Command confusion - aaa authorization config-commands

axa-wongjeff
Level 1

I created a new Shell Command Authorization Set within ACS to only allow a port to be configured for a voice VLAN.

  >> Shell Command Authorization Sets

      Name: Restricted_Voice

      Description: Configure port voice vlan only.

      Unmatched Commands: Deny

      Add: enable

      Add: configure / permit terminal <cr>

      Add: interface / permit Gi*

      Add: interface / permit Fa*

      Add: switchport / permit voice vlan *

My switch configuration has the following aaa authorization related lines:

     aaa authorization commands 1 default group tacacs+ if-authenticated

     aaa authorization commands 15 default group tacacs+ if-authenticated

When I tested the Shell Set, I noticed that all (config) mode commands were allowed (i.e. description, hostname). It was only after I added "aaa authorization config-commands" to the switch configuration that my Shell Set began working as I expected it to.

I went and read up the command reference for "aaa authorization config-commands" in

http://www.cisco.com/en/US/docs/ios/11_3/security/command/reference/sr_auth.html#wp3587.

My comprehension of the command is that by just issuing 'aaa authorization commands 15 ...' this command encompasses the checking of config mode commands and that I did not need to add the stand-alone "aaa authorization config-commands" statement. But clearly, from my testing, I needed the extra statement.

It looks like I resolved my issue and need to add the new statement to all my switches. I'm wondering if someone can help clarify the usage guidelines for me. Am I one of the few, or the only one, that misinterpreted these "aaa authorization" commands?
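The following is an added example, not code from the original post, from ACS or from IOS. It is a small Python model of the behaviour the poster describes: a Shell Command Authorization Set with "Unmatched Commands: Deny" is applied to the commands the switch submits, and commands entered in config mode are only submitted when "aaa authorization config-commands" is in effect (modelled here by a flag). ACS argument matching is approximated with shell-style wildcards, the "enable" entry is assumed to permit any arguments, and the sample session at the bottom is constructed for the demonstration.

```python
"""Model of TACACS+ shell command authorization as seen from an IOS switch.

Added example for this thread; it is not Cisco ACS or IOS code.
Assumptions (not from the original post):
  * ACS argument patterns are matched with shell-style wildcards (fnmatchcase);
    real ACS matching is richer, this is a simplification.
  * A command added without arguments ("Add: enable") permits any arguments.
  * `config_commands_authorized` stands for "aaa authorization config-commands"
    being in effect on the switch.
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class CommandSet:
    """An ACS-style Shell Command Authorization Set."""

    permitted: dict[str, list[str]]  # command word -> permitted argument patterns
    unmatched_commands_deny: bool = True  # "Unmatched Commands: Deny"

    def authorize(self, cmd: str, args: str) -> bool:
        """Return True if the server would permit `cmd` with argument string `args`."""
        if cmd not in self.permitted:
            # Command word not in the set: fall back to the Unmatched Commands setting.
            return not self.unmatched_commands_deny
        return any(fnmatchcase(args, pattern) for pattern in self.permitted[cmd])


# The poster's "Restricted_Voice" set, transcribed into the model above.
RESTRICTED_VOICE = CommandSet(
    permitted={
        "enable": ["*"],                 # "Add: enable" (assumed: any args permitted)
        "configure": ["terminal"],       # "configure / permit terminal <cr>"
        "interface": ["Gi*", "Fa*"],     # "interface / permit Gi*", "permit Fa*"
        "switchport": ["voice vlan *"],  # "switchport / permit voice vlan *"
    },
    unmatched_commands_deny=True,
)


def switch_authorizes(
    cmdline: str,
    in_config_mode: bool,
    config_commands_authorized: bool,
    cmd_set: CommandSet,
) -> bool:
    """Decide whether the switch lets `cmdline` run.

    EXEC-mode commands are always sent to the server ("aaa authorization commands 15").
    Config-mode commands are only sent when config_commands_authorized is True;
    otherwise the switch accepts them locally, which matches what the poster saw
    (hostname and description were allowed) before adding the extra statement.
    """
    if in_config_mode and not config_commands_authorized:
        return True
    word, _, rest = cmdline.strip().partition(" ")
    return cmd_set.authorize(word, rest)


# Constructed sample session: (entered in config mode?, command line).
SESSION = [
    (False, "enable"),
    (False, "configure terminal"),
    (True, "hostname rogue-sw"),
    (True, "interface GigabitEthernet0/1"),
    (True, "description user desk"),
    (True, "switchport voice vlan 200"),
    (True, "switchport access vlan 10"),
    (False, "show running-config"),
]


def run_session(config_commands_authorized: bool) -> dict[str, bool]:
    """Replay SESSION and return {command: allowed?} for one switch configuration."""
    return {
        cmd: switch_authorizes(cmd, cfg_mode, config_commands_authorized, RESTRICTED_VOICE)
        for cfg_mode, cmd in SESSION
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"\naaa authorization config-commands in effect: {flag}")
        for cmd, allowed in run_session(flag).items():
            print(f"  {'PERMIT' if allowed else 'DENY  '}  {cmd}")
```

Running the script shows the difference the poster hit: without the flag, every config-mode line (hostname, description, switchport access vlan) goes through because it is never sent to the server; with it, only "interface Gi*/Fa*" and "switchport voice vlan *" survive, and "show running-config" is denied in both cases because the set does not list "show".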

3 Replies

Bharat Negi
Level 1

You are right. For shell to authorise configuration commands, "aaa authorization config-commands" is a must. It provides you more granular control over configuration commands.

regards/bsn

hkhrais
Level 1

Command authorization on level 15 does not affect the global configuration mode and its submodes unless "aaa authorization config-commands" is configured.

HTH

david.mitchell
Level 1

Hi Axa,

I have a similar setup and have full Exec Level permissions using only "aaa authorization commands level method".

The below is taken from cisco.com and explains that you should not require "aaa authorization config-commands" unless you have at some point used the "no aaa authorization config-commands" command to prevent configuration commands from the Exec user.

This in essence is a hidden configured default, i.e. you switch on authorization for config-commands automatically when you use the "aaa authorization commands level method" command!

From Cisco.com (I have underlined the key points)

aaa authorization config-commands

To disable AAA configuration command authorization in the EXEC mode, use the no form of the aaa authorization config-commands global configuration command. Use the standard form of this command to reestablish the default created when the aaa authorization commands level method1 command was issued.

aaa authorization config-commands

no aaa authorization config-commands

Syntax Description

This command has no arguments or keywords.

Defaults

After the aaa authorization commands level method has been issued, this command is enabled by default—meaning that all configuration commands in the EXEC mode will be authorized.

Usage Guidelines

If aaa authorization commands level method is enabled, all commands, including configuration commands, are authorized by AAA using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using no aaa authorization config-commands stops the network access server from attempting configuration command authorization.

After the no form of this command has been entered, AAA authorization of configuration commands is completely disabled. Care should be taken before entering the no form of this command because it potentially reduces the amount of administrative control on configuration commands.

Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization commands level method command.

Examples

The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:

aaa new-model
aaa authorization commands 15 tacacs+ none
no aaa authorization config-commands