ACS - Shell Command Authorization Set

eng.malak
Level 1

Hi

I am trying to set specific SHOW arguments for a user, but the user always gains access to all show arguments. Please find the config below:

privilege exec level 5 show ip route

aaa authorization commands 5 TELNET group tacacs+

aaa authorization exec TELNET group tacacs+

aaa authentication login TAC group tacacs+

tacacs-server host 10.0.0.100 key ccie-acs
radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key CISCO

line vty 0 4
  password cisco
  authorization commands 5 TELNET
  authorization exec TELNET
  login authentication TAC

Accepted Solution

Jatin Katyal
Cisco Employee

You should use the standard command authorization config on the device. The command level of show ip route that you modified is actually local to the device. In your case we are testing it with tacacs.

aaa new-model
aaa authorization config-commands
aaa authorization commands 0 TELNET group tacacs+ local
aaa authorization commands 1 TELNET group tacacs+ local
aaa authorization commands 15 TELNET group tacacs+ local

Try with this and see how it goes.

Regards,

Jatin

~Jatin


3 Replies


Thanks Jatin, it worked as you advised, but when I really need to define an extra level, what tweaks or advanced scenario may that require?

By default, there are three command levels on the router:

    privilege level 0 — Includes the disable, enable, exit, help, and logout commands.

    privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.

    privilege level 15 — Includes all enable-level commands at the router# prompt.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml

For example show run: this command is a privilege 15 command. Previously, the authorization command for level 15 was not configured on the IOS, so your command set was not matching and the user was able to run all the commands. Since we have now configured 0, 1 and 15, this should cover most of the commands.

Hope this helps.

Regards,

Jatin

Do rate helpful posts-

~Jatin
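As an added illustration (not code from Cisco or from either poster), this Python model of the gap Jatin describes takes an IOS config and lists the commands a privilege-15 user could run without TACACS+ ever being consulted, i.e. the commands whose privilege level has no applied `aaa authorization commands` list. It assumes a constructed four-entry default-level table, and that a named method list such as TELNET must also be applied on the vty line, so the fixed config applies the answer's level 0, 1 and 15 lists there.

```python
import re
# Constructed default privilege levels for a few IOS exec commands (an
# assumption for this example; the real table is large and version-specific).
DEFAULT_LEVELS = {
    "show ip route": 1,
    "show version": 1,
    "show running-config": 15,
    "configure terminal": 15,
}
# Constructed config mirroring the original poster's relevant lines.
ORIGINAL_CFG = """\
privilege exec level 5 show ip route
aaa authorization commands 5 TELNET group tacacs+
line vty 0 4
 authorization commands 5 TELNET
"""
# Constructed config applying the accepted answer's lists on the vty line
# (assumption: a named method list must be applied to the line to take effect).
FIXED_CFG = """\
aaa authorization commands 0 TELNET group tacacs+ local
aaa authorization commands 1 TELNET group tacacs+ local
aaa authorization commands 15 TELNET group tacacs+ local
line vty 0 4
 authorization commands 0 TELNET
 authorization commands 1 TELNET
 authorization commands 15 TELNET
"""

def command_levels(cfg):
    """Default levels, overridden by any 'privilege exec level N <command>' lines."""
    levels = dict(DEFAULT_LEVELS)
    for m in re.finditer(r"^privilege exec level (\d+) (.+)$", cfg, re.M):
        levels[m.group(2).strip()] = int(m.group(1))
    return levels

def authorized_levels(cfg):
    """Levels whose commands reach the AAA server from the vty lines: a global
    'aaa authorization commands <lvl> <list>' whose list is 'default' or applied on the line."""
    global_lists, applied = {}, set()
    for m in re.finditer(r"^aaa authorization commands (\d+) (\S+)", cfg, re.M):
        global_lists.setdefault(int(m.group(1)), set()).add(m.group(2))
    for m in re.finditer(r"^ +authorization commands (\d+) (\S+)", cfg, re.M):
        applied.add((int(m.group(1)), m.group(2)))
    return {lvl for lvl, lists in global_lists.items()
            if "default" in lists or any((lvl, name) in applied for name in lists)}

def unchecked_commands(cfg):
    """Commands a privilege-15 user could run without TACACS+ ever being consulted."""
    covered = authorized_levels(cfg)
    return sorted(cmd for cmd, lvl in command_levels(cfg).items() if lvl not in covered)
```

With the original config only level 5 is authorized, so show running-config and configure terminal bypass ACS entirely; with levels 0, 1 and 15 covered the unchecked list is empty.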