TACACS+ and authorization "conf-t" commands (IOS)

o-evdokimov
Level 1

Hi

Is it possible to do authorization for IOS commands ("conf-t" mode) on the TACACS+ service without having to keep strings like "privilege configure level 3 interface" in the Cisco running config?

Authorization for exec mode commands works well, but I need the same for the commands of conf-t mode.

For example tac_plus.conf:

I need something like this (fictional syntax):

    service = configure {
       cmd = interface { permit FastEthernet .* }
       cmd = switchport { deny access .* }
    }

It already works well:

    service = exec {
       priv-lvl = 3
    }

    cmd = ping { permit .* }
    cmd = write { deny memory }

Thank you for any ideas.

2 Accepted Solutions

Tushar Gaba
Cisco Employee

Hi Oleg,

The very first thing you need to do is to make sure an authorization packet is sent to the TACACS server for commands at config terminal mode. For this we need a command on IOS:
"aaa authorization config-commands"

Now the rest of the work has to be done on the TACACS server, defining each command with specific arguments as you mentioned.


Sent from Cisco Technical Support Android App


sriramojurajiv
Level 1

Hi Oleg,

Here, as you said, commands like ping, show or any other commands in privilege level are authorized with the TACACS+ server. But if you want to authorize in global configuration mode, then you need to give an extra command:

"acs#aaa authorization config-commands"

Now, after giving it, you can give any global configuration command like

"acs(config)#interface FastEthernet"

and, whether you permit or deny it, this command gets authorized with the TACACS+ server.

-thanks,

Rajiv

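An added example, not from the thread or from Cisco: the IOS side of the setup Tushar and Rajiv describe, showing the AAA lines needed so that configuration-mode commands are sent to the TACACS+ server and matched by the same cmd = ... blocks as exec-mode commands. The server name, address, group name and key are placeholders.

```cisco
! Added example (not from the thread). Placeholders: TAC1, 192.0.2.10,
! EXAMPLE_SHARED_SECRET and TACGRP.
aaa new-model
!
tacacs server TAC1
 address ipv4 192.0.2.10
 key EXAMPLE_SHARED_SECRET
!
aaa group server tacacs+ TACGRP
 server name TAC1
!
aaa authentication login default group TACGRP local
aaa authorization exec default group TACGRP local
!
! Exec-mode command authorization: "ping", "write memory", "show ..." are
! sent to the server as cmd=ping / cmd=write with their cmd-arg values and
! checked against the cmd = ... blocks. This is what already worked for
! the original poster (priv-lvl 3 from the exec service, so level 3 is
! listed; 15 covers enable-mode users).
aaa authorization commands 3 default group TACGRP
aaa authorization commands 15 default group TACGRP
!
! Without the next line, commands typed after "configure terminal", such as
! "interface FastEthernet0/1" or "switchport access vlan 10", are NOT sent
! to the server, so cmd = interface { ... } and cmd = switchport { ... }
! are never consulted. With it, every config-mode command is sent exactly
! like an exec command (cmd=interface, cmd-arg=FastEthernet0/1, ...), so no
! separate "service = configure" definition is needed on the server.
aaa authorization config-commands
!
! No fallback method (local / if-authenticated) is listed for the command
! lines on purpose: if the server is unreachable, commands are denied
! rather than silently permitted. Add a fallback only as a conscious choice.
```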

4 Replies


It works. Thank you, Tushar.


Rajiv, thank you for help too.
