572 Views | 5 Helpful | 3 Replies

Exclude specific user from aaa authorization commands

diondohmen
Level 1

Hi there,


I am trying to find a solution to exclude specific users from being authorized (AAA command authorization) when entering commands on the switch/router.

We use an AAA setup with Cisco ACS. On the devices we use:

aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local


Is it possible to exclude a user, say User1, from being command authorized?

In other words, when User1 logs on the switch/router, the switch/router shouldn't check the ACS if User1 is authorized to use this command.

We tried this with method lists in combination with ACLs on the VTYs:


line vty 0
 access-class 1 in
line vty 1
 access-class 2 in


Let's say, User1 always logs in from a specific IP, which is mentioned in access-list 2, the switch would use the method mentioned within the line vty 1.

But apparently, when a remote connection is being established, the switch/router uses the first VTY which is available, instead of watching which ACL can be matched to the source IP from the User.


Does anyone have some tips/tricks how to handle this?

Maybe a custom attribute from the ACS?


Kind Regards


3 Replies

nspasov
Cisco Employee

Where does the user you are trying to block reside? Locally on the device, AD or in the ACS database?


Thank you for rating helpful posts!

We have a RADIUS backend where the user resides

nspasov
Cisco Employee

If that user belongs to a unique group then you can write a policy where "if the user is in group x then return access_reject", or return access_accept but set the privilege level to 1 and block all commands.


Thank you for rating helpful posts!
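As an added illustration (not part of the thread and not Cisco ACS configuration or syntax), the following Python models the server-side approach the reply describes: the switch keeps sending every command for authorization, and the per-user or per-group exemption lives in the AAA server's policy (reject the session, accept at privilege 1 with no commands permitted, or accept with an all-permit command set) rather than in a per-VTY method list. All user names, group names and command-set rules are constructed for the example.

```python
"""Toy TACACS+ command-authorization policy, evaluated on the AAA server.

Constructed example: the directory, groups and command sets below are
assumptions for illustration, not ACS objects.
"""
import re
from dataclasses import dataclass, field

# Constructed directory: user -> group (in the thread the users sit in a RADIUS backend)
USER_GROUPS = {
    "User1": "noc-full",   # the user the question wants exempted from command checks
    "User2": "helpdesk",
    "User3": "blocked",    # accepted, but privilege 1 and every command denied
    "User4": "disabled",   # session rejected outright
}


@dataclass
class CommandSet:
    """Ordered (action, regex) rules; first full match wins, else default."""
    rules: list = field(default_factory=list)
    default_action: str = "deny"

    def evaluate(self, command: str) -> str:
        for action, pattern in self.rules:
            if re.fullmatch(pattern, command):
                return action
        return self.default_action


@dataclass
class GroupPolicy:
    auth_result: str      # "access_accept" or "access_reject"
    priv_lvl: int         # privilege level returned on accept
    commands: CommandSet  # command set applied to every authorization request


POLICY = {
    # Option 1 from the reply: reject the session for this group
    "disabled": GroupPolicy("access_reject", 1, CommandSet([], "deny")),
    # Option 2 from the reply: accept, privilege 1, block all commands
    "blocked": GroupPolicy("access_accept", 1, CommandSet([], "deny")),
    # Restricted operators: show commands only
    "helpdesk": GroupPolicy("access_accept", 15, CommandSet(
        [("permit", r"show .*"), ("deny", r"configure .*")], "deny")),
    # The "exempt" user: still authorized per command, but the set permits everything,
    # so the device never needs a method list that skips the server
    "noc-full": GroupPolicy("access_accept", 15, CommandSet([], "permit")),
}

AUDIT_LOG = []  # every authorization decision is still recorded, exempt users included


def authenticate(user: str) -> dict:
    """Session decision: returns the accept/reject result and the privilege level."""
    group = USER_GROUPS.get(user)
    if group is None:
        return {"result": "access_reject", "priv_lvl": None}
    pol = POLICY[group]
    if pol.auth_result != "access_accept":
        return {"result": "access_reject", "priv_lvl": None}
    return {"result": "access_accept", "priv_lvl": pol.priv_lvl}


def authorize_command(user: str, command: str) -> str:
    """Per-command decision ("permit"/"deny"); unknown users are denied."""
    group = USER_GROUPS.get(user)
    decision = "deny" if group is None else POLICY[group].commands.evaluate(command)
    AUDIT_LOG.append((user, command, decision))
    return decision


if __name__ == "__main__":
    for user in USER_GROUPS:
        print(user, authenticate(user), authorize_command(user, "configure terminal"))
```

The design point is that User1 is never "excluded" from authorization on the device; the server simply answers permit for everything, which keeps the command audit trail intact and avoids leaving a VTY whose method list bypasses the server.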