11-27-2012 05:31 AM - edited 03-10-2019 07:50 PM
Hi
I'm trying to set up a command set in Cisco ACS 5.3, I can't get it to work no matter what I try.
What I'm trying to accomplish is that some users, say Bob, can run every priv. level 1 command + show run, or just to specify which commands Bob will be able to run, whatever is easiest to set up.
Can someone please provide a guide or step-by-step instructions with the necessary commands to set it up? I'm having trouble finding a good guide for this..
In my switch I have the commands:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+ <--- tried different approaches with priv level..
(and specified a tacacs server)
is the "default" under "aaa authorization commands 1x default group tacacs+" the name of the command set?
In the ACS I have specified an Authorization group and bound it to the command set; should the user have priv 15 for this to work, or priv 1?
(I have also specified a user and an identity group and specified ip ranges under "Network Devices and AAA Clients")
Not sure how to set up the command set, see below
Thanks for any help!!!!!!!
//Johan
11-27-2012 06:32 AM
IOS Configuration
These commands are required on an IOS router or switch in order to implement command authorization through an ACS server:
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
Here we have two users that belong to two different groups.
Here are the groups
Then we will need to create two different authorization policies
Under those policies it will match depending on the identity group that the user belongs to, and based on that it will apply the command sets "only show" or "allow all".
Here are the command sets
This is the command set allow all for the rule 1.
This is the only show run for the rule 2.
So basically the configuration you have under the command set is fine, you just need to separate the values.
Example:
Grant = Permit
Command = show
Arguments = ip interface brief
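The two command sets described in the answer above ("allow all" and "only show") can be reasoned about as a small permit/deny evaluator. The following is an added example, not code from the thread or from Cisco ACS; it models how a TACACS+ server evaluates a command set against the command line a device submits for authorization. The rule structure (Grant / Command / Arguments) mirrors the ACS fields quoted in the answer, but the precedence order (Deny Always first, then Deny, then Permit, then the "permit unlisted" fallback), full-regex matching of arguments and case-insensitive command matching are assumptions of this model, not a statement of the product's exact algorithm. The sample command lines are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Modelled after the ACS command-set row: Grant / Command / Arguments.
# Grant is one of "Permit", "Deny" or "Deny Always" (assumption: these
# three values, with "Deny Always" overriding everything else).
@dataclass(frozen=True)
class CommandRule:
    grant: str
    command: str        # the command keyword, e.g. "show"
    arguments: str = "" # regex over the rest of the line; "" matches anything


@dataclass
class CommandSet:
    name: str
    rules: List[CommandRule] = field(default_factory=list)
    permit_unlisted: bool = False  # "Permit any command that is not in the table"


def _rule_matches(rule: CommandRule, command: str, args: str) -> bool:
    """Assumption: command keyword compared case-insensitively, arguments
    matched as a full regular expression against the remainder of the line."""
    if rule.command.lower() != command.lower():
        return False
    if rule.arguments == "":
        return True
    return re.fullmatch(rule.arguments, args, re.IGNORECASE) is not None


def evaluate(command_set: CommandSet, line: str) -> str:
    """Return "permit" or "deny" for one submitted command line."""
    parts = line.strip().split(None, 1)
    if not parts:
        return "deny"
    command, args = parts[0], (parts[1] if len(parts) > 1 else "")
    matched = [r for r in command_set.rules if _rule_matches(r, command, args)]
    # Precedence (assumption): Deny Always > Deny > Permit > unlisted fallback.
    if any(r.grant == "Deny Always" for r in matched):
        return "deny"
    if any(r.grant == "Deny" for r in matched):
        return "deny"
    if any(r.grant == "Permit" for r in matched):
        return "permit"
    return "permit" if command_set.permit_unlisted else "deny"


def evaluate_all(command_set: CommandSet, lines: List[str]) -> List[str]:
    """Decision per line, handy for checking a whole session transcript."""
    return [evaluate(command_set, ln) for ln in lines]


# "Allow all" set for rule 1: no rows, unlisted commands permitted.
ALLOW_ALL = CommandSet(name="allow_all", permit_unlisted=True)

# "Only show" set for rule 2: the show-run case the question asks for plus the
# "show ip interface brief" row given in the answer; everything else denied.
ONLY_SHOW = CommandSet(
    name="only_show",
    rules=[
        CommandRule("Permit", "show", r"run(ning-config)?(\s.*)?"),
        CommandRule("Permit", "show", r"ip interface brief"),
        CommandRule("Deny Always", "configure"),
    ],
    permit_unlisted=False,
)

# Constructed sample of what a user session might submit for authorization.
SAMPLE_SESSION = [
    "show running-config",
    "show run",
    "show ip interface brief",
    "show ip route",
    "configure terminal",
]

if __name__ == "__main__":
    for cs in (ALLOW_ALL, ONLY_SHOW):
        for line, decision in zip(SAMPLE_SESSION, evaluate_all(cs, SAMPLE_SESSION)):
            print(f"{cs.name:10s} {decision:6s} {line}")
```

The point of the model is the checkbox: with "only show", a command that matches no row is denied, so the set stays least-privilege even as new IOS commands appear; "allow all" is only safe for the identity group that is meant to have full configuration rights.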
11-27-2012 07:32 AM
Thank you!!!!!
now it's working !!!!
Thanks for a great explanation!!