03-01-2007 09:47 PM - edited 03-10-2019 03:01 PM
I've set up the TACACS server with two groups:
-FULL admin rights
-READ only rights
Two users have been created:
-admin_test
-read_test
The admin_test config works fine on AAA but I keep getting stuck with the read_test config. I can never get to enable mode even though I've defined it on the group policy. Is there something wrong with my aaa statements below?
aaa authentication login default group tacacs+ line enable
aaa authentication enable default group tacacs+ enable line
aaa authorization exec default if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
03-02-2007 01:33 AM
Hi,
Use this document to learn more about privilege levels and how to configure them:
http://www.cisco.com/warp/public/480/PRIV.html
You need to define the actual privilege levels: what's allowed and what's not.
See the doc.
If you find this post useful, please don't forget to rate this.
#########################################
#Iwan Hoogendoorn
#########################################
03-02-2007 04:45 AM
Privilege is not scalable in a big environment. What you need is authorization on the ACS server. In Cisco Freeware TACACS+ I defined the following groups: readonly, advanced and admin:
group = readonly {
default service = deny
cmd = show { permit .* }
cmd = copy { permit .* }
cmd = ping { permit .* }
cmd = enable { permit .* }
cmd = configure { deny .* }
cmd = disable { permit .* }
cmd = telnet { permit .* }
cmd = disconnect { permit .* }
cmd = where { permit .* }
cmd = set { permit .* }
cmd = clear { permit line }
cmd = exit { permit .* }
cmd = debug { permit .* }
}
group = advanced {
default service = deny
cmd = show { permit .* }
cmd = copy { permit flash }
cmd = copy { permit running }
cmd = ping { permit .* }
cmd = configure { permit .* }
cmd = enable { permit .* }
cmd = disable { permit .* }
cmd = telnet { permit .* }
cmd = disconnect { permit .* }
cmd = where { permit .* }
cmd = set { permit .* }
cmd = clear { permit line }
cmd = exit { permit .* }
cmd = interface { permit .* }
}
group = admin {
default service = permit
}
As you can see, admin can access everything, readonly can only read. Advanced can make limited changes and admin can do everything. On the Cisco router, I have the following configuration:
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+
I find that by doing it this way, it is much more scalable than using privilege commands on the router itself.
David
CCIE Security
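To make the first-match semantics of those cmd blocks concrete, here is a small Python model of the per-command authorization decision. This is an added example, not tac_plus code and not David's configuration: GROUPS is a constructed, trimmed copy of the three groups above, and the rule that a listed command whose arguments match no pattern is denied follows the tac_plus documentation.

```python
import re

# Constructed model of tac_plus-style command authorization (example code,
# not the tac_plus daemon). Each group has a default service and, per
# command, an ordered list of (action, regex matched against the arguments).
GROUPS = {
    "readonly": {
        "default": "deny",
        "cmds": {
            "show": [("permit", r".*")],
            "ping": [("permit", r".*")],
            "enable": [("permit", r".*")],
            "configure": [("deny", r".*")],
            "clear": [("permit", r"line")],   # only 'clear line ...' is allowed
            "exit": [("permit", r".*")],
        },
    },
    "advanced": {
        "default": "deny",
        "cmds": {
            "show": [("permit", r".*")],
            "copy": [("permit", r"flash"), ("permit", r"running")],
            "configure": [("permit", r".*")],
            "interface": [("permit", r".*")],
        },
    },
    # 'default service = permit': anything not listed is allowed.
    "admin": {"default": "permit", "cmds": {}},
}


def authorize(group_name, command_line):
    """Return 'permit' or 'deny' for one full command line.

    The first word selects the cmd block; the rest of the line is the
    argument string, tested against that block's regexes in order (first
    match wins). A command with no block falls back to the group's
    default service; a listed command with no matching pattern is denied.
    """
    group = GROUPS[group_name]
    parts = command_line.strip().split(None, 1)
    if not parts:
        return "deny"
    cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")
    rules = group["cmds"].get(cmd)
    if rules is None:
        return group["default"]
    for action, pattern in rules:
        if re.search(pattern, args):
            return action
    return "deny"
```

Note the edge case this exposes: in the readonly group, `clear line 5` is permitted but `clear counters` is denied, because `permit line` is a regex on the arguments, not a keyword list.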
03-03-2007 07:23 AM
Hi Echelo360,
The aaa config that you pasted does not have command authorization.
You need the 3 authorization commands from David's post.
Regards,
Vivek
03-04-2007 08:47 PM
Great help given here guys...thanks!