me to get working for the final step that I wanted. That was to allow FastEthernet interfaces for the help desk and deny GigabitEthernet. The reasoning is that all Gigabit ports are reserved for trunking.
How I was able to solve this issue.
SWITCH
Previous AAA settings on 3750 switch
aaa new-model
aaa group server tacacs+ CSACS
aaa authentication login default group CSACS local
aaa authentication enable default group CSACS enable
aaa authorization exec default group CSACS local
aaa authorization commands 15 default group CSACS local
aaa accounting commands 15 default start-stop group CSACS
aaa session-id common
Added command on switch
aaa authorization config-commands
This allows you to specify individual commands (to my understanding).
ACS
Shell Command Authorization Set
If you want to allow fastethernet and deny gigabitethernet then do the following
COMMAND
interface
ARGUMENT
permit FastEthernet (case-sensitive!!!!!!)
To allow the switchport commands switchport mode access and switchport access vlan while explicitly denying switchport mode trunk:
COMMAND
switchport
ARGUMENT
deny mode trunk
permit mode access
permit access vlan
Items to consider:
1. User settings trump group settings, so if you give someone privilege level 15 in their user settings instead of following group settings, then they have access to everything.
2. shell exec needs to be turned on for user and group
3. The five ITEMS in 4.2 that you need to look at.
User Setup
Advanced TACACS+ Settings
TACACS+ Enable Password
Shell (exec) (RIGHT ABOVE ----> Shell Command Authorization Set)
Shell Command Authorization Set
Good luck.
10-08-2013 01:12 AM
Thanks for sharing your findings. It would be great if you can add a screen shot of the shared profile component > command authorization set. It would surely help community users to understand it better.
~BR
Jatin Katyal
**Do rate helpful posts**
11-08-2013 11:52 AM
Thanks for the post. I have a similar requirement using Secure ACS 5.4. Configuration on the switch:
aaa group server tacacs+ CISCOACS
server 1.2.3.4
server 5.6.7.8
!
aaa authentication login default group CISCOACS local
aaa authentication enable default group CISCOACS none
aaa authorization config-commands
aaa authorization exec default group CISCOACS local
aaa authorization commands 15 default group CISCOACS local
aaa accounting exec default start-stop group CISCOACS
aaa accounting commands 15 default start-stop group CISCOACS
In ACS, I want to let a certain class of users change the vlan for Gigabit ports, but not 10GB. I first create this command set:
Then I add a line to the Device Admin authorization policy:
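Both posts above describe the same mechanism: the switch sends each typed command to ACS, and a shell command authorization set answers permit or deny by matching the command and then its arguments. The following Python script is an added example, not part of this thread and not ACS code; it models that evaluation so the two sets can be tried offline. The matching semantics it assumes (first word is the command, the rest is the argument string, argument rules are tried in order, the first case-sensitive regex search that hits decides, and unmatched commands or arguments fall back to a default deny) are assumptions to verify against your own ACS version, not documented ACS behaviour. It covers the FastEthernet/GigabitEthernet and switchport set from the first post, including the case-sensitivity point, and the "Gigabit but not 10GB" requirement from the last post, where a plain pattern of GigabitEthernet is also found inside TenGigabitEthernet unless the pattern is anchored or an explicit deny is listed first.

```python
import re

PERMIT = "permit"
DENY = "deny"


class CommandSet:
    """Toy model of a TACACS+ shell command authorization set.

    Assumptions made for this example (check them against your ACS
    version before relying on them): the first word of the line typed
    on the switch is the command and everything after it is the
    argument string; argument rules are tried in the order they were
    added and the first pattern found in the argument string
    (case-sensitive regex search) decides; a command with no rules at
    all, or arguments that match no rule, get the two 'unmatched'
    defaults, which are deny here.
    """

    def __init__(self, unmatched_commands=DENY, unmatched_args=DENY):
        self.rules = {}  # command -> list of (action, regex pattern)
        self.unmatched_commands = unmatched_commands
        self.unmatched_args = unmatched_args

    def add(self, command, action, pattern):
        self.rules.setdefault(command, []).append((action, pattern))
        return self

    def authorize(self, line):
        cmd, _, args = line.strip().partition(" ")
        rules = self.rules.get(cmd)
        if rules is None:
            return self.unmatched_commands
        for action, pattern in rules:
            if re.search(pattern, args):
                return action
        return self.unmatched_args


def helpdesk_set():
    """The set from the first post: FastEthernet yes, GigabitEthernet no,
    access-port switchport commands yes, trunking no."""
    return (CommandSet()
            .add("interface", PERMIT, "FastEthernet")
            .add("switchport", DENY, "mode trunk")
            .add("switchport", PERMIT, "mode access")
            .add("switchport", PERMIT, "access vlan"))


def vlan_set_naive():
    """'Gigabit but not 10GB' written the obvious way: one permit rule."""
    return CommandSet().add("interface", PERMIT, "GigabitEthernet")


def vlan_set_fixed():
    """Same intent with the substring trap closed: an explicit deny for
    TenGigabitEthernet evaluated first, plus a permit anchored to the
    start of the argument string."""
    return (CommandSet()
            .add("interface", DENY, r"^TenGigabitEthernet")
            .add("interface", PERMIT, r"^GigabitEthernet"))


def evaluate(command_set, lines):
    """Return {typed line: verdict} for a list of command lines."""
    return {line: command_set.authorize(line) for line in lines}


if __name__ == "__main__":
    # Constructed sample input: lines a help-desk user might type.
    typed = [
        "interface FastEthernet1/0/1",
        "interface GigabitEthernet1/0/1",
        "interface fastethernet1/0/1",       # wrong case, no match
        "switchport mode access",
        "switchport access vlan 10",
        "switchport mode trunk",
        "switchport trunk allowed vlan 10",  # no rule, unmatched args
        "shutdown",                          # no rule for the command
    ]
    for line, verdict in evaluate(helpdesk_set(), typed).items():
        print(f"{verdict:6}  {line}")
    print()
    tengig = "interface TenGigabitEthernet1/0/1"
    print("naive :", vlan_set_naive().authorize(tengig))
    print("fixed :", vlan_set_fixed().authorize(tengig))
```

Run it as a script to see the verdict for each constructed line. The point of the second pair of sets is the check a practitioner should do before trusting a permit pattern: type an interface name that contains the permitted one as a substring and confirm it is actually denied.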