12-12-2019 04:42 AM - edited 02-21-2020 11:12 AM
I have a problem with prohibiting the "enable" command for a user "noob" via a Linux TACACS+ server.
I can authenticate and log into the Cisco device as "noob" via the Linux TACACS+ server; "noob" has privilege level 1 as intended, but is still able to use the "enable" command and also achieve privilege level 15 with it. What am I missing?
here the configs:
Cisco Router config:
!
enable secret 5 $1$SiyQ$rOXXXXXXXX1ZwOZQWHmoKJ8f
!
aaa new-model
!
aaa authentication login M-LOGIN group tacacs+ local
aaa authorization config-commands
aaa authorization exec M-EXEC group tacacs+ local
aaa authorization commands 0 M-LVL-0 group tacacs+ local
aaa authorization commands 1 M-LVL-1 group tacacs+ local
aaa authorization commands 15 M-LVL-15 group tacacs+ local
aaa accounting exec M-ACCT-EXEC start-stop group tacacs+
aaa accounting commands 1 M-1-ACCT start-stop group tacacs+
aaa accounting commands 15 M-15-ACCT start-stop group tacacs+
!
username user1 privilege 15 secret 5 P1dsafXXXXXXXXERHQIrr_8sfw
!
!
!
tacacs server test
address ipv4 192.168.0.1
key 7 XXXXXXXXXXXXXXXX19XXXXXXXXXx123F20291718
!
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
line vty 0 4
authorization commands 0 M-LVL-0
authorization commands 1 M-LVL-1
authorization commands 15 M-LVL-15
authorization exec M-EXEC
accounting commands 1 M-1-ACCT
accounting commands 15 M-15-ACCT
accounting exec M-ACCT-EXEC
login authentication M-LOGIN
transport input ssh
!
-----------------------------------------------------------------
Debian /etc/tacacs+/tac_plus.conf:
accounting file = /var/log/tac_plus.acct
key = "XXXXXXXxxxxxXXXXXxxxxxXXX"
group = admins {
default service = permit
service = exec {
priv-lvl = 15
}
}
group = test {
    # One cmd stanza per command: the original file listed "show" twice
    # (deny .* followed by permit .*); only the permit is kept here.
    cmd = enable { deny .* }
    cmd = show { permit .* }
    cmd = copy { permit .* }
    cmd = ping { permit .* }
    cmd = configure { deny .* }
    cmd = disable { permit .* }
    cmd = telnet { permit .* }
    cmd = disconnect { permit .* }
    cmd = where { permit .* }
    cmd = set { permit .* }
    cmd = clear { permit line }
    cmd = exit { permit .* }
    cmd = debug { permit .* }
}
user = user1 {
member = admins
login = des GXXXXXXXXZEQu
}
user = noob {
member = test
login = des F9XXXXXXXXOTu
}
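To reason about what the `test` group above actually permits, here is a small model of tac_plus command authorization. It is an added example, not the poster's configuration and not code from the tac_plus daemon: it approximates the documented matching rules (the stanza named after the first word is selected, its permit/deny regexes are tried in order against the argument string, the first match wins, no match denies, and a command with no stanza falls back to `default service`). The group texts `GROUP_TEST` and `GROUP_ADMINS` are constructed from the post, with a single `show` stanza; the parser handles only the syntax used on this page.

```python
import re

# Constructed from the tac_plus.conf in the post, with one "show" stanza
# (the original has both a deny and a permit stanza for "show").
GROUP_TEST = """
group = test {
    cmd = enable { deny .* }
    cmd = show { permit .* }
    cmd = configure { deny .* }
    cmd = clear { permit line }
    cmd = ping { permit .* }
}
"""

# Constructed: the admins group from the post, which permits everything not
# explicitly listed because of "default service = permit".
GROUP_ADMINS = """
group = admins {
    default service = permit
    service = exec { priv-lvl = 15 }
}
"""

CMD_RE = re.compile(r"cmd\s*=\s*(\S+)\s*\{([^}]*)\}")


def parse_group(text):
    """Extract what matters for command authorization from one group block:
    whether 'default service = permit' is set, and the ordered cmd stanzas,
    each an ordered list of (action, regex). Subset of tac_plus.conf only."""
    default_permit = re.search(r"default\s+service\s*=\s*permit", text) is not None
    stanzas = []
    for name, body in CMD_RE.findall(text):
        clauses = []
        for line in body.splitlines():
            line = line.strip()
            if not line:
                continue
            action, _, pattern = line.partition(" ")
            if action not in ("permit", "deny"):
                raise ValueError(f"unexpected clause in cmd = {name}: {line!r}")
            clauses.append((action, pattern.strip()))
        stanzas.append((name, clauses))
    return default_permit, stanzas


def authorize(group, cmdline):
    """True if the command line is permitted under the parsed group.
    The regexes are unanchored, like tac_plus's own examples that anchor
    with '^' explicitly. IOS also sends a trailing '<cr>' argument, which
    is omitted here; '.*' matches with or without it."""
    default_permit, stanzas = group
    words = cmdline.split()
    if not words:
        return False
    cmd, args = words[0], " ".join(words[1:])
    for name, clauses in stanzas:
        if name != cmd:
            continue
        for action, pattern in clauses:
            if re.search(pattern, args):
                return action == "permit"
        return False          # stanza exists but no clause matched
    return default_permit     # no stanza for this command


if __name__ == "__main__":
    for label, text in (("test", GROUP_TEST), ("admins", GROUP_ADMINS)):
        group = parse_group(text)
        for line in ("enable", "show running-config", "configure terminal",
                     "clear line 2", "clear counters", "reload"):
            verdict = "permit" if authorize(group, line) else "deny"
            print(f"{label:7} {line:22} {verdict}")
```

Two things the model makes visible: with the `test` group, `enable` is denied and any command without a stanza (`reload`, for instance) is also denied because the group has no `default service = permit`, while `admins` permits everything. Note that this only describes the server side; on the router the `M-LVL-1` command list is bound to `line vty 0 4`, and there is no `default` command authorization list, so only SSH sessions are subject to it. On the Debian host the Shrubbery daemon's parse-only mode, `tac_plus -P -C /etc/tacacs+/tac_plus.conf`, checks the real file for syntax errors before it is loaded.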
12-14-2019 04:44 PM
I am not experienced with the app you are using. I would recommend either trying its own support forum or switching to our product.
From what I can tell, you should be able to remove the enable cmd from the group "test".
12-16-2019 04:57 AM - edited 12-16-2019 04:57 AM
Your answer is not competent or helpful in any way. Can I mark it as spam? Have a nice day.
12-17-2019 02:29 PM
@starbuck33 wrote:
Your answer is not competent or helpful in any way. Can I mark it as spam? Have a nice day.
It seems as though you're asking about how to use a 3rd-party server? This forum is for using the ISE AAA server. Please repost your question to the TACACS+ server forum.
12-18-2019 12:32 AM