Parser View vs Privilege Level using AAA / TACACS Authorization

Hello community,

I am looking into Cisco's AAA implementation. Specifically, I want to implement role based access control integrated with TACACS Authorization for VTY Access. I am not interested in using local authentication. 

I have perused Cisco documentation and I have found there are two ways to implement this. One method makes use of the parser view. You can define a view and exclude or include commands from that view. 

Device(config)# parser view first inclusive
Device(config-view)# secret firstpass
Device(config-view)# commands exec exclude show version
Device(config-view)# commands exec exclude configure terminal
Device(config-view)# commands exec exclude all show ip
Device(config-view)# exit
Device(config)# parser view second
Device(config-view)# secret secondpass
Device(config-view)# commands exec include-exclusive show ip interface
Device(config-view)# commands exec include logout
Device(config-view)# exit

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/15-mt/sec-usr-cfg-15-mt-book/sec-role-base-cli.html#GUID-8CFFD65B-EE7E-41E0-92A5-35CACC7F4578

The second method is to define privilege levels and move commands from one privilege level to another. By default, Cisco devices come with privilege levels 0, 1 and 15, which means a network admin can define levels 2-14 and assign different commands there.

Device(config)# enable secret level <level> <password>
Device(config)# privilege exec level <level> <command-string>
Device(config)# privilege exec all level <level> <command-string>

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/15-mt/sec-usr-cfg-15-mt-book/sec-cfg-sec-4cli.html#GUID-3D5E3E28-99F1-4061-BE6C-DE8BF66C0C9F

The Cisco documentation is pretty good in explaining how the privilege levels and parser views function on the Cisco device, but what I am specifically interested in is to integrate this with AAA for TACACS authorization. 

Which method can be used to implement role based access control on a TACACS server: privilege levels, parser views or both? And if so, how? Is it dependent on the capabilities of the TACACS server itself?

 

Accepted Solution
Greg Gibbs
Cisco Employee

The most common approach I see is using privilege levels with command authorisation via TACACS Command Sets and Profiles. See the Cisco ISE Device Administration Prescriptive Deployment Guide for examples on how you can do this with ISE. Any standards-based TACACS+ server should support the same functions, but you would need to test it.

I've never used parser view, but it looks like it's possible to specify them in a TACACS Profile. This document uses CS-ACS, but you should be able to use the same approach in ISE or another T+ solution.

https://community.cisco.com/t5/security-documents/create-role-based-cli-for-the-ios-router-and-link-it-with-users/ta-p/3136438
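As an added example (not from the original post, the reply, or Cisco's documentation), the IOS configuration below wires both mechanisms from the question to TACACS+ the way the reply describes: the server's shell profile returns priv-lvl for the privilege-level approach or cli-view-name for the parser-view approach, and a command set on the server authorizes individual commands. The server address, group name, view name and every secret are placeholders I chose; they are not from the page.

```cisco
! Added example, not from the original post or Cisco documentation.
! Assumptions: TACACS+ server at 192.0.2.10, server group TACACS-GROUP,
! view name NETOPS-RO; every secret below is a placeholder to replace.
aaa new-model
!
! --- TACACS+ server definition and method lists ---
tacacs server ISE-PSN1
 address ipv4 192.0.2.10
 key EXAMPLE-SHARED-SECRET
aaa group server tacacs+ TACACS-GROUP
 server name ISE-PSN1
!
! Login and EXEC authorization come from TACACS+. "local" is only the
! fallback when every server is unreachable, never the normal path.
aaa authentication login VTY-AUTH group TACACS-GROUP local
aaa authorization exec VTY-AUTHZ group TACACS-GROUP local
!
! Per-command authorization is requested only for the levels listed here.
! A command at a level that is not listed is gated solely by the local
! privilege level or view, so list every level a role can land in.
aaa authorization commands 1 VTY-AUTHZ group TACACS-GROUP
aaa authorization commands 5 VTY-AUTHZ group TACACS-GROUP
aaa authorization commands 15 VTY-AUTHZ group TACACS-GROUP
aaa authorization config-commands
aaa accounting commands 15 default stop-only group TACACS-GROUP
!
! --- Method 1: a custom privilege level for a read-only operator role ---
! The server places a user at this level by returning priv-lvl=5 in the
! shell (exec) authorization reply; the role's command set on the server
! then permits or denies each command the user types.
enable secret level 5 EXAMPLE-LEVEL5-SECRET
privilege exec level 5 show running-config
privilege exec all level 5 show ip
! Caveat: moving "show ip ..." and "show running-config" to level 5 also
! raises the parent keyword "show" to level 5, so level-1 users would lose
! every show command. Pin the parent keyword back to level 1 explicitly.
privilege exec level 1 show
!
! --- Method 2: a parser view for the same role ---
! Views are created from the root view (enable view). The server assigns a
! view per user with cli-view-name=NETOPS-RO in the shell authorization
! reply, which is only applied when aaa authorization exec is in effect.
! Without the "inclusive" keyword, everything not listed is excluded.
parser view NETOPS-RO
 secret EXAMPLE-VIEW-SECRET
 commands exec include show version
 commands exec include all show ip
 commands exec include show running-config
!
! --- Apply the method lists to the VTY lines ---
line vty 0 4
 transport input ssh
 login authentication VTY-AUTH
 authorization exec VTY-AUTHZ
 authorization commands 1 VTY-AUTHZ
 authorization commands 5 VTY-AUTHZ
 authorization commands 15 VTY-AUTHZ
```

To check which mechanism actually took effect after a TACACS+ login, run show privilege and show parser view in the session; show parser view reports the current view, and show privilege the level the server's reply placed you in. The server reply itself can be inspected before touching the lines with test aaa group TACACS-GROUP <user> <password> legacy, which prints the attributes returned for the user (priv-lvl, cli-view-name) so a profile mistake is caught without locking the VTYs.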

 
