Cisco ACS 5.2 and Role-base CLI views

Alejandro Ruiz
Level 1

Is there any way to link the Role-based CLI views created in the AAA client to the user created in the ACS 5.2 server? I know that you could do that in ACS 4.2 by using the "cli-view-name" attribute.

What I have in mind is to login with some user and that the ACS 5.2 server links this user with a view previously created in the AAA client:

This is what I would like to achieve:

view configured in the AAA client:

parser view DiData
  secret 5 $1$jPNA$gr9o8gGNmWh9sk8Axbfx91
  commands exec include copy running-config ftp
  commands exec include copy running-config
  commands exec include copy startup-config ftp
  commands exec include copy startup-config
  commands exec include copy
  commands exec include all show

Login to the device using a user created on ACS 5.2 and linked to the above DiData view:

telnet xx.xx.xx.xx

username: cenetacs
password:

Router#?
Exec commands:
  <1-99>  Session number to resume
  copy    Copy from one file to another
  enable  Turn on privileged commands
  exit    Exit from the EXEC
  show    Show running system information

Router#

Does anyone know how to achieve this?

Typing the command "enable view something" is not an option for us.

Thanks,

aleruri

1 Reply

Alejandro Ruiz
Level 1

To those that saw my previous post, I have deleted it as it was not actually working as I expected.

The problem is that I can't make the CLI role-based configuration work when I log in to the switch with a user created in the ACS server.

When I telnet into the router using the "insite" user I get full privileges and I can run any command (as in privilege level 15).

This is my TACACS configuration in the AAA tacacs client:

aaa authentication login CE_TACACS group tacacs+ local
aaa authorization exec CE_TACACS group tacacs+

tacacs-server host 10.3.3.4 key 7 110A1C0B1206AAAA

line vty 0 4
exec-timeout 120 0
privilege level 15
authorization exec CE_TACACS
logging synchronous
login authentication CE_TACACS
transport input telnet ssh
transport output telnet ssh
line vty 5 14
exec-timeout 120 0
privilege level 15
authorization exec CE_TACACS
logging synchronous
login authentication CE_TACACS
transport input telnet ssh
transport output telnet ssh
line vty 15
exec-timeout 120 0
privilege level 15
authorization exec CE_TACACS
logging synchronous
login authentication CE_TACACS
transport input telnet ssh
transport output telnet ssh

And this is my view set up (Techsupp):

parser view Techsupp
  secret 5 $1$ahhO$8fiyX/oLy4e4B9KQcav9o.
  commands exec include show version
  commands exec include show interfaces
  commands exec include show running-config
  commands exec include show

The AAA client is a WS-C2960G-24TC-L running the IOS Version 12.2(55)SE1, which is the latest for this device.

ACS configuration (screenshots not reproduced here): AAA Device, Group, User, Shell profile, Command set (which should not matter anyway), Access service.

This is the output of the debug TACACS authentication and authorization:

SW_Energy_Wise#
*Mar  4 06:10:15.099: TPLUS: Queuing AAA Authentication request 93 for processing
*Mar  4 06:10:15.107: TPLUS: processing authentication start request id 93
*Mar  4 06:10:15.107: TPLUS: Authentication start packet created for 93()
*Mar  4 06:10:15.107: TPLUS: Using server 10.3.3.4
*Mar  4 06:10:15.107: TPLUS(0000005D)/0/NB_WAIT/350C910: Started 5 sec timeout
*Mar  4 06:10:15.107: TPLUS(0000005D)/0/NB_WAIT: socket event 2
*Mar  4 06:10:15.116: TPLUS(0000005D)/0/NB_WAIT: wrote entire 33 bytes request
*Mar  4 06:10:15.116: TPLUS(0000005D)/0/READ: socket event 1
*Mar  4 06:10:15.116: TPLUS(0000005D)/0/READ: Would block while reading
SW_Energy_Wise#
*Mar  4 06:10:15.116: TPLUS(0000005D)/0/READ: socket event 1
*Mar  4 06:10:15.116: TPLUS(0000005D)/0/READ: read entire 12 header bytes (expect 16 bytes data)
*Mar  4 06:10:15.116: TPLUS(0000005D)/0/READ: socket event 1
*Mar  4 06:10:15.116: TPLUS(0000005D)/0/READ: read entire 28 bytes response
*Mar  4 06:10:15.116: TPLUS(0000005D)/0/350C910: Processing the reply packet
*Mar  4 06:10:15.116: TPLUS: Received authen response status GET_USER (7)
SW_Energy_Wise#
*Mar  4 06:10:18.656: TPLUS: Queuing AAA Authentication request 93 for processing
*Mar  4 06:10:18.656: TPLUS: processing authentication continue request id 93
*Mar  4 06:10:18.656: TPLUS: Authentication continue packet generated for 93
*Mar  4 06:10:18.656: TPLUS(0000005D)/0/WRITE/36364CC: Started 5 sec timeout
*Mar  4 06:10:18.656: TPLUS(0000005D)/0/WRITE: wrote entire 23 bytes request
*Mar  4 06:10:18.664: TPLUS(0000005D)/0/READ: socket event 1
*Mar  4 06:10:18.664: TPLUS(0000005D)/0/READ: read entire 12 header bytes (expect 16 bytes data)
*Mar  4 06:10:18.664: TPLUS(0000005D)/0/READ: socket event 1
SW_Energy_Wise#
*Mar  4 06:10:18.664: TPLUS(0000005D)/0/READ: read entire 28 bytes response
*Mar  4 06:10:18.664: TPLUS(0000005D)/0/36364CC: Processing the reply packet
*Mar  4 06:10:18.664: TPLUS: Received authen response status GET_PASSWORD (8)
SW_Energy_Wise#
*Mar  4 06:10:25.937: TPLUS: Queuing AAA Authentication request 93 for processing
*Mar  4 06:10:25.937: TPLUS: processing authentication continue request id 93
*Mar  4 06:10:25.937: TPLUS: Authentication continue packet generated for 93
*Mar  4 06:10:25.937: TPLUS(0000005D)/0/WRITE/36364CC: Started 5 sec timeout
*Mar  4 06:10:25.937: TPLUS(0000005D)/0/WRITE: wrote entire 25 bytes request
*Mar  4 06:10:25.945: TPLUS(0000005D)/0/READ: socket event 1
*Mar  4 06:10:25.945: TPLUS(0000005D)/0/READ: read entire 12 header bytes (expect 6 bytes data)
*Mar  4 06:10:25.945: TPLUS(0000005D)/0/READ: socket event 1
*Mar  4 06:10:25.945: TPLUS(0000005D)/0/READ: read entire 18 bytes response
*Mar  4 06:10:25.945: TPLUS(0000005D)/0/36364CC: Processing the reply packet
*Mar  4 06:10:25.945: TPLUS: Received authen response status PASS (2)
*Mar  4 06:10:25.945: TPLUS: Queuing AAA Authorization request 93 for processing
*Mar  4 06:10:25.945: TPLUS: processing authorization request id 93
*Mar  4 06:10:25.945: TPLUS: Protocol set to None .....Skipping
*Mar  4 06:10:25.945: TPLUS: Sending AV service=shell
*Mar  4 06:10:25.945: TPLUS: Sending AV cmd*
*Mar  4 06:10:25.945: TPLUS: Authorization request created for 93(insite)
*Mar  4 06:10:25.945: TPLUS: using previously set server 10.3.3.4 from group tacacs+
*Mar  4 06:10:25.954: TPLUS(0000005D)/0/NB_WAIT/2AB5488: Started 5 sec timeout
*Mar  4 06:10:25.954: TPLUS(0000005D)/0/NB_WAIT: socket event 2
*Mar  4 06:10:25.954: TPLUS(0000005D)/0/NB_WAIT: wrote entire 58 bytes request
*Mar  4 06:10:25.954: TPLUS(0000005D)/0/READ: socket event 1
*Mar  4 06:10:25.954: TPLUS(0000005D)/0/READ: Would block while reading
*Mar  4 06:10:25.962: TPLUS(0000005D)/0/READ: socket event 1
*Mar  4 06:10:25.962: TPLUS(0000005D)/0/READ: read entire 12 header bytes (expect 63 bytes data)
*Mar  4 06:10:25.962: TPLUS(0000005D)/0/READ: socket event 1
SW_Energy_Wise#
*Mar  4 06:10:25.962: TPLUS(0000005D)/0/READ: read entire 75 bytes response
*Mar  4 06:10:25.962: TPLUS(0000005D)/0/2AB5488: Processing the reply packet
*Mar  4 06:10:25.962: TPLUS: Processed AV cli-view-name=Techsupp                     
*Mar  4 06:10:25.962: TPLUS: Processed AV priv-lvl=15
*Mar  4 06:10:25.962: TPLUS: received authorization response for 93: PASS
SW_Energy_Wise#

It looks as if it is actually sending the correct cli-view-name parameter but, as I said before, it does not place the user into the view once I telnet into the router.

If I remove the privilege level 15 item from the shell profile configuration and try to telnet to the device, authorization fails and it does not allow me to login into the device.

My understanding is that privilege level should not matter with role-based CLI view configuration, as the only available commands once in a view should be the ones specified in that view.

Can please somebody shed some light about this?

Is there something wrong with my configuration in the ACS server or AAA TACACS client?

Thanks in advance,

Alejandro

Message was edited by: Alejandro Ruiz
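The two "Processed AV" lines in the debug above are the router decoding a TACACS+ authorization REPLY from ACS. As an added example that is not part of this thread and not Cisco or ACS code, the Python below builds one such reply carrying the same two AV pairs (cli-view-name=Techsupp, priv-lvl=15), obfuscates it with the RFC 8907 pseudo-pad, parses it back with length checks, and lints the AV pairs: the separator ("=" mandatory, "*" optional) and whitespace around a value, which is worth ruling out before comparing what the server sent against the view name configured on the device, given that the debug prints the cli-view-name value followed by trailing spaces. The session id, shared secret and sample values are made up for the example.

```python
"""
Build, obfuscate, parse and lint a TACACS+ (RFC 8907) authorization REPLY,
the packet behind the "Processed AV cli-view-name=..." debug lines above.
All values here are constructed for illustration.
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0          # major version 0xC, minor 0
TAC_PLUS_AUTHOR = 0x02           # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}
SESSION_ID = 0x1A2B3C4D          # made up; not taken from the debug
KEY = b"constructed-shared-secret"  # made up; not the key from the post


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: pad_1 = MD5(session_id|key|version|seq_no),
    pad_n = MD5(session_id|key|version|seq_no|pad_{n-1}), truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call decrypts."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply_body(status, args, server_msg=b"", data=b""):
    """REPLY body: status(1) arg_cnt(1) server_msg_len(2) data_len(2)
    arg_len[1..N] server_msg data arg_1..arg_N."""
    encoded = [a.encode("ascii") for a in args]
    fixed = struct.pack("!BBHH", status, len(encoded), len(server_msg), len(data))
    return fixed + bytes(len(a) for a in encoded) + server_msg + data + b"".join(encoded)


def build_packet(body, session_id, key, seq_no):
    """12-byte header (version, type, seq_no, flags, session_id, length)
    followed by the obfuscated body."""
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHOR,
                         seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_author_reply(packet, key):
    """Decode a REPLY, refusing anything whose lengths do not add up."""
    if len(packet) < 12:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not an authorization packet")
    body = packet[12:]
    if len(body) != length or length < 6:
        raise ValueError("header says %d body bytes, got %d" % (length, len(body)))
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens, pos = body[6:6 + arg_cnt], 6 + arg_cnt
    server_msg, pos = body[pos:pos + msg_len], pos + msg_len
    pos += data_len                                  # skip the data field
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode("ascii"))
        pos += n
    if len(arg_lens) != arg_cnt or pos != length:
        raise ValueError("argument lengths do not match the body")
    return {"status": AUTHOR_STATUS.get(status, hex(status)),
            "server_msg": server_msg.decode("ascii", "replace"), "args": args}


def lint_shell_avs(args):
    """Checks worth running on what a shell profile returns: the separator
    ('=' mandatory, '*' optional), whitespace inside a value, and whether
    the two attributes discussed in the thread are present at all."""
    avs, findings = {}, []
    for a in args:
        sep = next((c for c in a if c in "=*"), None)
        if sep is None:
            findings.append("no '=' or '*' separator in %r" % a)
            continue
        name, value = a.split(sep, 1)
        if value != value.strip():
            findings.append("%s value has surrounding whitespace: %r" % (name, value))
        avs[name] = value
    for wanted in ("cli-view-name", "priv-lvl"):
        if wanted not in avs:
            findings.append("%s not returned" % wanted)
    return findings


def round_trip(view_name="Techsupp"):
    """Build a PASS_ADD reply carrying the two AV pairs from the debug,
    decode it and lint it. Returns (decoded args, lint findings)."""
    args = ["cli-view-name=%s" % view_name, "priv-lvl=15"]
    packet = build_packet(build_author_reply_body(0x01, args), SESSION_ID, KEY, seq_no=2)
    decoded = parse_author_reply(packet, KEY)
    return decoded["args"], lint_shell_avs(decoded["args"])


if __name__ == "__main__":
    print(round_trip())                 # clean value: no findings
    print(round_trip("Techsupp   "))    # trailing spaces are reported
```

One arithmetic observation the layout makes easy: the debug above announces 63 data bytes for this reply (75 bytes on the wire less the 12-byte header), while a body holding only the two bare AV pairs cli-view-name=Techsupp and priv-lvl=15 takes 41 bytes in this format. Whether the difference is a server_msg, a data field, or extra characters inside the values is something a packet capture or the ACS shell profile itself would have to settle; the debug line alone does not.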