Solved: Parser View vs Privilege Level using AAA / TACACS Authorization

chira.cipri@gmail.com · ‎03-01-2021

Hell community,

I am looking into Cisco's AAA implementation. Specifically, I want to implement role based access control integrated with TACACS Authorization for VTY Access. I am not interested in using local authentication.

I have perused Cisco documentation and I have found there are two ways to implement this. One method makes use of the parser view. You can define a view and exclude or include commands from that view.

Device(config)# parser view first inclusive
Device(config-view)# secret 5 firstpass
Device(config-view)# command exec exclude show version
Device(config-view)# command exec exclude configure terminal
Device(config-view)# command exec exclude all show ip
Device(config-view)# exit
Device(config)# parser view second
Device(config-view)# secret 5 secondpass
Device(config-view)# command exec include-exclusive show ip interface
Device(config-view)# command exec include logout
Device(config-view)# exit

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/15-mt/sec-usr-cfg-15-mt-book/sec-role-base-cli.html#GUID-8CFFD65B-EE7E-41E0-92A5-35CACC7F4578

The second method is to define privilege levels and and move commands from one privilege level to another. By default, Cisco device come with privilege levels 0, 1 and 15 by default. Which means a network admin can define levels 2-14 and assign different commands there.

Device(config)# enable secret level level password
Device(config)# privilege exec level level command-string
Device(config)# privilege exec all level level command-string

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/15-mt/sec-usr-cfg-15-mt-book/sec-cfg-sec-4cli.html#GUID-3D5E3E28-99F1-4061-BE6C-DE8BF66C0C9F

The Cisco documentation is pretty good in explaining how the privilege levels and parser views function on the Cisco device, but what I am specifically interested in is to integrate this with AAA for TACACS authorization.

Which method can be used to implement role based access control on a TACACS server: privilege levels, parser views or both ? And if so, how ? Is it dependent on the capabilities of the TACACS server itself ?

Greg Gibbs · ‎03-01-2021

The most common approach I see is using privilege levels with command authorisation via TACACS Command Sets and Profiles. See the Cisco ISE Device Administration Prescriptive Deployment Guide for examples on how you can do this with ISE. Any standards-based TACACS+ server should support the same functions, but you would need to test it.

I've never used parser view, but it looks like it's possible to specify them in a TACACS Profile. This document uses CS-ACS, but you should be able to use the same approach in ISE or another T+ solution.

https://community.cisco.com/t5/security-documents/create-role-based-cli-for-the-ios-router-and-link-it-with-users/ta-p/3136438

View solution in original post

Greg Gibbs · ‎03-01-2021

The most common approach I see is using privilege levels with command authorisation via TACACS Command Sets and Profiles. See the Cisco ISE Device Administration Prescriptive Deployment Guide for examples on how you can do this with ISE. Any standards-based TACACS+ server should support the same functions, but you would need to test it.

I've never used parser view, but it looks like it's possible to specify them in a TACACS Profile. This document uses CS-ACS, but you should be able to use the same approach in ISE or another T+ solution.

https://community.cisco.com/t5/security-documents/create-role-based-cli-for-the-ios-router-and-link-it-with-users/ta-p/3136438