Tacacs + AAA

fabioosantos
Level 1

Hi. My name is Fabio, I work in Brazil as a network manager. I set up Tac_plus on Linux because it is needed to restrict some users' access to routers. In the first case, where users are able to give show and config commands referring to "RTR", that works well for show commands but not when the user is inside config mode.

See log below.

Wed Oct 13 22:43:38 2004 10.121.9.66 test tty2 192.168.32.8 stop task_id=210 timezone=GMT-3 service=shell start_time=1097729277 priv-lvl=15 cmd=configure terminal

Wed Oct 13 22:43:48 2004 10.121.9.66 test tty2 192.168.32.8 stop task_id=211 timezone=GMT-3 service=shell start_time=1097729287 priv-lvl=15 cmd=line console 0

See the config:

group = users {
    default service = deny
    service = exec {
        priv-lvl = 15
    }
}

##############################
# All services are allowed..

user = DEFAULT {
    service = ppp protocol = ip {}
}

user = test {
    login = cleartext xxxx
    member = users
    service = exec {
        priv-lvl = 15
    }
    cmd = enable {
        permit .*
    }
    cmd = configure {
        permit "terminal"
    }
    cmd = rtr {
        permit .*
    }
    cmd = show {
        permit "rtr"
        deny .*
    }
    cmd = exit {
        permit .*
    }
}

My problem is that in config mode the user test has full command authorization.

Thanks...

Fábio

4 Replies

scottosan
Level 1

How did you configure the routers? The config should look something along the lines of this with some room for variation:

aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands

I didn't place the command "aaa authorization config-commands" in my configuration. I am going to add it and verify the result.

Thanks

Fábio

Hi Scottosan,

The command aaa authorization config-commands fixed my problem. Thank you very much.

Regards,

Fábio

You're welcome.
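To make the behaviour in this thread concrete, here is an added Python model (not tac_plus or IOS code, and not written by anyone in the thread) of the two decisions involved: tac_plus matching a command's arguments against the permit/deny regexes of the policy posted above, and the router only forwarding config-mode commands to the server once aaa authorization config-commands is enabled. The function names, the policy transcription and the note about unanchored regex matching are my assumptions.

```python
import re

# Policy transcribed from the tac_plus config in the original post:
# for each cmd block, an ordered list of (action, regex) clauses.
POLICY = {
    "enable":    [("permit", r".*")],
    "configure": [("permit", r"terminal")],
    "rtr":       [("permit", r".*")],
    "show":      [("permit", r"rtr"), ("deny", r".*")],
    "exit":      [("permit", r".*")],
}
DEFAULT_SERVICE = "deny"   # group users { default service = deny }


def server_decision(cmd, args, policy=POLICY, default=DEFAULT_SERVICE):
    """tac_plus-style command authorization.

    The argument string is matched in order against the clauses of the
    matching cmd block; the first regex that matches decides.  A command
    with no cmd block falls back to the default service; a cmd block
    where no clause matches is denied.
    Assumption: regexes are searched unanchored (as tac_plus does), so
    r"rtr" also permits "rtr foo"; use r"^rtr$" for exact forms only.
    """
    clauses = policy.get(cmd)
    if clauses is None:
        return default
    for action, pattern in clauses:
        if re.search(pattern, args):
            return action
    return "deny"


def router_decision(cmd, args, config_mode=False, config_commands=False):
    """Model the IOS side of the exchange.

    Without 'aaa authorization config-commands' the router never sends a
    config-mode command to the TACACS+ server, so the server policy is
    not consulted at all, which is exactly what the accounting log in the
    original post showed for 'line console 0'.
    """
    if config_mode and not config_commands:
        return ("permit", "not sent to server: config-commands authorization off")
    return (server_decision(cmd, args), "server")
```

Run server_decision("line", "console 0") to see the server would deny the command, then router_decision with config_commands=False to see why it was executed anyway.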