How to make AAA access and prevent conf t?

endpoint
Level 1

Hello

I am trying to set up AAA access to our network switches and routers with the following requirements:

Have two groups in the ACS server: one ReadWrite (full access), the second ReadOnly (full access except the conf t command).

Created network device groups. Created ACS groups (NetAdmin); shell (exec) is privilege level 15, shell command authorization set is configured ReadWrite for switches and routers.

With the commands below I managed to get it working OK for switches but cannot get it right for routers. Basically I get authenticated but still have access to conf t on routers. On switches the readonly group does not have access to conf t.

========================================================

Switch:

aaa new-model
!
!
aaa group server tacacs+ AAA
 server 10.10.10.1
 server 10.10.10.2
!
aaa authentication login default none
aaa authentication login AAA group tacacs+ local
aaa authentication login AAA-LOCAL local
aaa authentication enable default group AAA enable
aaa authorization exec default group AAA if-authenticated
aaa authorization commands 1 default group AAA if-authenticated
aaa authorization commands 15 default group AAA if-authenticated
aaa accounting exec default start-stop group AAA
aaa accounting commands 1 default start-stop group AAA
aaa accounting commands 15 default start-stop group AAA
aaa accounting network default start-stop group AAA
aaa accounting connection default start-stop group AAA
aaa accounting system default start-stop group AAA
!
line vty 0 4
 login authentication AAA

=======================================================

Router:

aaa new-model
!
!
aaa group server tacacs+ AAA
 server-private 10.10.10.1 key 11111
!
aaa authentication login AAA-LOCAL local
aaa authentication login AAA group AAA local
aaa authentication enable default group AAA enable
aaa authorization console
aaa authorization exec default group AAA if-authenticated
aaa authorization commands 1 default group AAA if-authenticated
aaa authorization commands 15 default group AAA if-authenticated
aaa accounting exec default
 action-type start-stop
 group AAA
!
aaa accounting commands 1 default
 action-type start-stop
 group AAA
!
aaa accounting commands 15 default
 action-type start-stop
 group AAA
!
aaa accounting network default
 action-type start-stop
 group AAA
!
aaa accounting connection default
 action-type start-stop
 group AAA
!
aaa accounting system default
 action-type start-stop
 group AAA
!
!
line vty 0 4
 login authentication AAA

=============================================================

Based on the commands above, how can I set up AAA to fulfil our needs?

Your help is appreciated.


8 Replies

Jatin Katyal
Cisco Employee

ACS 4.x

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#backinfo

ACS 5.x

http://www.cisco.com/en/US/products/ps9911/products_configuration_example09186a0080bc8514.shtml

These commands are required on an IOS router or switch in order to implement command authorization through an ACS server:

    aaa new-model
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    tacacs-server host 10.1.1.1
    tacacs-server key cisco123

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#rou

Jatin Katyal


- Do rate helpful posts -

~Jatin
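As an added example (not code from this thread, from Cisco, or from ACS), here is a small Python checker that takes a pasted IOS running-config and reports which of the command-authorization statements listed in the reply above are absent, plus two fallback settings worth knowing about when reviewing the posted configs. The function and constant names (`parse_config`, `audit_aaa`, `REQUIRED`, `SWITCH_CONFIG`) are mine; the embedded sample is the switch config from the question.

```python
"""Audit a Cisco IOS AAA configuration for TACACS+ command authorization.

Added example for this thread; it is not code from the original posts or
from Cisco. It parses a pasted running-config excerpt, reports which of the
command-authorization statements listed in the reply are absent, and flags
two fallback settings a reviewer should be aware of.
"""
import re

# One entry per statement in the reply's list: (description, regex matched
# against a whitespace-normalised line). The TACACS+ group name varies
# between devices, so it is matched as \S+.
REQUIRED = [
    ("aaa new-model", r"^aaa new-model$"),
    ("authorization of configuration-mode commands (aaa authorization config-commands)",
     r"^aaa authorization config-commands$"),
    ("command authorization, privilege level 0", r"^aaa authorization commands 0 default group \S+"),
    ("command authorization, privilege level 1", r"^aaa authorization commands 1 default group \S+"),
    ("command authorization, privilege level 15", r"^aaa authorization commands 15 default group \S+"),
]


def parse_config(text):
    """Return the config as a list of normalised statements.

    Blank lines are dropped and runs of whitespace collapsed. IOS treats a
    line beginning with '!' as a comment, so such lines are dropped too.
    """
    statements = []
    for raw in text.splitlines():
        line = re.sub(r"\s+", " ", raw.strip())
        if line and not line.startswith("!"):
            statements.append(line)
    return statements


def audit_aaa(text):
    """Return (missing, warnings) for one device config.

    missing  - descriptions of REQUIRED statements that are not present
    warnings - fallback settings that weaken enforcement
    """
    statements = parse_config(text)
    missing = [desc for desc, pattern in REQUIRED
               if not any(re.match(pattern, s) for s in statements)]

    warnings = []
    for s in statements:
        # 'none' as the only method on the default login list leaves every
        # line that uses the default list (typically the console) unauthenticated.
        if s == "aaa authentication login default none":
            warnings.append("default login list is 'none': lines using it need no credentials")
        # 'if-authenticated' is a fallback method: when the TACACS+ servers
        # return an error (e.g. unreachable), any authenticated user is authorized.
        m = re.match(r"^aaa authorization (exec|commands \d+) \S+ group \S+ if-authenticated$", s)
        if m:
            warnings.append(f"authorization {m.group(1)} falls back to if-authenticated "
                            "when the TACACS+ group is unreachable")
    return missing, warnings


# Constructed sample: the switch config as posted in the question.
SWITCH_CONFIG = """
aaa new-model
aaa group server tacacs+ AAA
 server 10.10.10.1
 server 10.10.10.2
aaa authentication login default none
aaa authentication login AAA group tacacs+ local
aaa authentication enable default group AAA enable
aaa authorization exec default group AAA if-authenticated
aaa authorization commands 1 default group AAA if-authenticated
aaa authorization commands 15 default group AAA if-authenticated
aaa accounting commands 15 default start-stop group AAA
line vty 0 4
 login authentication AAA
"""

if __name__ == "__main__":
    missing, warnings = audit_aaa(SWITCH_CONFIG)
    for desc in missing:
        print("MISSING :", desc)
    for w in warnings:
        print("WARNING :", w)
```

Run against the posted switch config it reports the `config-commands` and level 0 statements as absent and lists the `none` and `if-authenticated` fallbacks; paste the router config into `audit_aaa` the same way to compare the two devices side by side.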

Thanks for the quick response.

Unfortunately your suggestions do not work. As I mentioned in my original post, ACS access to switches is working fine; a readonly user can see all info about the switch but does not have access to conf t.

With the router it is a different thing. With the same settings as for the switches, the user does not have access to the show run command and is also not able to get to conf t.

Not being able to get to conf t is fine, but show running should be available (as it is available for switches).

Any idea?

What is the ACS version that you are using?

Can you show us screenshots of the config (user groups, device groups and shell profiles (or shell command set)) that you are using?

Rating useful replies is more useful than saying "Thank you"


I am using ACS 4.2

Release 4.2(1) Build 15 Patch 2

You need to select "Assign a shell authorization set up for any network device"

https://supportforums.cisco.com/servlet/JiveServlet/downloadImage/2-3866313-130557/450-500/2.JPG

Regards,

Jatin Katyal


I am assigning "Shell Command auth set on a per network device group basis".

Why do you think I need to assign a shell auth set for any network device?

Your config looks OK from the screenshots you posted.

Just make sure the user you are using does not have a different configuration than its group. If the user has a different configuration than its group, the user config will take effect.

Try to test with different users in that group to isolate. Do all users experience the same behavior?

Regards,

Amjad


The behaviour is OK for switches; the user gets the # prompt and can read the running config, but when trying to get to conf t gets an unauthorized command message (which is what I would like to have). Unfortunately it does not work for routers. With this config the user has all access to routers.

Tested with other users, brand-new users, no different settings at the user level, with the same result.