02-19-2013 02:20 PM - edited 03-10-2019 08:06 PM
Hello
I am trying to set up AAA access to our network switches and routers with the following requirements:
Have two groups in the ACS server: one ReadWrite (full access), the second ReadOnly (full access except the conf t command).
Created network device groups. Created ACS groups (NetAdmin); shell (exec) is privilege level 15, Shell command auth set is configured ReadWrite for switches and routers.
With the commands below I managed to have it working OK for switches but cannot get it right for routers. Basically I get authenticated but still have access to conf t on routers. On switches the readonly group does not have access to conf t.
========================================================
Switch:
aaa new-model
!
!
aaa group server tacacs+ AAA
 server 10.10.10.1
 server 10.10.10.2
!
aaa authentication login default none
aaa authentication login AAA group tacacs+ local
aaa authentication login AAA-LOCAL local
aaa authentication enable default group AAA enable
aaa authorization exec default group AAA if-authenticated
aaa authorization commands 1 default group AAA if-authenticated
aaa authorization commands 15 default group AAA if-authenticated
aaa accounting exec default start-stop group AAA
aaa accounting commands 1 default start-stop group AAA
aaa accounting commands 15 default start-stop group AAA
aaa accounting network default start-stop group AAA
aaa accounting connection default start-stop group AAA
aaa accounting system default start-stop group AAA
!
line vty 0 4
 login authentication AAA
=======================================================
Router:
aaa new-model
!
!
aaa group server tacacs+ AAA
 server-private 10.10.10.1 key 11111
!
aaa authentication login AAA-LOCAL local
aaa authentication login AAA group AAA local
aaa authentication enable default group AAA enable
aaa authorization console
aaa authorization exec default group AAA if-authenticated
aaa authorization commands 1 default group AAA if-authenticated
aaa authorization commands 15 default group AAA if-authenticated
aaa accounting exec default
 action-type start-stop
 group AAA
!
aaa accounting commands 1 default
 action-type start-stop
 group AAA
!
aaa accounting commands 15 default
 action-type start-stop
 group AAA
!
aaa accounting network default
 action-type start-stop
 group AAA
!
aaa accounting connection default
 action-type start-stop
 group AAA
!
aaa accounting system default
 action-type start-stop
 group AAA
!
!
line vty 0 4
 login authentication AAA
=============================================================
Based on the commands above, how can I set up AAA to fulfill our needs?
Your help is appreciated.
02-19-2013 07:42 PM
ACS 4.x
ACS 5.x
http://www.cisco.com/en/US/products/ps9911/products_configuration_example09186a0080bc8514.shtml
These commands are required on an IOS router or switch in order to implement command authorization through an ACS server:
aaa new-model
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
tacacs-server host 10.1.1.1
tacacs-server key cisco123
Jatin Katyal
- Do rate helpful posts -
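The reply above lists the IOS statements command authorization depends on. A quick way to check a pasted config against that list, and to spot where the two devices in this thread differ, is a small offline audit script. The following is an added example written for this thread, not code from any of the posters or from Cisco; the two sample configs are trimmed copies of the switch and router snippets posted above, the checklist is the set of commands from the reply, and the prefix-matching and fail-open heuristics are this example's own choices.

```python
"""Audit Cisco IOS AAA command-authorization statements against a checklist.

Added example for this thread (not from the original posts or from Cisco).
Only the presence of configuration lines is checked; nothing here talks to a
device or to an ACS server.
"""
from typing import Dict, List

# Trimmed from the switch config posted in the thread.
SWITCH_CONFIG = """\
aaa new-model
aaa group server tacacs+ AAA
 server 10.10.10.1
 server 10.10.10.2
aaa authentication login AAA group tacacs+ local
aaa authorization exec default group AAA if-authenticated
aaa authorization commands 1 default group AAA if-authenticated
aaa authorization commands 15 default group AAA if-authenticated
aaa accounting commands 15 default start-stop group AAA
"""

# Trimmed from the router config posted in the thread (newer accounting syntax
# with indented sub-commands).
ROUTER_CONFIG = """\
aaa new-model
aaa group server tacacs+ AAA
 server-private 10.10.10.1 key 11111
aaa authentication login AAA group AAA local
aaa authorization console
aaa authorization exec default group AAA if-authenticated
aaa authorization commands 1 default group AAA if-authenticated
aaa authorization commands 15 default group AAA if-authenticated
aaa accounting commands 15 default
 action-type start-stop
 group AAA
"""

# Statements the reply above says are required for command authorization.
# They are matched by prefix so that a different method list (e.g. "group AAA"
# instead of "group tacacs+ local") still counts as present.
REQUIRED_PREFIXES = [
    "aaa new-model",
    "aaa authorization config-commands",
    "aaa authorization commands 0 default",
    "aaa authorization commands 1 default",
    "aaa authorization commands 15 default",
]


def top_level_lines(config: str) -> List[str]:
    """Return non-indented, non-comment lines; indented lines are sub-commands."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln and not ln.startswith((" ", "!"))]


def audit(config: str) -> Dict[str, List[str]]:
    """Report required statements that are missing and fail-open method lists."""
    lines = top_level_lines(config)
    missing = [p for p in REQUIRED_PREFIXES
               if not any(ln == p or ln.startswith(p + " ") for ln in lines)]
    # "if-authenticated" as the last authorization method means that when the
    # TACACS+ servers are unreachable, any authenticated user is authorized for
    # the requested level, so a read-only user would reach conf t. Flag it so
    # the operator can decide whether that fallback is acceptable.
    fail_open = [ln for ln in lines
                 if ln.startswith("aaa authorization ") and ln.endswith(" if-authenticated")]
    return {"missing": missing, "fail_open": fail_open}


if __name__ == "__main__":
    for name, cfg in (("switch", SWITCH_CONFIG), ("router", ROUTER_CONFIG)):
        result = audit(cfg)
        print(f"{name}: missing={result['missing']}")
        print(f"{name}: fail-open lists={len(result['fail_open'])}")
```

Run against the two snippets from the thread, both devices come back missing the same two statements from the checklist (`aaa authorization config-commands` and `commands 0`), so the checklist alone does not explain why the switch and router behave differently; the remaining differences are the authentication method list, `aaa authorization console`, and the accounting syntax, which is where the next round of debugging would look.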
02-21-2013 02:40 PM
Thanks for the quick response.
Unfortunately your suggestions do not work. As I mentioned in my original post, ACS access to switches is working fine: the readonly user can see all info about the switch but does not have access to conf t.
With the router it is a different thing. With the same settings as for the switches, the user does not have access to the show run command and is also not able to get to conf t.
Not being able to get to conf t is fine, but show running should be available (as it is for switches).
Any idea?
02-22-2013 09:07 PM
What is the ACS version that you are using?
Can you show us screenshots of the config (user groups, device groups and shell profiles (or shell command set)) that you are using?
Rating useful replies is more useful than saying "Thank you"
02-25-2013 01:17 PM
I am using ACS 4.2
Release 4.2(1) Build 15 Patch 2
02-25-2013 01:37 PM
You need to select "Assign a shell authorization set up for any network device"
https://supportforums.cisco.com/servlet/JiveServlet/downloadImage/2-3866313-130557/450-500/2.JPG
Regards,
Jatin Katyal
- Do rate helpful posts -
02-25-2013 02:59 PM
I am assigning "Shell Command auth set on a per network device group basis".
Why do you think I need to assign a shell auth set for any network device?
03-04-2013 11:28 PM
Your config looks OK from the screenshots you posted.
Just make sure the user you are using does not have a different configuration than its group. If the user has a different configuration than its group, the user config will take effect.
Try testing with different users in that group to isolate the problem. Do all users experience the same behavior?
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you"
03-05-2013 06:34 AM
The behaviour is OK for switches: the user gets the # prompt and can read the running-config, but when trying to get to conf t the user gets a "command not authorized" response (which is what I would like to have). Unfortunately it does not work for routers. With this config the user has full access to routers.
Tested with other users, brand-new users, no different settings on the user level, with the same result.