ACS Read Only Device Access

dtom
Level 1

We are using ACS ver 4.2 and trying to set up users with limited access to our switches and routers.  Here is what we did:

1) Created a user in ACS

2) Created a Shell Command Authorization Set - ReadOnly

          Unmatched Commands - Deny

          Commands Added

               show

               exit

          * this should limit the user to the show and exit commands only (correct)?

3) Created a group - HelpDesk with the following TACACS+ Settings

          Shell (exec) is checked

          Privilege level is checked with 15 as the assigned level

          Assign a Shell Command Authorization Set for any network device - selected

          ReadOnly - shell command authorization set selected

When the user logs on to the router/switch it appears that he has full access.  He can enter the enable command, config terminal command, etc.  All we want him to be able to do is to issue the show command.

Any help would be appreciated.

13 Replies

aneelaka
Level 1

Can you refer to this doc

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

and compare the config. As far as you describe it, the ACS config sounds correct; on the switch/router you also need to have the following commands:

aaa authorization config-commands
aaa authorization commands 0 default  group tacacs+ local
aaa authorization commands 1 default  group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

Is there any way to give privilege level 15 and deny write access (write command)?

Yes.

You can try this: Privilege for read-only access

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#scenario2

Jatin Katyal


- Do rate helpful posts -

~Jatin

I tried that and could not get it to work.

I tried the following:

- 1 -

Shell Command Authorization Set

Deny

Unmatched Commands - show

Permit Unmatched Args - checked

Enable Options

Max Privilege for any AAA client - 1

Tacacs+

Shell Command - checked

Privilege level - 1

With the above, the user did not have the ability to do sh run.  The user could not turn on privilege commands (enable) - access denied

- 2 -

Shell Command Authorization Set

Deny

Unmatched Commands - show

Permit Unmatched Args - checked

Enable Options

Max Privilege for any AAA client - 15

Tacacs+

Shell Command - checked

Privilege level - 15

With the above, the user had full read/write rights

Any other thoughts?

Dtom,

You need to give privilege 15 to both types of users. Now, giving priv 15 does not mean that the read-only user will be able to get full access. Command authorization works above the privilege level.

Set enable and shell priv to 15

The rest of your settings are all ok.

Regards,

~JG

Do rate helpful posts

I don't know what I am missing here.  When I give privilege 15 the user had full access.  Here is what I did:

- 1 -

Create Shell Command Authorization Sets - Read_Access

  Deny - checked

  Unmatched Commands - show

  Permit Unmatched Args - checked

- 2 - Create Group - HelpDesk

  Enable Options - Max Privilege for any AAA Client 15

  Shell (exec) - checked

  Shell Command Authorization Set - Assign a Shell Command Set for any network device- Read_Access

- 3 -  User Settings

  Group to which user is assigned HelpDesk

  TACACS+ Enable Control - Use Group Level Settings

  Shell Command Authorization Set - As Group

Hi,

Are you sure you have this on the device (Switch/Router)?

aaa authorization config-commands
aaa authorization commands 0 default  group tacacs+ local
aaa authorization commands 1 default  group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

If possible attach a screenshot of the configuration on ACS.

Rate if it helps

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed

Here is my switch AAA config:

aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 defalt group tacacs+ local
aaa authorization commands 1 defalt group tacacs+ local
aaa authorization commands 15 defalt group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+

Here are screen shots for a user - robin.hood

Hi,

As per your configuration:

aaa authorization commands 0 defalt group tacacs+ local
aaa authorization commands 1 defalt group tacacs+ local
aaa authorization commands 15 defalt group tacacs+ local

All three lines have:

"defalt instead of default"

I am not sure if you just typed it wrong over here, but if this is what you really have, then IOS will treat it as a named method list and will expect you to apply it on the vty or console lines (which is not mandatory, but it will not work until you apply it).

You have to use default, if you don't want method lists.

Rate if useful

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed

What a dummy I am...typo.  I changed the commands and I was able to login and run the show run command.  However, I was not able to run exit and dir.  What am I missing here?  Here is a screen shot:

you also need to add permit for exit and dir on the permit unmatched Args.

OR

You may check the permit unmatched Args option for exit and dir

Jatin Katyal


- Do rate helpful posts -

~Jatin
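Two points made in this thread (JG's note that giving privilege 15 does not defeat command authorization, and Jatin's fix of listing exit and dir with Permit Unmatched Args checked) are easier to see in a small model of how an ACS 4.x shell command authorization set decides a TACACS+ command-authorization request. This is an added example, not ACS code or anything posted in the thread. The evaluation order it assumes (set-level Unmatched Commands first, then the per-command argument lines matched as regular expressions in order, then the per-command Permit Unmatched Args checkbox) is a simplification adopted for illustration, the input is the expanded command as IOS sends it (for example "show running-config" rather than "sh run"), and every set and command below is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CommandRule:
    """One command entry in a shell command authorization set.
    args: ordered (action, pattern) lines such as ("permit", "running-config");
    permit_unmatched_args: the command's 'Permit Unmatched Args' checkbox."""
    args: List[Tuple[str, str]] = field(default_factory=list)
    permit_unmatched_args: bool = False


@dataclass
class ShellCommandSet:
    """unmatched_commands is the set-level 'Unmatched Commands' choice: permit or deny."""
    unmatched_commands: str
    commands: Dict[str, CommandRule] = field(default_factory=dict)


def authorize(cmdset: ShellCommandSet, command_line: str) -> bool:
    """Decide one command-authorization request (simplified model, see lead-in).
    Privilege level is deliberately not an input: once the device has
    'aaa authorization commands <level> ...' for every level, the set is
    consulted for every command at every level, which is why priv 15 alone
    does not hand a read-only user write access."""
    tokens = command_line.split()
    if not tokens:
        return False
    cmd, argv = tokens[0], tokens[1:]
    rule = cmdset.commands.get(cmd)
    if rule is None:                               # command not listed at all
        return cmdset.unmatched_commands == "permit"
    arg_str = " ".join(argv)
    for action, pattern in rule.args:              # first matching arg line wins
        if re.search(pattern, arg_str):
            return action == "permit"
    return rule.permit_unmatched_args              # nothing matched: the checkbox decides


def read_only_set(with_exit_and_dir: bool) -> ShellCommandSet:
    """The thread's Read_Access set: deny unmatched commands, permit 'show' with
    any arguments; optionally also 'exit' and 'dir' as Jatin suggested."""
    cmds = {"show": CommandRule(permit_unmatched_args=True)}
    if with_exit_and_dir:
        cmds["exit"] = CommandRule(permit_unmatched_args=True)
        cmds["dir"] = CommandRule(permit_unmatched_args=True)
    return ShellCommandSet("deny", cmds)


def decisions(cmdset: ShellCommandSet, command_lines: List[str]) -> Dict[str, bool]:
    """Evaluate a list of expanded commands against one set."""
    return {c: authorize(cmdset, c) for c in command_lines}


# Constructed session: what a help-desk user at privilege 15 might type.
SESSION = [
    "show running-config",
    "show interfaces status",
    "configure terminal",
    "write memory",
    "dir flash:",
    "exit",
]

if __name__ == "__main__":
    for label, cmdset in (("show only", read_only_set(False)),
                          ("show, exit, dir", read_only_set(True))):
        print(f"--- set: {label} ---")
        for cmd, ok in decisions(cmdset, SESSION).items():
            print(f"{'permit' if ok else 'deny  '}  {cmd}")
```

With only show listed, "show running-config" passes but "exit" and "dir flash:" are denied by the set-level Unmatched Commands rule, which is exactly the symptom the poster saw after fixing the "defalt" typo; adding exit and dir with Permit Unmatched Args checked clears them while "configure terminal" and "write memory" stay denied. Leaving Permit Unmatched Args unchecked on show and adding explicit argument lines narrows it further, for example permitting only "show version" while denying "show running-config".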

That was it.  Thanks.

So, what is the easiest way to restrict a user to access only a certain device or certain subnet only?