
Read-only aaa statements

echelon360
Level 1

I've set up the TACACS server with two groups

-FULL admin rights

-READ only rights

Two users have been created

-admin_test

-read_test

The admin_test config works fine on AAA, but I keep getting stuck with the read_test configs. I can never get to enable mode even though I've defined it on the group policy. Is there something wrong with my aaa statements below?

aaa authentication login default group tacacs+ line enable

aaa authentication enable default group tacacs+ enable line

aaa authorization exec default if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

4 Replies

Hi,

Use this document to learn more about privilege levels and how to configure them:

http://www.cisco.com/warp/public/480/PRIV.html

You need to define the actual privilege levels: what's allowed and what's not.

See the doc

If you find this post useful, please don't forget to rate this.

#########################################

#Iwan Hoogendoorn

#########################################

Privilege is not scalable in a big environment. What you need is authorization on the ACS server. In Cisco Freeware TACACS+ I defined the following groups: readonly, advanced and admin:

group = readonly {
    default service = deny
    # the first matching regex wins, so a "deny .*" listed ahead of
    # the permit would block every show command
    cmd = show { permit .* }
    cmd = copy { permit .* }
    cmd = ping { permit .* }
    cmd = enable { permit .* }
    cmd = configure { deny .* }
    cmd = disable { permit .* }
    cmd = telnet { permit .* }
    cmd = disconnect { permit .* }
    cmd = where { permit .* }
    cmd = set { permit .* }
    cmd = clear { permit line }
    cmd = exit { permit .* }
    cmd = debug { permit .* }
}

group = advanced {
    default service = deny
    cmd = show { permit .* }
    # copy is only allowed when the argument string contains flash or running
    cmd = copy { permit flash }
    cmd = copy { permit running }
    cmd = ping { permit .* }
    cmd = configure { permit .* }
    cmd = enable { permit .* }
    cmd = disable { permit .* }
    cmd = telnet { permit .* }
    cmd = disconnect { permit .* }
    cmd = where { permit .* }
    cmd = set { permit .* }
    cmd = clear { permit line }
    cmd = exit { permit .* }
    cmd = interface { permit .* }
}

group = admin {
    # anything not explicitly listed is permitted
    default service = permit
}

As you can see, admin can access everything, readonly can only read. Advanced can make limited changes and admin can do everything.

On the Cisco router, I have the following configuration:

aaa authentication login notac none

aaa authentication login VTY group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization console

aaa authorization config-commands

aaa authorization exec notac none

aaa authorization exec VTY group tacacs+ if-authenticated none

aaa authorization commands 0 VTY group tacacs+ if-authenticated none

aaa authorization commands 1 VTY group tacacs+ if-authenticated none

aaa authorization commands 15 VTY group tacacs+ if-authenticated none

aaa authorization network VTY group tacacs+ if-authenticated none

aaa accounting exec VTY start-stop group tacacs+

aaa accounting commands 0 VTY start-stop group tacacs+

aaa accounting commands 1 VTY start-stop group tacacs+

aaa accounting commands 15 VTY start-stop group tacacs+

aaa accounting network VTY start-stop group tacacs+

aaa accounting connection VTY start-stop group tacacs+

I find that by doing it this way, it is much more scalable than using privilege commands on the router itself.

David

CCIE Security
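To make the policy semantics in the reply above concrete, here is an added example (not code from the post or from tac_plus itself): a small Python evaluator that parses tac_plus-style group definitions and decides whether a group may run a given command line. The rules it applies are assumptions modelled on tac_plus and should be checked against your server's documentation: the first word is the command and the rest is the argument string; a command with no cmd block falls back to "default service"; within a cmd block the rules are tried in order, the first regex that matches (an unanchored search, which is why "permit flash" works) decides, and a listed command whose arguments match no rule is denied; two cmd blocks for the same command are concatenated in order. The embedded policy is constructed for the example and also shows why ordering matters: a "cmd = show { deny .* }" block placed ahead of "cmd = show { permit .* }" denies every show command, so the readonly user never reads anything.

```python
"""Evaluator for tac_plus-style command authorization (added example)."""
import re
from dataclasses import dataclass, field

# Constructed policy (not copied from a real server): a readonly group with
# the deny-before-permit ordering mistake, a corrected readonly group, and
# the advanced/admin groups from the reply above.
TAC_PLUS_CONF = """
group = readonly_deny_first {
    default service = deny
    cmd = show { deny .* }
    cmd = show { permit .* }
    cmd = enable { permit .* }
    cmd = configure { deny .* }
}
group = readonly {
    default service = deny
    cmd = show { permit .* }
    cmd = enable { permit .* }
    cmd = configure { deny .* }
    cmd = clear { permit line }
}
group = advanced {
    default service = deny
    cmd = show { permit .* }
    cmd = copy { permit flash }
    cmd = copy { permit running }
    cmd = configure { permit .* }
}
group = admin {
    default service = permit
}
"""


@dataclass
class CmdRule:
    action: str   # "permit" or "deny"
    pattern: str  # regex searched within the argument string


@dataclass
class Group:
    default_service: str                      # "permit" or "deny"
    cmds: dict = field(default_factory=dict)  # command name -> [CmdRule, ...]


def parse_groups(text):
    """Parse 'group = name { default service = X  cmd = Y { permit re ... } }' blocks."""
    tokens = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]                      # strip comments
        tokens.extend(re.findall(r'\{|\}|"[^"]*"|[^\s{}]+', line))
    groups, i = {}, 0
    while i < len(tokens):
        if tokens[i:i + 2] != ["group", "="] or tokens[i + 3] != "{":
            raise ValueError(f"unexpected token {tokens[i]!r}")
        name, i = tokens[i + 2], i + 4
        group = Group(default_service="deny")             # assumed default when unset
        while tokens[i] != "}":
            if tokens[i:i + 3] == ["default", "service", "="]:
                group.default_service, i = tokens[i + 3], i + 4
            elif tokens[i:i + 2] == ["cmd", "="] and tokens[i + 3] == "{":
                rules = group.cmds.setdefault(tokens[i + 2], [])  # duplicates concatenate
                i += 4
                while tokens[i] != "}":
                    action, pattern = tokens[i], tokens[i + 1].strip('"')
                    if action not in ("permit", "deny"):
                        raise ValueError(f"bad rule action {action!r}")
                    rules.append(CmdRule(action, pattern))
                    i += 2
                i += 1
            else:
                raise ValueError(f"unexpected token {tokens[i]!r} in group {name}")
        groups[name], i = group, i + 1
    return groups


def authorize(group, command_line):
    """True if the group permits the command line, under the assumed semantics."""
    parts = command_line.strip().split(maxsplit=1)
    if not parts:
        return False
    cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")
    rules = group.cmds.get(cmd)
    if rules is None:                                     # unlisted command
        return group.default_service == "permit"
    for rule in rules:                                    # first match wins
        if re.search(rule.pattern, args):
            return rule.action == "permit"
    return False                                          # listed, nothing matched


def check(config_text, group_name, command_line):
    return authorize(parse_groups(config_text)[group_name], command_line)


if __name__ == "__main__":
    groups = parse_groups(TAC_PLUS_CONF)
    for g in groups:
        for line in ("show version", "configure terminal",
                     "copy running-config startup-config", "reload"):
            verdict = "permit" if authorize(groups[g], line) else "deny"
            print(f"{g:20} {line:36} {verdict}")
```

Running the script prints a verdict table; the readonly_deny_first group denies "show version" while the corrected readonly group permits it, and "reload" is denied for every group except admin because it is not listed and their default service is deny.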

Vivek Santuka
Cisco Employee

Hi Echelon360,

The aaa config that you pasted does not have command authorization.

You need the 3 authorization commands from David's post.

Regards,

Vivek

Great help given here guys...thanks!
