02-04-2012 01:05 AM - edited 03-10-2019 06:47 PM
I created a new Shell Command Authorization Set within ACS to only allow a port to be configured for a voice VLAN.
>> Shell Command Authorization Sets
Name: Restricted_Voice
Description: Configure port voice vlan only.
Unmatched Commands: Deny
Add: enable
Add: configure / permit terminal <cr>
Add: interface / permit Gi*
Add: interface / permit Fa*
Add: switchport / permit voice vlan *
My switch configuration has the following aaa authorization related lines:
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
When I tested the Shell Set, I noticed that all (config) mode commands were allowed (i.e. description, hostname). It was only after I added "aaa authorization config-commands" to the switch configuration that my Shell Set began working as I expected it to.
I went and read up the command reference for "aaa authorization config-commands" in
http://www.cisco.com/en/US/docs/ios/11_3/security/command/reference/sr_auth.html#wp3587.
My comprehension of the command is that just issuing 'aaa authorization commands 15 ....' encompasses the checking of config mode commands and that I did not need to add the stand-alone "aaa authorization config-commands" statement. But clearly, from my testing, I needed the extra statement.
It looks like I resolved my issue and need to add the new statement to all my switches, but I'm wondering if someone can help clarify the usage guidelines for me. Am I one of the few, or the only one, that misinterpreted these "aaa authorization" commands?
02-05-2012 10:57 PM
You are right. For shell to authorise configuration commands, "aaa authorization config-commands" is a must. It provides you more granular control for configuration commands.
regards/bsn
07-22-2012 08:45 AM
Command authorization on level 15 does not affect the global configuration mode and its submodes unless "aaa authorization config-commands" is configured.
HTH
10-02-2012 02:26 AM
Hi Axa,
I have a similar setup and have full Exec Level permissions using only aaa authorization commands level method
The below is taken from cisco.com and explains that you should not require the aaa authorization config-commands unless you have at some point used the no aaa authorization config-commands command to prevent configuration commands from the Exec User.
This in essence is a hidden configured default, i.e. you switch on auth for config-commands automatically when you use the aaa authorization commands level method command!
From Cisco.com (I have underlined the key points)
To disable AAA configuration command authorization in the EXEC mode, use the no form of the aaa authorization config-commands global configuration command. Use the standard form of this command to reestablish the default created when the aaa authorization commands level method1 command was issued.
aaa authorization config-commands
no aaa authorization config-commands
This command has no arguments or keywords.
After the aaa authorization commands level method has been issued, this command is enabled by default—meaning that all configuration commands in the EXEC mode will be authorized.
If aaa authorization commands level method is enabled, all commands, including configuration commands, are authorized by AAA using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using no aaa authorization config-commands stops the network access server from attempting configuration command authorization.
After the no form of this command has been entered, AAA authorization of configuration commands is completely disabled. Care should be taken before entering the no form of this command because it potentially reduces the amount of administrative control on configuration commands.
Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization commands level method command.
The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:
aaa new-model
aaa authorization command 15 tacacs+ none
no aaa authorization config-commands