Re: Do I need privilege exec level commands in router?

frank · ‎06-02-2008

Do I need privilege exec level commands in router if the user was setup in TACACS server with specific privilege exec already?

The user is getting "Command authorization failed" error even was setup with "priv-lvl = 4" for TACACS server.

If changed to AAA with local authentication then is fine without privilege exec level 4 commands in router.

Farrukh Haroon · ‎06-02-2008

That would depend on your 'aaa authorization commands' setting. If you are using ACS to authorize commands, you need to create shell command authorization sets in ACS. However in any case if you want this level 4 user to view any commands that are available at a higher level, you need to make them 'visible' to him by issuing the appropriate 'privilege level command' statements in the router

itself.

Have a look at this:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Regards

Farrukh

Jagdeep Gambhir · ‎06-02-2008

If you are using command authorization then privilage doesn't matter.

Best way to set it up is to give all user priv lvl 15 and then define what all commands user can execute.

Note : Having priv 15 does not mean that user will able to issue all commands.

We will set up command authorization on acs to have control on users.

This is how your config should look,

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

Regards,

~JG

Do rate helpful posts

Farrukh Haroon · ‎06-02-2008

I'm afraid your statement is not totally true:

"If you are using command authorization then privilage doesn't matter. "

It only becomes true when the 'best way' suggested by you is applied:

"Best way to set it up is to give all user priv lvl 15 and then define what all commands user can execute. "

Otherwise a privilege level 4 user cannot even see commands at a higher level than him, for example if he does:

show ?

He will only see the show commands at level 4 and lower, and will not see the higher commands like 'show tech'.

Forgive me if I got your words wrong.

Regards

Farrukh

Jagdeep Gambhir · ‎06-02-2008

Your understanding is correct only if we are using local authorization. In acs it works bit differently.

====

How does that matter if user is able to see all options for show command or any command ?

show ?

This is not an examination where we need to hide option's. Able to see all option does not mean that user is allowed to execute it.

The moment users tries to issue command , acs will authorize it and will proceed as per the shell command authorization configuration.

ACS command authorization works over priv 15 level.

Regards,

~JG

Farrukh Haroon · ‎06-02-2008

Have you ever labbed a AAA scenario like this?

Do it, you might find some surprises there, or I will :)

Regards

Farrukh