Permitting/denying commands via ACS
06-04-2003 04:39 PM - edited 03-10-2019 07:20 AM
I am attempting to set up a couple of different user levels in our ACS server. Group 1 will have all privileges (15). Group 2 will have limited access to command sets (help desk folks). I was hoping I could avoid putting any "privilege exec level" commands in the router but rather control everything from the ACS server. I set up a group 2 and assigned privilege level 7 to it. Through the "Shell Command Authorization Set" I was hoping to be able to apply the necessary commands this group could execute, but it doesn't seem to be working. The commands that I "permit" for this group do not get executed. Users in Group 1 (level 15) work fine. I have both the "SHELL EXEC privilege levels" and the "MAX PRIVILEGE enable" options set to level 7 in the ACS server for group 2.
Any hints on what I'm missing? Attached is a copy of my router config.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable none
aaa authorization exec default group tacacs+ none
aaa authorization commands 7 default group tacacs+ local
enable password cisco
!
username admin privilege 15 password 0 cisco
!
tacacs-server host 136.237.26.10
tacacs-server timeout 10
tacacs-server key cisco
!
line con 0
line aux 0
line vty 0 4
password cisco
Authentication is working fine against our NT domain.
06-05-2003 01:41 AM
I found this an interesting challenge. Hooked a laptop to the console, copied the config in a test machine, set up AAA and checked your findings. It is working now. I think you did not alter the setting for the user under enable options. It is set to No Privilege by default. Set this to use group level settings. I also had to configure the enable password for the user in ACS.
Here is a copy of my AAA settings:
!
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication login no_tacacs enable
aaa authentication enable default tacacs+ enable none
aaa authorization exec default tacacs+ if-authenticated
aaa authorization commands 7 default tacacs+ local
aaa authorization commands 15 default tacacs+ local
aaa accounting exec default start-stop tacacs+
!
The method no_tacacs is used for the console to prevent admin lockouts.
Doing a debug aaa authen & author was quite helpful in getting this to work.
Without specifying any commands, TACACS now refuses to enable because: "T+ enable privilege too low".
Regards,
Leo
06-06-2003 02:35 AM
Re-reading your question I concluded that my answer was not complete. I did some additional research and now I think I know how it works with ACS.
When you check for command authorization:
aaa authorization commands 15 default tacacs+ local
you are requesting authorization for all level 15 (in this case) commands.
When you grant level 7 to a user, no commands will be checked while the user's priv-lvl is too low.
What I did was this: grant level 15 to the testusers group. Then, in the ACS, add the commands that are allowed for the group, the command
I also found that it makes no difference when you enter a certain level under the enable-options. It works with level 15 as priv-level under shell settings.
Hope this solves your issue.
Regards,
Leo
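To make the behaviour Leo describes concrete, here is an added model (my own example code, not Cisco's, ACS's or anything from this thread) of the two decisions involved: the router only sends a TACACS+ authorization request for commands whose privilege level exactly matches an "aaa authorization commands N" line and is not above the user's priv-lvl, and ACS then matches the command and its arguments against the group's shell command authorization set. It goes one step beyond the thread by also showing that level-1 commands are never checked unless "aaa authorization commands 1" is configured too. The command privilege levels and the helpdesk set are constructed, and the argument matching is an approximation of ACS's regular-expression "permit" lines.

```python
import re
from dataclasses import dataclass

# Constructed default privilege levels for a few IOS commands (assumption:
# most "show" commands default to level 1; "show running-config",
# "configure terminal" and "reload" default to level 15).
COMMAND_LEVELS = {
    "show running-config": 15,
    "show mac-address-table": 1,
    "show ip interface brief": 1,
    "configure terminal": 15,
    "reload": 15,
}

def command_level(cmd: str) -> int:
    """Return the privilege level a command executes at (unknown -> 1)."""
    for prefix, level in COMMAND_LEVELS.items():
        if cmd == prefix or cmd.startswith(prefix + " "):
            return level
    return 1

@dataclass
class CommandSet:
    """Simplified ACS shell command authorization set: a command word maps to
    the argument patterns it is permitted with (ACS treats the "permit" lines
    as regular expressions; modelled here with re.fullmatch).  Commands that
    appear in no entry are denied when unmatched_commands_deny is True."""
    permits: dict
    unmatched_commands_deny: bool = True

    def authorize(self, cmd: str) -> bool:
        word, _, args = cmd.partition(" ")
        if word not in self.permits:
            return not self.unmatched_commands_deny
        return any(re.fullmatch(p, args) for p in self.permits[word])

@dataclass
class Router:
    """Levels N for which "aaa authorization commands N default group tacacs+"
    is configured; only commands at exactly those levels are sent to ACS."""
    authz_levels: set

    def run(self, user_priv: int, cmd: str, acs: CommandSet) -> str:
        level = command_level(cmd)
        if level > user_priv:
            return "not available"           # IOS hides commands above priv-lvl
        if level not in self.authz_levels:
            return "executed (not checked)"  # no TACACS+ request is ever sent
        return "executed" if acs.authorize(cmd) else "authorization failed"

# Constructed helpdesk set matching the commands discussed in this thread.
HELPDESK = CommandSet({"show": [r"running-config interface fastethernet.*",
                                r"mac-address-table.*"]})
```

With a priv-lvl 7 user and only "commands 7" configured, the set is never consulted: level-15 commands are hidden and level-1 commands run unchecked; with priv-lvl 15 and "commands 15", the permitted show commands pass and everything else in the level-15 set is refused.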
07-09-2003 03:49 AM
Hi,
I am a beginner with ACS and am trying the same thing. I have ACS 3.2 and am trying to create a helpdesk user which only has the following access (e.g.):
show running-config interface fastethernet
show mac-address-table
We have admins setup and all work no problem with priv 15.
My router config is as follows:
aaa new-model
aaa authentication login radius-login group radius local
aaa authentication enable default group radius enable none
aaa authorization console
aaa authorization exec default group radius local
In ACS I created a helpdesk user and a helpdesk group. I assigned a "shell command authorization set" to the group. This has "show" in one box (the box has no title!) and "permit running-config interface fastethernet" and "permit mac-address-table" in the other.
However it doesn't work.
The helpdesk either gets full control once logged in or else gets a user prompt only.
I also played around with the "cisco-av pair" field, entering "priv-lvl=15" and "priv-lvl=7" alternately, to no avail.
Can anyone here let me know what I am doing wrong?
Many thanks indeed,
SS
