07-04-2005 11:47 AM - edited 03-10-2019 02:12 PM
Could anyone help telling the exact procedure of configuring user authorization on a Cisco IOS router via ACS server? My users are getting authenticated via the ACS server but are unable to authorize the commands they execute on the IOS router.
My commands on the AAA client:
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
username john privilege 5 password john
Pls help me on this.
07-05-2005 04:28 AM
Try this:
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization exec xxxxx group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 xxxxx group tacacs+ local
Then you need to go to your ACS server and create a shell command set under Shared Profile Components.
The shell command set should look something like this:
(main cmd) configure
(sub cmds)
permit terminal
permit interface
permit fastethernet
permit switchport
permit access
permit vlan
permit mode
permit spanning-tree
permit portfast
permit port-security
Check the permit box. If you want to deny them the cmd, then replace permit with deny.
You can also check "permit unmatched cmd arguments".
An example would be:
Clear (main cmd)
with the box checked they would have access to all of the sub commands. IE: clear counters etc...
To check and see if it is working place these lines in your aaa config:
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
This will show you what cmds are being run in the T+ admin section of ACS. Cmds that they try to run but don't have access to will show up in the Failed Attempts.
On a side note:
This line in your config only affects the local username and not the ACS username:
username john privilege 5 password john
To get this to work you need to change the privilege level of the commands that you want them to have to privilege level 5. If you have a lot of AAA devices it is best to do it through the ACS server.
07-13-2005 04:57 AM
Dear Sir,
On my ACS v3.2 Windows server, I have configured group A and created one user B. I want this user B to have a helpdesk profile, i.e. he should only access show commands, but it is strange to discover that when B types enable he moves into enable mode (it asks for the enable password). I want to restrict B from using the enable command. Pls find below my router aaa config:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login enable group tacacs+ enable
aaa authentication ppp default local group radius
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa session-id common
Kindly guide me as to what parameter needs to be set in the ACS server command authorisation set feature.
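As an added example (not from either poster), the router-side lines described in the first reply gathered into one annotated IOS configuration: per-command authorization for levels 1 and 15, accounting for verification, a local fallback account, and the privilege-level change the reply mentions. The TACACS+ server address and key are placeholders; the `show` commands moved to level 5 are only an illustration.

```text
! Constructed example, not from the original posts. Server address and key are placeholders.
aaa new-model
!
! TACACS+ server (ACS) the router queries
tacacs-server host 192.0.2.10
tacacs-server key CHANGE_ME
!
! Local fallback account, consulted only by the 'local' method when ACS is unreachable.
! Keyword is 'username', not 'user'; this account has no effect on ACS users.
username john privilege 5 password john
!
! Login authentication and exec (shell) authorization via ACS, local database as fallback
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Per-command authorization: each command typed at privilege 1 or 15 is sent to ACS
! and matched against the shell command set. Without the level-1 line, commands
! typed at user EXEC level are never checked against ACS.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Command accounting so every attempted command, permitted or denied,
! appears in the ACS T+ Administration / Failed Attempts reports
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Privilege-level route for the local user: move selected show commands down to
! level 5 so a level-5 user can run them without full enable (level 15) access
privilege exec level 5 show interfaces
privilege exec level 5 show ip route
```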