Exclude specific user from aaa authorization commands

diondohmen · ‎02-09-2015

Hi there,

I am trying to find a solution to exclude specific users from being authorized (AAA command authorization) when entering commands on the switch/router.

We use an AAA setup with Cisco ACS. On the devices we use:

aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

is it possible, to exclude an user, say User1, from being command authorized?

In other words, when User1 logs on the switch/router, the switch/router shouldn't check the ACS if User1 is authorized to use this command.

We tried this with method lists in combination with ACL's on the VTY's:

line VTY 0

access-class 1 in

line VTY 1

access-class 2 in

Let's say, User1 always logs in from a specific IP, which is mentioned in access-list 2, the switch would use the method mentioned within the line vty 1.

But apparently, when a remote connection is being established, the switch/router uses the first VTY which is available, instead of watching which ACL can be matched to the source IP from the User.

Does anyone have some tips/tricks how to handle this?

Maybe a custom attribute from the ACS?

Kind Regards

nspasov · ‎02-09-2015

Where does the user you are trying to block reside? Locally on the device, AD or in the ACS database?

Thank you for rating helpful posts!

Thank you for rating helpful posts!

diondohmen · ‎02-09-2015

We have a RADIUS backend where the user resides

nspasov · ‎02-10-2015

If that user belongs to a unique group then you can write a policy where "if the user is in group x then return "access_reject" Or return "access_accept" but set the privilege level to "1" and block all commands.

Thank you for rating helpful posts!

Thank you for rating helpful posts!