Frequent Contributor

Show commands only - ACS 5.6

I have ACS 5.6 and am trying to configure various roles, one of them being show commands only for people who are a member of a certain AD group. I have all the AD integration side of things done.

I was following this document -

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113590-acs5-tacacs-config.html

I created my command set as per attached, however when I login with the test AD account, they have show access which is OK, but things like telnet still work. They are unable to get into configuration mode which is good.

My end result I want to achieve is to have anyone in a certain AD group to have access to show commands and nothing else. AD side of things is good.

Any Pointers?

7 REPLIES
Enthusiast

Can you please post the router/switch configuration?


At least the AAA related portions.

Javier Henderson

Cisco Systems

Frequent Contributor

Hi,

The AAA commands are working OK for user accounts in a different AD group which has Full Access. Anyways, here is a portion from one of the switches.

sh run | inc aaa
aaa new-model
aaa group server tacacs+ ACS-Servers
aaa authentication login ACS-Method-List group ACS-Servers line
aaa authorization exec ACS-Method-List group ACS-Servers if-authenticated
aaa accounting exec ACS-Method-List start-stop group ACS-Servers
aaa accounting commands 15 ACS-Method-List start-stop group ACS-Servers

aaa group server tacacs+ ACS-Servers
server 10.44.129.5
server 10.44.1.5

tacacs-server host 10.44.129.5 key xx
tacacs-server host 10.44.1.5 key xx
tacacs-server directed-request


line vty 0 4
authorization exec ACS-Method-List
accounting commands 15 ACS-Method-List
accounting exec ACS-Method-List
login authentication ACS-Method-List

Thanks

Cisco Employee

Hi there, please add the following commands and try again:

aaa accounting commands 0 ACS-Method-List start-stop group ACS-Servers
aaa accounting commands 1 ACS-Method-List start-stop group ACS-Servers

Thank you for rating helpful posts!

Frequent Contributor

Still not working as I would have expected. I have authenticated OK.

Checking the reporting tool, I see it hits the authorisation rule I created. It does not, however, appear to use the command set I created.

Query - on my shell profile, under common tasks, do I need to set a default and maximum privilege level here if I am trying to restrict the user via my command set? How do the shell profile and command set relate to each other?

Thanks

Cisco Employee

Can you provide debugs from:

debug tacacs
debug aaa authorization

To answer your question: You can set the user to have privilege level 15 but still restrict him/her to only use a set of commands based on the command set.

Thank you for rating helpful posts!

Frequent Contributor

Hi All,

Seems my ACS side of things was correct. I realised I hadn't put my extra commands under the actual VTY lines. Only in the initial config.

Now working as I would expect. Thank You.

I have a quick query about the following -

line vty 0 4
authorization commands 1 ACS-Method-List
authorization commands 15 ACS-Method-List
authorization exec ACS-Method-List
accounting commands 15 ACS-Method-List
accounting exec ACS-Method-List
login authentication ACS-Method-List

What do the different authorisation entries actually do? E.g. when I have "authorization commands 1 ...", "authorization commands 15 ..." and "authorization exec ..."?

Do I need all these?

Also, it looks like I will need to push out the extra authorisation commands to over a few hundred devices to get this working.

Enthusiast

You need to add command authorization:

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

Javier Henderson

Cisco Systems
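The question earlier in the thread (what the "authorization commands 1 / 15" and "authorization exec" entries do, and whether all of them are needed) and the answer above come down to two places a command-authorization method list has to appear: it must be defined globally with "aaa authorization commands <level> ...", and it must be applied under the vty lines with "authorization commands <level> <list>" unless the global list is named "default", which IOS applies to every line on its own. The OP's original problem was exactly the second half missing. The following Python script is an added example, not code from the thread or from Cisco; it audits a running-config text for both conditions, which is the kind of check you would run over a few hundred saved configs before and after a rollout. The three CONFIG_* samples are constructed for the example, and the method-list and server-group names (ACS-Method-List, ACS-Servers) simply mirror the thread.

```python
"""Audit an IOS running-config for TACACS+ command authorization.

Added example, not code from the thread. Checks that
'aaa authorization commands <level> ...' is defined globally for privilege
levels 1 and 15, and that each 'line vty' block applies a matching
'authorization commands <level> <list>' (not needed when the global list
is 'default'). Sample configs below are constructed.
"""
import re

LEVELS = ("1", "15")

# Constructed: the original post's config, with no command authorization at all.
CONFIG_BEFORE = """\
aaa new-model
aaa authentication login ACS-Method-List group ACS-Servers line
aaa authorization exec ACS-Method-List group ACS-Servers if-authenticated
aaa accounting commands 15 ACS-Method-List start-stop group ACS-Servers
line vty 0 4
 authorization exec ACS-Method-List
 accounting commands 15 ACS-Method-List
 login authentication ACS-Method-List
"""

# Constructed: named lists defined globally AND applied on the vty lines.
CONFIG_AFTER = """\
aaa new-model
aaa authentication login ACS-Method-List group ACS-Servers line
aaa authorization exec ACS-Method-List group ACS-Servers if-authenticated
aaa authorization commands 1 ACS-Method-List group ACS-Servers
aaa authorization commands 15 ACS-Method-List group ACS-Servers
line vty 0 4
 authorization commands 1 ACS-Method-List
 authorization commands 15 ACS-Method-List
 authorization exec ACS-Method-List
 login authentication ACS-Method-List
"""

# Constructed: 'default' lists as in the last reply; no per-line entry needed.
CONFIG_DEFAULT = """\
aaa new-model
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
line vty 0 4
 transport input ssh
"""

GLOBAL_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")
VTY_RE = re.compile(r"^line (vty \d+ \d+)$")
APPLIED_RE = re.compile(r"^authorization commands (\d+) (\S+)$")


def parse(config):
    """Return ({level: {list_name: [methods]}}, {"vty 0 4": {level: list_name}})."""
    global_lists, vty_blocks, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[:1].isspace():          # top-level line ends any open vty block
            current = None
            m = GLOBAL_RE.match(line)
            if m:
                level, name, methods = m.groups()
                global_lists.setdefault(level, {})[name] = methods.split()
            elif VTY_RE.match(line):
                current = VTY_RE.match(line).group(1)
                vty_blocks[current] = {}
        elif current is not None:          # indented line inside a vty block
            m = APPLIED_RE.match(line)
            if m:
                vty_blocks[current][m.group(1)] = m.group(2)
    return global_lists, vty_blocks


def audit(config, levels=LEVELS):
    """Return a list of findings; an empty list means command authz is in place."""
    global_lists, vty_blocks = parse(config)
    findings = []
    for level in levels:
        if level not in global_lists:
            findings.append(f"no global 'aaa authorization commands {level}' defined")
    if not vty_blocks:
        findings.append("no 'line vty' block found")
    for block, applied in vty_blocks.items():
        for level in levels:
            defined = global_lists.get(level, {})
            name = applied.get(level)
            if name is None and "default" not in defined:
                findings.append(f"line {block}: 'authorization commands {level}' not applied")
            elif name is not None and name not in defined:
                findings.append(f"line {block}: method list '{name}' for level {level} is undefined")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER), ("default", CONFIG_DEFAULT)):
        print(label, "->", audit(cfg) or "OK")
```

Run against a directory of saved "show running-config" outputs, the script separates devices that merely have the global lines from devices where the vty lines actually enforce them; only the latter will send each command to ACS for an authorization decision, which is what the command set in ACS acts on.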