07-01-2024 05:11 AM - edited 07-01-2024 05:12 AM
Hello,
I've been given a task to provide administrative access for local IT guys so that they are able to execute a limited set of commands. The following TACACS command sets have been configured to achieve that objective:
Unfortunately, it does not work the way it's supposed to. After logging in to the device and hitting the appropriate authorization policy, I'm unable to execute the following commands (which is the desired outcome):
- reload
- debug
- traceroute
- show running-config
- configure terminal
All allowed commands (ping, terminal monitor, terminal no monitor, show interface status, show logging) are working fine. However, I've noticed that other show commands such as "show spanning-tree", "show spanning-tree root", or "show ntp packets" can also be executed although they should be denied. Could anyone explain this? I'll add that I've tried several options with "Deny" and "Deny always".
Thank you in advance!
07-01-2024 01:46 PM
I have a feeling that your IOS device is not performing command authorization, hence, ISE is not getting involved in the command authorization. Can you please share your
show run | in aaa
Command authorization can be enabled for any and every priv level you give your admins. I always give everyone priv15 because that is needed for a "show run". Therefore, the command authorization would look like this (my example uses the TACACS+ group "tacacs_group" and the "default" method list ... adjust as necessary to suit your scenario)
aaa authorization commands 15 default group tacacs_group if-authenticated
07-01-2024 10:34 PM
Hello,
In my case it's slightly different. It looks like this:
aaa authorization commands 15 default local group TACACS if-authenticated
Do you think it might be the cause of the issue?
07-01-2024 10:57 PM
Yes - if you use the built-in help (question mark) you can see that the "local" is not correct
switch(config)#aaa authorization commands 15 default ?
cache Use Cached-group
group Use server-group.
if-authenticated Succeed if user has authenticated.
local Use local database.
none No authorization (always succeeds).
We don't want to perform command authorization using local accounts - therefore, assuming your TACACS+ aaa group is called "TACACS" (as your example shows), then change the command to look like this
aaa authorization commands 15 default group TACACS if-authenticated
07-01-2024 11:53 PM - edited 07-01-2024 11:55 PM
But I'm also using local accounts as a backup authentication method. Furthermore, I'm wondering why it's working fine for most of the commands. As I mentioned before, I'm unable to execute the "debug", "reload" or "conf t" command. Local authorization should also be enabled as a backup.
07-02-2024 10:58 AM
Did you also configure "aaa authorization config-commands"?
Been working on a similar implementation and the above command needs to be configured on my network devices (Cisco) for ISE to get granular with authorized commands.
07-02-2024 02:06 PM - edited 07-02-2024 02:26 PM
@lnw-team - do you see the ISE Command authorization attempts in the ISE TACACS Live Logs? If not, then check the vty line settings because you also need - e.g.
line vty 0 15
 authorization commands 15 VTY_Name
I also keep forgetting that the IOS exec shell doesn't pass ALL commands to the AAA for evaluation unless you specify the exact priv level used by that command
E.g. show running-config is sent to AAA for eval because it's a priv level 15 command.
But commands like "show version", "show users" etc. are priv 1 commands.
Therefore you must configure aaa authorization commands in global and line vty for all possible priv levels.
I tested it just now and forgot priv level 1, which is used for show users, etc.
I wish there was a list that showed us which priv level is used for which command.
Your DENY_ALWAYS rule is a dangerous one. It takes precedence over ALL the other commands, and just because you put it at the end of the rules, doesn't mean it gets executed last - it gets evaluated FIRST! Always ... dangerous command.
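To make the explanation in this thread concrete, here is a small Python model (added for this thread; it is not code from the original posters, from Cisco IOS or from ISE) of the two stages involved: the IOS device only hands a command to TACACS+ when an "aaa authorization commands <level>" line exists for that command's privilege level, and the ISE command set then decides, with Deny Always evaluated before anything else regardless of where it sits in the list. The privilege levels in the table, the command set rules, and the first-match handling of Permit/Deny are constructed assumptions for the model; check the real levels on your platform and the real command-set semantics in the ISE documentation.

```python
"""Model of IOS command-authorization dispatch plus an ISE-style command set.

Added example for this thread (not the posters' or Cisco's code).  The
`authz_levels` parameter stands in for the assumed IOS configuration:

    aaa authorization commands 1 default group TACACS if-authenticated
    aaa authorization commands 15 default group TACACS if-authenticated
    aaa authorization config-commands
    line vty 0 15
     authorization commands 1 default
     authorization commands 15 default
"""
import re
from dataclasses import dataclass

# Constructed table: the privilege level this model assigns to each exec command.
# The values are assumptions, not a lookup of real IOS defaults.
COMMAND_PRIV = {
    "show running-config": 15,
    "configure terminal": 15,
    "reload": 15,
    "debug ip packet": 15,
    "show spanning-tree": 1,
    "show spanning-tree root": 1,
    "show ntp packets": 1,
    "show version": 1,
    "show users": 1,
    "ping 10.0.0.1": 1,
    "terminal monitor": 1,
    "terminal no monitor": 1,
    "show interface status": 1,
    "show logging": 1,
}


@dataclass(frozen=True)
class Rule:
    grant: str        # "PERMIT", "DENY" or "DENY_ALWAYS"
    command: str      # first word of the command line, e.g. "show"
    arguments: str    # regex matched against the rest of the line; ".*" = any


def rule_matches(rule: Rule, cmdline: str) -> bool:
    command, _, arguments = cmdline.partition(" ")
    return command == rule.command and re.fullmatch(rule.arguments, arguments) is not None


def evaluate_command_set(rules, cmdline, permit_unlisted=False):
    """ISE-style decision for one command line.

    Deny Always is checked first, wherever it appears in the list.  Otherwise
    the first matching Permit/Deny decides (a simplification of ISE), and an
    unmatched command falls to the 'permit any command not listed' setting.
    """
    if any(r.grant == "DENY_ALWAYS" and rule_matches(r, cmdline) for r in rules):
        return "DENY"
    for rule in rules:
        if rule_matches(rule, cmdline):
            return "PERMIT" if rule.grant == "PERMIT" else "DENY"
    return "PERMIT" if permit_unlisted else "DENY"


def authorize(cmdline, authz_levels, rules):
    """Return (decision, reason) for a command typed on the device.

    A command whose privilege level has no 'aaa authorization commands <level>'
    never reaches TACACS+ and runs locally, which is what the thread observed
    for 'show spanning-tree' when only level 15 was configured.
    """
    level = COMMAND_PRIV[cmdline]
    if level not in authz_levels:
        return "PERMIT", f"priv {level}: no authorization configured, not sent to TACACS+"
    return evaluate_command_set(rules, cmdline), f"priv {level}: sent to TACACS+"


# Constructed command set mirroring the allow list in the first post.  The
# Permit for 'reload' is deliberately placed before the Deny Always to show
# that position does not matter.
COMMAND_SET = [
    Rule("PERMIT", "ping", ".*"),
    Rule("PERMIT", "terminal", "(no )?monitor"),
    Rule("PERMIT", "show", "interface status"),
    Rule("PERMIT", "show", "logging"),
    Rule("PERMIT", "reload", ".*"),
    Rule("DENY_ALWAYS", "reload", ".*"),
]


def report(authz_levels):
    """Decision for every command in the table under the given device config."""
    return {cmd: authorize(cmd, authz_levels, COMMAND_SET) for cmd in COMMAND_PRIV}


if __name__ == "__main__":
    for levels in ({15}, {0, 1, 15}):
        print(f"\n--- aaa authorization commands configured for levels {sorted(levels)} ---")
        for cmd, (decision, reason) in report(levels).items():
            print(f"{decision:6} {cmd:26} ({reason})")
```

Running it with `{15}` reproduces the symptom from the first post: "show running-config" and "reload" are denied, while "show spanning-tree" and "show ntp packets" are permitted because they never reach the server. With `{0, 1, 15}` those level 1 commands are sent to TACACS+ and, being unlisted, are denied.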