Show commands only - ACS 5.6
06-14-2016 04:51 AM - edited 03-10-2019 11:51 PM
I have ACS 5.6 and am trying to configure various roles, one of them being show commands only for people who are a member of a certain AD group. I have all the AD integration side of things done.
I was following this document -
I created my command set as per the attached; however, when I log in with the test AD account, they have show access, which is OK, but things like telnet still work. They are unable to get into configuration mode, which is good.
The end result I want to achieve is for anyone in a certain AD group to have access to show commands and nothing else. The AD side of things is good.
Any Pointers?
Labels: AAA

06-14-2016 04:58 AM
Can you please post the router/switch configuration?
At least the AAA related portions.
Javier Henderson
Cisco Systems
06-14-2016 05:26 AM
Hi,
The AAA commands are working OK for user accounts in a different AD group which has Full Access. Anyway, here is a portion from one of the switches.

```
sh run | inc aaa
aaa new-model
aaa group server tacacs+ ACS-Servers
aaa authentication login ACS-Method-List group ACS-Servers line
aaa authorization exec ACS-Method-List group ACS-Servers if-authenticated
aaa accounting exec ACS-Method-List start-stop group ACS-Servers
aaa accounting commands 15 ACS-Method-List start-stop group ACS-Servers
aaa group server tacacs+ ACS-Servers
 server 10.44.129.5
 server 10.44.1.5
tacacs-server host 10.44.129.5 key xx
tacacs-server host 10.44.1.5 key xx
tacacs-server directed-request
line vty 0 4
 authorization exec ACS-Method-List
 accounting commands 15 ACS-Method-List
 accounting exec ACS-Method-List
 login authentication ACS-Method-List
```
Thanks
06-14-2016 08:32 AM
Hi there, please add the following commands and try again:

```
aaa accounting commands 0 ACS-Method-List start-stop group ACS-Servers
aaa accounting commands 1 ACS-Method-List start-stop group ACS-Servers
```
Thank you for rating helpful posts!
06-15-2016 08:13 AM
Still not working as I would have expected. I have authenticated OK.
Checking the reporting tool, I see it hits the authorisation rule I created. It does not, however, appear to use the command set I created.
Query: on my shell profile, under common tasks, do I need to set a default and maximum privilege level here if I am trying to restrict the user via my command set? How do the shell profile and command set relate to each other?
Thanks
06-15-2016 09:23 AM
Can you provide debugs from:

```
debug tacacs
debug aaa authorization
```

To answer your question: you can set the user to have privilege level 15 but still restrict him/her to only use a set of commands based on the command set.
Thank you for rating helpful posts!
06-17-2016 02:46 AM
Hi All,
It seems my ACS side of things was correct. I realised I hadn't put my extra commands under the actual VTY lines, only in the global config.
Now working as I would expect. Thank you.
I have a quick query about the following:

```
line vty 0 4
 authorization commands 1 ACS-Method-List
 authorization commands 15 ACS-Method-List
 authorization exec ACS-Method-List
 accounting commands 15 ACS-Method-List
 accounting exec ACS-Method-List
 login authentication ACS-Method-List
```

What do the different authorisation entries actually do? E.g. when I have:
commands 1...
commands 15...
auth exec...
Do I need all these?
Also, it looks like I will need to push out the extra authorisation commands to over a few hundred devices to get this working.
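As an added example (not part of this thread, and not Cisco's or ACS's code): a small Python audit that flags configs where the global `aaa authorization commands` lists exist but are not applied under `line vty`, the gap found above, which is worth running over exported configs before pushing the change to a few hundred devices. The sample configs are constructed for the example, and the parser assumes the one-space IOS indentation of line sub-commands.

```python
"""Audit an IOS-style running config for command authorization that is defined
globally but never applied under 'line vty' (the gap found in this thread)."""
import re

REQUIRED_LEVELS = (1, 15)  # privilege levels the thread's answers cover

# Constructed sample: global lists exist, but the vty block only has exec/accounting
CONFIG_BEFORE = """\
aaa authorization exec ACS-Method-List group ACS-Servers if-authenticated
aaa authorization commands 1 ACS-Method-List group ACS-Servers
aaa authorization commands 15 ACS-Method-List group ACS-Servers
line vty 0 4
 authorization exec ACS-Method-List
 accounting commands 15 ACS-Method-List
"""
# Constructed sample: the same config with the two missing vty sub-commands added
CONFIG_AFTER = CONFIG_BEFORE.replace("\n authorization exec",
    "\n authorization commands 1 ACS-Method-List"
    "\n authorization commands 15 ACS-Method-List\n authorization exec")

def parse_vty_blocks(config):
    """Return {vty_range: [sub-commands]} for every 'line vty' block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" "):              # indented line: sub-command of a block
            if current is not None:
                blocks[current].append(line.strip())
            continue
        m = re.match(r"line vty (\d+ \d+)\s*$", line)
        current = m.group(1) if m else None   # any other top-level line ends a block
        if m:
            blocks[current] = []
    return blocks

def audit_command_authz(config):
    """Return finding strings; an empty list means command authz is fully wired up."""
    findings, global_lists = [], {}
    for line in config.splitlines():
        m = re.match(r"aaa authorization commands (\d+) (\S+) ", line)
        if m:
            global_lists[int(m.group(1))] = m.group(2)
    for lvl in REQUIRED_LEVELS:
        if lvl not in global_lists:
            findings.append(f"global: no 'aaa authorization commands {lvl}' method list")
    for rng, subs in parse_vty_blocks(config).items():
        for lvl in REQUIRED_LEVELS:
            if not any(s.startswith(f"authorization commands {lvl} ") for s in subs):
                findings.append(f"line vty {rng}: 'authorization commands {lvl}' not applied")
    return findings
```

Running `audit_command_authz` over each exported config gives an empty list only for devices that already have both the global lists and the matching `authorization commands` entries under the vty lines.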
06-14-2016 09:37 AM
You need to add command authorization:

```
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
```
Javier Henderson
Cisco Systems
