03-01-2021 11:12 AM - edited 03-01-2021 11:14 AM
Hello community,
I am looking into Cisco's AAA implementation. Specifically, I want to implement role based access control integrated with TACACS Authorization for VTY Access. I am not interested in using local authentication.
I have perused Cisco documentation and I have found there are two ways to implement this. One method makes use of the parser view. You can define a view and exclude or include commands from that view.
Device(config)# parser view first inclusive
Device(config-view)# secret 5 firstpass
Device(config-view)# command exec exclude show version
Device(config-view)# command exec exclude configure terminal
Device(config-view)# command exec exclude all show ip
Device(config-view)# exit
Device(config)# parser view second
Device(config-view)# secret 5 secondpass
Device(config-view)# command exec include-exclusive show ip interface
Device(config-view)# command exec include logout
Device(config-view)# exit
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/15-mt/sec-usr-cfg-15-mt-book/sec-role-base-cli.html#GUID-8CFFD65B-EE7E-41E0-92A5-35CACC7F4578
The second method is to define privilege levels and move commands from one privilege level to another. By default, Cisco devices come with privilege levels 0, 1 and 15, which means a network admin can define levels 2-14 and assign different commands there.
Device(config)# enable secret level level password
Device(config)# privilege exec level level command-string
Device(config)# privilege exec all level level command-string
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/15-mt/sec-usr-cfg-15-mt-book/sec-cfg-sec-4cli.html#GUID-3D5E3E28-99F1-4061-BE6C-DE8BF66C0C9F
The Cisco documentation is pretty good in explaining how the privilege levels and parser views function on the Cisco device, but what I am specifically interested in is to integrate this with AAA for TACACS authorization.
Which method can be used to implement role based access control on a TACACS server: privilege levels, parser views or both? And if so, how? Is it dependent on the capabilities of the TACACS server itself?
03-01-2021 01:32 PM
The most common approach I see is using privilege levels with command authorisation via TACACS Command Sets and Profiles. See the Cisco ISE Device Administration Prescriptive Deployment Guide for examples on how you can do this with ISE. Any standards-based TACACS+ server should support the same functions, but you would need to test it.
I've never used parser view, but it looks like it's possible to specify them in a TACACS Profile. This document uses CS-ACS, but you should be able to use the same approach in ISE or another T+ solution.
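The device-side AAA wiring that connects the two methods from the question to the server-side approach described in the reply, as an added example for this thread (it is not code from the original post, the reply, or Cisco's guides). The server name, its address, the shared secret, the method-list names and the VTY range are placeholders; the example assumes an IOS/IOS-XE device and a reachable TACACS+ server that returns a shell profile and answers per-command authorization requests.

```cisco
! Added example: IOS-side AAA for TACACS+-driven role based VTY access.
! Names, address and key below are placeholders for this example.
aaa new-model
!
! TACACS+ server definition (address and key are placeholders)
tacacs server TACACS-PRIMARY
 address ipv4 192.0.2.10
 key EXAMPLE-SHARED-SECRET
!
aaa group server tacacs+ TACACS-GROUP
 server name TACACS-PRIMARY
!
! Login and EXEC authorization come from the server. The EXEC reply carries
! the user's role: the shell profile returns priv-lvl=<n> for the
! privilege-level method, or cli-view-name=<view> for the parser-view method
! (the view itself is still defined locally under "parser view", and the
! root view must have been enabled once with "enable view").
aaa authentication login VTY-LOGIN group TACACS-GROUP
aaa authorization exec VTY-EXEC group TACACS-GROUP
!
! Per-command authorization: each command typed in the session is sent to
! the server, which answers PASS or FAIL from its command sets. Both levels
! are listed because a command keeps its own privilege level regardless of
! the user's level (show version is level 1 even for a level-15 user); add
! more levels here if commands are moved to 2-14 with "privilege exec level".
aaa authorization commands 1 VTY-CMDS group TACACS-GROUP
aaa authorization commands 15 VTY-CMDS group TACACS-GROUP
! Configuration-mode commands are authorized too (on by default, shown explicitly)
aaa authorization config-commands
!
! Command accounting gives the server an audit trail of what each role ran
aaa accounting commands 15 VTY-ACCT start-stop group TACACS-GROUP
!
! Keep the console out of server-side authorization so a TACACS+ outage
! cannot block local recovery; a named list only applies where it is bound.
aaa authorization exec CON-NONE none
aaa authorization commands 15 CON-NONE none
!
line con 0
 authorization exec CON-NONE
 authorization commands 15 CON-NONE
!
line vty 0 4
 login authentication VTY-LOGIN
 authorization exec VTY-EXEC
 authorization commands 1 VTY-CMDS
 authorization commands 15 VTY-CMDS
 accounting commands 15 VTY-ACCT
 transport input ssh
```

On the server side this maps to the objects named in the reply: a TACACS Profile (shell profile) that returns the privilege level, or the view name, for each role, and a TACACS Command Set per role that the `aaa authorization commands` lists consult for every command. With the privilege-level method the usual pattern is to return `priv-lvl=15` to everyone and let the command sets do the restricting, so the device-side `privilege exec level` remapping is optional; with the parser-view method the view still has to exist on every device before the server can assign it.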