05-02-2011 09:54 AM - edited 03-10-2019 06:02 PM
I am trying to configure a group of users to get read-only access to our equipment (switches and routers), specifically show run or show start. I set the command set to permit those 2 commands and I created a rule for that group, but it does not work as desired.
Any ideas? Thank you.
05-03-2011 06:39 AM
There are a couple of ways that you can accomplish what you are looking to do. What you need to remember is that when showing the running-config you can only see what you have authorization to configure so just allowing a RO user to execute the show run command isn't going to show them much.
One thing you could do is to lower the privilege level required to run the "show configuration" command. The command is "privilege exec level 1 show configuration" and would need to be applied to all your devices. This would allow privilege level 1 users to view the startup-config but not the running-config.
Since you are running ACS, another solution would be to create a rule to permit these RO users to login and actually authorize at level 15, which by default allows one to configure everything (remember that to be able to see it in the running-config you must be authorized to configure it). Then create a limited command set that only allows the commands they need to use.
Hope this helps,
Greg
05-02-2011 10:38 AM
What AAA commands do you have on your router?
05-02-2011 12:25 PM
I might be missing something in the AAA config.
Here is the AAA config:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CON local
aaa authorization exec default group tacacs+ if-authenticated none
aaa authorization commands 1 default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ if-authenticated none
aaa accounting exec default start-stop group tacacs+
05-02-2011 08:09 PM
Hello
Add another command such as "aaa author command 0 default group tac if-authen none" and see if it works. Otherwise, send a screenshot of the TACACS server where you configure the command set.
Thanks
Devashree
05-03-2011 07:16 AM
Thanks for the replies.
Actually the first option is impossible to do in my case, since I have around a couple of hundred pieces of equipment to modify, and I was trying to do it with ACS because of this.
The second option worked well for me: I gave them privilege 15 and applied the read-only command set on that rule.
The mistake I was making is that I created a privilege 6 rule and set the command set to allow privilege 15 commands in it, which didn't work.
Thanks a lot
05-04-2011 06:26 PM
Hi Chahine75,
Did your second solution actually give your users the right to only see the commands that you specified in the command set?
Thanks,
aleruri
05-04-2011 07:22 PM
The users can see all the commands but they will only receive authorization to run the commands you specify in the command set. You also need to have your aaa configured to do command authorization against your ACS for this to work properly.
05-04-2011 07:50 PM
Thanks Greg Cover,
That sort of worked.
Is there any way to link the Role-based CLI views created in the AAA client to the user created in the ACS server? I know that you could do that in ACS 4.2 by using the “cli-view-name” attribute.
What I have in mind is to login with some user and that the ACS 5.2 server links this user with a view previously created in the AAA client:
Something like:
username: cenetacs
password:
SOLAR_WINDS_TEST#?
Exec commands:
<1-99> Session number to resume
copy Copy from one file to another
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
SOLAR_WINDS_TEST#
Does anyone know how to achieve this?
Typing the command "enable view something" is not an option for us.
Thanks,
05-04-2011 08:28 PM
The only way I know to do that would be to create a custom privilege level in your device IOS configuration and associate the commands to that privilege level that you want users of that privilege level to be able to see/use. You would then have to define a shell profile in the ACS for that privilege level and associate it in an authorization rule. I think that would accomplish what you are looking to do.
Greg
05-04-2011 08:33 PM
Thanks Greg,
So what you are saying is that you are not aware of a way to link the role-based CLI view created on the AAA client device to the user on the ACS server?
Because as you probably know the role-based cli view configuration allows you to create a view and associate just a limited set of commands to that view, without having to create a custom privilege level in your device.
Thanks again.
aleruri
05-04-2011 08:53 PM
That's correct Alejandro, I'm not aware of a way to do that in ACS 5.2. If someone does know how to do it hopefully they will share it with us here. Perhaps you should start a new post on your issue specifically and see what kind of answers you get.
~GC
05-04-2011 08:58 PM
Thanks Greg,
your posts have been really helpful.
I will create a new thread with that question.
Cheers,
aleruri
05-05-2011 06:17 AM
Hi,
The users will see all the commands at privilege 15 if you gave them privilege 15 in your ACS, but they will only be allowed to execute the commands permitted in the command set that you defined.
RPWAN1#conf ?
confirm Confirm replacement of running-config with a new config file
memory Configure from NV memory
network Configure from a TFTP network host
overwrite-network Overwrite NV memory from TFTP network host
replace Replace the running-config with a new config file
terminal Configure from the terminal
RPWAN1#conf t
Command authorization failed.
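The behaviour described in Greg's reply and in the post above (the user sees every privilege-15 command, but ACS only authorizes the ones in the command set, while a rule that assigns privilege 6 is never even asked about privilege-15 commands because the IOS parser does not offer them at that level) can be modelled in a few lines. This is an added illustration, not code from this thread or from Cisco ACS. The privilege table, the command-set matching (ordered rules, first match wins, unmatched commands denied unless the "permit unmatched" option is set) and the response strings are constructed to mimic IOS and ACS 5.x behaviour and should be read as assumptions; the model takes fully expanded command lines, which is what the device sends to the server.

```python
import re
from dataclasses import dataclass

# Constructed subset of the IOS default command privilege table. The levels
# are the IOS defaults for these commands; a real device has thousands of
# entries, and "privilege exec level N <command>" would change an entry here.
IOS_COMMAND_PRIVILEGE = {
    "show version": 1,
    "show running-config": 15,
    "show startup-config": 15,
    "configure terminal": 15,
}


def command_visible(cmdline: str, privilege: int) -> bool:
    """True if the IOS parser offers this (fully expanded) command at the
    given privilege level. A command the parser does not know at that level
    is rejected locally and never sent to the TACACS+ server."""
    for cmd, level in IOS_COMMAND_PRIVILEGE.items():
        if cmdline == cmd or cmdline.startswith(cmd + " "):
            return level <= privilege
    return False


@dataclass
class CommandRule:
    permit: bool
    command: str         # first word of the command line, e.g. "show"
    arguments: str = ""  # regex matched against the rest; "" means anything


@dataclass
class CommandSet:
    """Model of an ACS 5.x command set (assumed semantics): ordered rules,
    first match wins, and an explicit choice for commands matched by no rule
    (ACS exposes this as 'Permit any command that is not in the table')."""
    rules: list
    permit_unmatched: bool = False

    def authorize(self, cmdline: str) -> bool:
        cmd, _, args = cmdline.strip().partition(" ")
        for rule in self.rules:
            if rule.command == cmd and re.fullmatch(rule.arguments or ".*", args):
                return rule.permit
        return self.permit_unmatched


def run_command(shell_privilege: int, command_set: CommandSet, cmdline: str) -> str:
    """Outcome of typing `cmdline` as a user whose ACS authorization rule
    granted `shell_privilege` and attached `command_set`."""
    if not command_visible(cmdline, shell_privilege):
        # Never reaches ACS: the parser does not know the command at this level.
        return "% Invalid input detected at '^' marker."
    if command_set.authorize(cmdline):
        return "OK"
    return "Command authorization failed."


# The read-only command set from the thread: only the two show commands.
READ_ONLY = CommandSet(rules=[
    CommandRule(permit=True, command="show", arguments=r"running-config"),
    CommandRule(permit=True, command="show", arguments=r"startup-config"),
])


if __name__ == "__main__":
    cases = [
        (6, "show running-config"),   # the original rule: privilege 6
        (15, "show running-config"),  # Greg's fix: privilege 15 + command set
        (15, "show startup-config"),
        (15, "configure terminal"),   # visible at 15, denied by ACS
        (15, "show version"),         # not in the set, so denied as well
    ]
    for priv, cmd in cases:
        print(f"priv {priv:>2}  {cmd:<20} -> {run_command(priv, READ_ONLY, cmd)}")
```

The last case is the caveat worth keeping in mind: with the set left at its default of denying unmatched commands, every command outside the two permitted ones fails authorization, including harmless ones like show version, so a practical read-only set normally lists more than the two commands asked about here. Flipping `permit_unmatched` to True turns the set into a deny-list instead, which is the weaker design for a read-only role.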