02-09-2011 01:17 AM - edited 03-10-2019 05:48 PM
Hi
I am facing a problem related to command set authorization. We want to allow only “show running-config” for one group called netadmin; all other commands, including “show *”, should be denied.
I created one user (netadmin) locally and also created one identity group (netadmin) and joined the user to the netadmin identity group.
I configured shell privilege level 15, configured the command set authorization and applied it to the identity group.
The command set is as follows.
-----------------
Grant    Command   Argument
Permit   show      running-config
----------------------------
The problem is that the netadmin user is able to run all show commands; we want him to run only one command, “show running-config”.
He is not able to run “config t” and gets the message “authorization failed”.
Regards,
Vashdev
Solved!
02-09-2011 03:09 AM
Before you troubleshoot this issue, make sure that you have standard command authorization configured on the switch:
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
You are missing the commands listed below:
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
After that, try again and see what you see in the ACS Failed Attempts.
Rgds, Jatin
Do rate helpful posts~
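An added illustration of why the extra lines matter, written for this page and not code from the thread or from Cisco: IOS only sends a command-authorization request for a command whose privilege level has an "aaa authorization commands <level>" line, so with only level 15 configured, level-1 commands such as "show version" run without the TACACS+ server ever seeing them, whatever the command set says. The script parses the two AAA configurations (the original one from the thread and the one with the suggested lines added), models an ACS-style command set with a simplified matcher (first rule whose command keyword and argument regex match wins; unmatched commands are denied), and uses an assumed table of default privilege levels for a few commands. The config text, the command-set semantics and the privilege-level table are all constructed assumptions for this example.

```python
"""Model of IOS per-level command authorization plus a TACACS+ command set.

Constructed illustration, not Cisco or ACS code. Two decisions gate a command:
1. IOS sends an authorization request only when the command's privilege level
   has an 'aaa authorization commands <level>' line; otherwise it runs locally.
2. The server's command set permits or denies the request it does receive.
"""
import re
from dataclasses import dataclass

# Constructed sample: the AAA lines posted in the thread, before the fix.
ORIGINAL_AAA = """
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

# The same config with the lines suggested in the accepted answer added.
FIXED_AAA = ORIGINAL_AAA + """
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
"""


def authorized_levels(aaa_config):
    """Privilege levels for which IOS will ask the server before running a command."""
    return {int(m) for m in
            re.findall(r"^aaa authorization commands (\d+) ", aaa_config, re.M)}


@dataclass(frozen=True)
class Rule:
    grant: str       # "permit" or "deny"
    command: str     # first keyword of the command line, e.g. "show"
    arguments: str   # regex over the rest of the line (simplified ACS semantics)


@dataclass(frozen=True)
class CommandSet:
    rules: tuple
    permit_unmatched: bool = False   # models "permit any command not in the table"

    def evaluate(self, command_line):
        """First matching rule wins; nothing matched falls back to permit_unmatched."""
        command, _, args = command_line.partition(" ")
        for rule in self.rules:
            if rule.command == command and re.fullmatch(rule.arguments, args):
                return rule.grant == "permit"
        return self.permit_unmatched


# The netadmin command set from the question: permit only "show running-config".
NETADMIN = CommandSet(rules=(Rule("permit", "show", r"running-config"),))

# Assumed IOS default privilege levels for a few commands (constructed table).
DEFAULT_PRIV = {
    "show version": 1,
    "show ip interface brief": 1,
    "show running-config": 15,
    "configure terminal": 15,
}


def authorize(aaa_config, command_set, command_line, priv_levels=DEFAULT_PRIV):
    """Return (allowed, reason) for one command typed at a privilege-15 exec prompt."""
    level = priv_levels[command_line]
    if level not in authorized_levels(aaa_config):
        return True, (f"level {level} command: no 'aaa authorization commands "
                      f"{level}', never sent to TACACS+")
    if command_set.evaluate(command_line):
        return True, "permitted by command set"
    return False, "denied by command set (authorization failed)"


def audit(aaa_config, command_set, commands=tuple(DEFAULT_PRIV)):
    """Commands that run without the server ever being asked, sorted by name."""
    return sorted(c for c in commands
                  if "never sent" in authorize(aaa_config, command_set, c)[1])


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_AAA), ("fixed", FIXED_AAA)):
        print(f"--- {label}: levels authorized = {sorted(authorized_levels(cfg))} ---")
        for cmd in DEFAULT_PRIV:
            allowed, why = authorize(cfg, NETADMIN, cmd)
            print(f"{cmd:25} {'PERMIT' if allowed else 'DENY':6} {why}")
```

With the original config the audit lists the level-1 show commands as never reaching the server, which matches the symptom in the question (all show commands work, "config t" fails); with the added level 0 and 1 lines every command in the table is sent and only "show running-config" survives the command set.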
02-09-2011 01:50 AM
The command set is a bit incorrect. It should look like:
Grant Command Argument
Show permit running-config
You may look at the example listed below.
Rgds, Jatin
Do rate helpful posts~
02-09-2011 01:59 AM
I already tried the permit word inside the argument and followed the same document which you mentioned, but it is not working.
02-09-2011 02:40 AM
What do you see in the Failed Attempts?
Also, paste the output of the command show run | in aaa, and run the debugs on the device:
debug tacacs
debug aaa authen
debug aaa author
Rgds, Jatin
Do rate helpful posts~
02-09-2011 03:01 AM
Hi
Here is the AAA configuration of the switch. I don't have access to the switch right now to get the debugs; as soon as I get access I will collect the debugs and post them.
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec CONSOLE if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
02-09-2011 04:55 AM
Hi Jatin,
After applying the suggested AAA configuration on the switch, it is working fine.
Thanks for your support.
Regards,
Vashdev