05-10-2011 01:58 PM - edited 03-10-2019 06:04 PM
Greetings!
Have a conceptual question about CLI command authorization. We have ACS 5.2 up and running, providing AAA services for network devices. Now I need to make profiles for users in a certain group to restrict their CLI "rights" to the show, clear counters and show running-config commands. Could you please provide me a link to some workflow I need to accomplish this task. For example:
I should create a separate privilege level profile (let it be 2), specify commands at this level, assign this Authorization Profile to the Group and make some additional changes on my devices (I mean the "aaa authorization...." commands). Appreciate any link to documentation or live examples. Give Thanks!
Jah Rastafari bless & protect you I
05-16-2011 06:05 AM
then show run is not available at privilege level 2 ?
This goes too detailed on the switch for me to give assured advice. But if the request is not coming to ACS, don't bother wondering about your command set; check the switch itself.
05-16-2011 06:10 AM
Alright, so could you please tell me what minimal privilege level allows show running-config?
05-16-2011 06:15 AM
My sentence "This goes too detailed on the switch for me to give assured advice" was a kind way of saying "I don't know, don't ask me".
05-16-2011 07:40 PM
Sorry everyone for interrupting this thread in this way.
I created the thread "Cisco ACS 5.2 and Role-based CLI views", but no one has replied in regards to the problem that I am having.
As the topic of this thread seems similar to the topic of my thread, I believe that someone may have the knowledge to give me some directions.
Thanks in advance, and I apologize again for this interruption.
Alejandro.
05-16-2011 10:43 PM
Alejandro, I don't think there is any role or privilege or command authorization for ACS cli user.
05-16-2011 11:38 PM
Thanks Nicholas for your reply.
But I am sure there is; you could definitely do this with ACS 4.2, associating the user with the cli-view-name attribute, which I have done on ACS 5.2 but it does not seem to work.
Thanks again.
05-16-2011 11:48 PM
In fact, if you see my debug tacacs authorization output, it seems that it is sending the right information:
May 17 06:46:51.869: TPLUS: Queuing AAA Authorization request 126 for processing
May 17 06:46:51.869: TPLUS: processing authorization request id 126
May 17 06:46:51.869: TPLUS: Protocol set to None .....Skipping
May 17 06:46:51.869: TPLUS: Sending AV service=shell
May 17 06:46:51.869: TPLUS: Sending AV cmd*
May 17 06:46:51.869: TPLUS: Authorization request created for 126(cenetad)
May 17 06:46:51.869: TPLUS: using previously set server 10.3.3.4 from group tacacs+
May 17 06:46:51.869: TPLUS(0000007E)/0/NB_WAIT/3640044: Started 5 sec timeout
May 17 06:46:51.877: TPLUS(0000007E)/0/NB_WAIT: socket event 2
May 17 06:46:51.877: TPLUS(0000007E)/0/NB_WAIT: wrote entire 59 bytes request
May 17 06:46:51.877: TPLUS(0000007E)/0/READ: socket event 1
May 17 06:46:51.877: TPLUS(0000007E)/0/READ: Would block while reading
May 17 06:46:51.886: TPLUS(0000007E)/0/READ: socket event 1
May 17 06:46:51.886: TPLUS(0000007E)/0/READ: read entire 12 header bytes (expect 60 bytes data)
May 17 06:46:51.886: TPLUS(0000007E)/0/READ: socket event 1
May 17 06:46:51.886: TPLUS(0000007E)/0/READ: read entire 72 bytes response
May 17 06:46:51.886: TPLUS(0000007E)/0/3640044: Processing the reply packet
May 17 06:46:51.886: TPLUS: Processed AV cli-view-name=admin
May 17 06:46:51.886: TPLUS: Processed AV priv-lvl=15
May 17 06:46:51.886: TPLUS: received authorization response for 126: PASS
However, what I am not seeing in this output is something like this:
AAA/AUTHOR/EXEC(00000075): AV cli-view-name=admin
CET: AAA/AUTHOR/EXEC(00000075): processing AV priv-lvl=15
CET: AAA/AUTHOR/EXEC(00000075): Authorization successful
To go even further and be totally honest, I made it work once; I just did not know how, and I deleted some stuff from my config (not knowing what or in which order, because I did not document it). Since that moment I have not been able to make it work again.
Thanks for any ideas that you can provide.
Alejandro
05-17-2011 12:19 AM
That's interesting. I was not aware of that !
I'll give it a shot if I have 10 minutes in the lab.
05-17-2011 06:35 AM
How do you authorize the ACS CLI users? Where did you get this tacacs debug output???
05-17-2011 06:37 AM
My bad. I totally missed your original question. I thought you wanted to give views to ACS CLI users.
The confusion came from the fact that you didn't mention what the AAA client was...
Apologies for what I said so far then, I was understanding something else.
05-17-2011 05:44 PM
Hi Nicholas,
Sorry if I was not clear the first time.
What I want is to associate a role-based CLI view created on my AAA client with a user created on the ACS server. In that way, when a user logs in to the AAA client, he/she authenticates with the ACS server and is then put into the right view and can only run the commands specified for that view.
The debug AAA output is from my AAA client.
This is totally driving me crazy, thanks for any help.
Thanks,
Alejandro
05-17-2011 07:14 AM
Hi Dmitry,
"show run" is available at privilege level 15 by default. By default, only a small number of commands are available at privilege levels 0 and 1. Also by default, privilege levels 2-14 have the same available commands as level 1. If you work on privilege level 2, you need to assign commands to that privilege level first by using the "privilege exec level 2 show run" command. If the command is not available at the user's privilege level, the switch won't ask ACS for command authorization at all.
This link helps understand privilege levels better:
http://www.techrepublic.com/article/understand-the-levels-of-privilege-in-the-cisco-ios/5659259
Zhenning
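An added example of the AAA-client (IOS) side, not posted by anyone in this thread, covering both cases discussed above: the privilege level 2 restriction Dmitry asked about and the role-based view Alejandro describes. The TACACS+ server address, key and secrets are placeholders, and the ACS shell profile (default privilege 2, or a custom cli-view-name=admin attribute) is assumed to be configured separately on the ACS side.

```cisco-ios
! Added example (not from the thread). Addresses, keys and secrets are placeholders.
aaa new-model
enable secret PLACEHOLDER_ENABLE_SECRET
tacacs-server host 192.0.2.10 key PLACEHOLDER_TACACS_KEY
!
aaa authentication login default group tacacs+ local
! EXEC authorization is what applies the priv-lvl / cli-view-name attributes
! ACS returns at login (the "Processed AV" lines seen in the debug above).
aaa authorization exec default group tacacs+ local
! Command authorization is only consulted for commands that exist at the
! user's level, so it is enabled for the levels users can actually reach.
aaa authorization commands 2 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 2 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! --- Option A: privilege level 2 (Dmitry's case) ---
! Levels 2-14 inherit level 1 by default, so move the wanted commands down.
! Most "show" commands already sit at level 1; "clear counters" and
! "show running-config" do not.
privilege exec level 2 show running-config
privilege exec level 2 clear counters
!
! --- Option B: role-based CLI view (Alejandro's case) ---
! The view named in cli-view-name must exist on the device, and the root view
! must have been entered once ("enable view" at level 15) before parser views
! can be created.
parser view admin
 secret PLACEHOLDER_VIEW_SECRET
 commands exec include all show
 commands exec include clear counters
```

Verify with "show privilege" (Option A) or "show parser view" (Option B) after logging in over TACACS+; if the user lands at level 1 or in no view, the attribute is not reaching the EXEC authorization step, which is what the missing AAA/AUTHOR/EXEC lines in the debug above would indicate.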