Show commands only - ACS 5.6

GRANT3779

I have ACS 5.6 and am trying to configure various roles, one of them being show commands only for people who are a member of a certain AD group. I have all the AD integration side of things done.

I was following this document -

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113590-acs5-tacacs-config.html

I created my command set as per attached, however when I login with the test AD account, they have show access which is OK, but things like telnet still work. They are unable to get into configuration mode which is good.

My end result I want to achieve is to have anyone in a certain AD group to have access to show commands and nothing else. AD side of things is good.

Any Pointers?

7 Replies

Can you please post the router/switch configuration?


At least the AAA related portions.

Javier Henderson

Cisco Systems

Hi,

The AAA commands are working OK for user accounts in a different AD group which has Full Access. Anyways, here is a portion from one of the switches.

sh run | inc aaa
aaa new-model
aaa group server tacacs+ ACS-Servers
aaa authentication login ACS-Method-List group ACS-Servers line
aaa authorization exec ACS-Method-List group ACS-Servers if-authenticated
aaa accounting exec ACS-Method-List start-stop group ACS-Servers
aaa accounting commands 15 ACS-Method-List start-stop group ACS-Servers

aaa group server tacacs+ ACS-Servers
server 10.44.129.5
server 10.44.1.5

tacacs-server host 10.44.129.5 key xx
tacacs-server host 10.44.1.5 key xx
tacacs-server directed-request


line vty 0 4
authorization exec ACS-Method-List
accounting commands 15 ACS-Method-List
accounting exec ACS-Method-List
login authentication ACS-Method-List

Thanks

Hi there, please add the following commands and try again:

aaa accounting commands 0 ACS-Method-List start-stop group ACS-Servers
aaa accounting commands 1 ACS-Method-List start-stop group ACS-Servers

Thank you for rating helpful posts!

Still not working as I would have expected. I have authenticated OK.

Checking the reporting tool, I see it hits my authorisation rule I created. It does not, however, appear to use my command set I created.

Query - on my shell profile, under common tasks - do I need to set a default and maximum priv level here if I am trying to restrict the user via my command set? How do the shell profile and command set relate to each other?

Thanks

Can you provide debugs from:

debug tacacs
debug aaa authorization

To answer your question: You can set the user to have privilege level 15 but still restrict him/her to only use a set of commands based on the command set.

Thank you for rating helpful posts!

Hi All,

Seems my ACS side of things was correct. I realised I hadn't put my extra commands under the actual VTY lines. Only in the initial config.

Now working as I would expect. Thank You.

I have a quick query about the following -

line vty 0 4
authorization commands 1 ACS-Method-List
authorization commands 15 ACS-Method-List
authorization exec ACS-Method-List
accounting commands 15 ACS-Method-List
accounting exec ACS-Method-List
login authentication ACS-Method-List

What do the different authorisation entries actually do? E.g. when I have commands 1, commands 15 and auth exec...

Do I need all these?

Also looks like I will need to push out the extra authorisation commands to over a few hundred devices to get this working.

You need to add command authorization:

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

Javier Henderson

Cisco Systems
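The fix in this thread was adding command authorization both globally (aaa authorization commands 1/15) and under the vty lines (authorization commands 1/15); without the line-level entries the ACS command set is never consulted, which is why telnet still worked. The following script is an added example, not from the thread or from Cisco, that audits an IOS running-config for exactly that gap; the sample config it parses is constructed here and only modelled on the fragments posted above.

```python
import re
from typing import List

# Constructed sample config (not from the thread): the global command-authorization
# lines are present, "line vty 0 4" is missing them, "line vty 5 15" has them.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login ACS-Method-List group ACS-Servers line
aaa authorization exec ACS-Method-List group ACS-Servers if-authenticated
aaa authorization commands 1 ACS-Method-List group ACS-Servers
aaa authorization commands 15 ACS-Method-List group ACS-Servers
aaa accounting commands 15 ACS-Method-List start-stop group ACS-Servers
line vty 0 4
 authorization exec ACS-Method-List
 accounting commands 15 ACS-Method-List
 login authentication ACS-Method-List
line vty 5 15
 authorization commands 1 ACS-Method-List
 authorization commands 15 ACS-Method-List
 login authentication ACS-Method-List
"""

GLOBAL_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) ")
VTY_RE = re.compile(r"^line vty ")
LINE_CMD_RE = re.compile(r"^\s+authorization commands (\d+) (\S+)")


def audit_command_authz(config: str, levels=(1, 15)) -> List[str]:
    """Return one finding per missing or inconsistent command-authorization entry."""
    global_lists = {}   # privilege level -> method list name defined globally
    vty_lists = {}      # "line vty X Y" -> {level: method list applied on that line}
    section = None
    for raw in config.splitlines():
        if not raw.startswith(" "):          # unindented line: leaves any vty section
            section = None
            m = GLOBAL_RE.match(raw)
            if m:
                global_lists[int(m.group(1))] = m.group(2)
            elif VTY_RE.match(raw):
                section = raw.strip()
                vty_lists[section] = {}
            continue
        m = LINE_CMD_RE.match(raw) if section else None
        if m:
            vty_lists[section][int(m.group(1))] = m.group(2)

    findings = [f"global: no 'aaa authorization commands {lvl}' method list"
                for lvl in levels if lvl not in global_lists]
    for sec, cmds in vty_lists.items():
        for lvl in levels:
            if lvl not in cmds:
                findings.append(f"{sec}: no 'authorization commands {lvl}' (command set not consulted)")
            elif global_lists.get(lvl) != cmds[lvl]:
                findings.append(f"{sec}: method list {cmds[lvl]} for level {lvl} not defined globally")
    return findings
```

Feed it the output of "show running-config" from each device to find the ones that still need the vty-line entries pushed out.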
