cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
9243
Views
0
Helpful
26
Replies

ACS 5.2 commands Authorization

Dmitry Samko
Level 1
Level 1

Greetings!

Have a conceptual question bout CLI command authorization. We have ASC 5.2 up and running, providing AAA services for network devices. Now I need to make  profiles for users in certain group to restrict dem CLI "rights" to show, clear counters and show running-config commands. Could you please provide me link to some workflow I need to accomplish dis task. For example:

I should clrete separate privillege levele profile (let it be 2), specify commands at this level, assign Group this Authorization Prifile and make some additional changes in my devices (I meen "aaa authorization...." commands). Appreciate any link to documentation or live examples. Give Thanks!

Jah Rastafari bless & protect you I

26 Replies 26

then show run is not available at privilege level 2 ?

This goes too detailed on the switch for me to give assured advices. But if the request is not coming to ACS, don't bother wondering about yoru command set, check the switch itself

Allright, so could you please tell me what minimal Priv Level allow show running-config?

My sentence "This goes too detailed on the switch for me to give assured advices" was a kind way of saying "I don't know, don't ask me"

Sorry everyone for interrupting this thread in this way.

I created the thread "Cisco ACS 5.2 and Role-base CLI views", but no one has replied in regards to the problem that am having.

As the thread on this topic seems similar to the topic on my thread,I believe that someone may have the knowledge to give me some directions.

Thanks in advance, and I apologize again for this interruption.

Alejandro.

Alejandro, I don't think there is any role or privilege or command authorization for ACS cli user.

Thanks Nicholas for your reply.

But I am sure there is, you could definitively do this with ACS 4.2, associating the user with the cli-view-name attribute, which I have done on ACS 5.2 but it does not seem to work.

Thanks again.

In fact if you see my debug tacacs authorization ouput, it seems that it is sending the right information:

May 17 06:46:51.869: TPLUS: Queuing AAA Authorization request 126 for processing
May 17 06:46:51.869: TPLUS: processing authorization request id 126
May 17 06:46:51.869: TPLUS: Protocol set to None .....Skipping
May 17 06:46:51.869: TPLUS: Sending AV service=shell
May 17 06:46:51.869: TPLUS: Sending AV cmd*
May 17 06:46:51.869: TPLUS: Authorization request created for 126(cenetad)
May 17 06:46:51.869: TPLUS: using previously set server 10.3.3.4 from group tacacs+
May 17 06:46:51.869: TPLUS(0000007E)/0/NB_WAIT/3640044: Started 5 sec timeout
May 17 06:46:51.877: TPLUS(0000007E)/0/NB_WAIT: socket event 2
May 17 06:46:51.877: TPLUS(0000007E)/0/NB_WAIT: wrote entire 59 bytes request
May 17 06:46:51.877: TPLUS(0000007E)/0/READ: socket event 1
May 17 06:46:51.877: TPLUS(0000007E)/0/READ: Would block while reading
May 17 06:46:51.886: TPLUS(0000007E)/0/READ: socket event 1
May 17 06:46:51.886: TPLUS(0000007E)/0/READ: read entire 12 header bytes (expect 60 bytes data)
May 17 06:46:51.886: TPLUS(0000007E)/0/READ: socket event 1
May 17 06:46:51.886: TPLUS(0000007E)/0/READ: read entire 72 bytes response
May 17 06:46:51.886: TPLUS(0000007E)/0/3640044: Processing the reply packet
May 17 06:46:51.886: TPLUS: Processed AV cli-view-name=admin                     
May 17 06:46:51.886: TPLUS: Processed AV priv-lvl=15
May 17 06:46:51.886: TPLUS: received authorization response for 126: PASS

However, what I am not seeing in this output is something like this:

AAA/AUTHOR/EXEC(00000075): AV cli-view-name=admin

CET: AAA/AUTHOR/EXEC(00000075): processing AV priv-lvl=15

CET: AAA/AUTHOR/EXEC(00000075): Authorization successful

To go even further and being totally honest I made it work once, I just did not know how, and I deleted some stuff on my config (not knowing what or the order, because I did not document it ) since that moment I have not been able to make it work again.

Thanks for any ideas that you can provide.

Alejandro

That's interesting. I was not aware of that !

I'll give it a shot if I have 10 minutes in the lab.

How do you authorize the ACS CLI users ? Where did you get this tacacs debug output ???

My bad. I totally missed your original question. I thought you wanted to give views to ACS CLI users.

The confusion came from the fact that you didn't mention what was the aaa client ...

Apologies for what I said so far then, I was understanding sth else

Hi Nicholas,

Sorry if I was not clear the first time.

What I want is to associate a role-base CLI view created in my AAA client to a user created in the ACS server. In that way when a user logs in into the AAA client, authenticates with the ACS server and then he/she is put into the right view and can only run the commands specified for that view.

The debug AAA output is from my AAA client.

This is totally driving me crazy, thanks for any help.

Thanks,

Alejandro

Hi Dmitry,

"show run" is available to privilege level 15 by default. By default, only a small number of commands are available to privilege 0 and 1. Also by default privilege levels 2-14 have the same available commands as level 1. If you work on privilege level 2, you need assign commands to the privilege level first by using "privilege exec level 2 show run" command. If the command is not available in the user's privilege level, the switch won't ask ACS for command authorization.

This link helps understand privilege levels better:

http://www.techrepublic.com/article/understand-the-levels-of-privilege-in-the-cisco-ios/5659259

Zhenning