o-evdokimov
Beginner

TACACS+ and authorization "conf-t" commands (IOS)

Hi

Is it possible to do authorization for IOS commands ("conf-t mode") on the TACACS+ service without having to keep strings like "privilege configure level 3 interface" in the Cisco running config?

Authorization for exec mode commands works well but I need the same for the commands of conf-t mode.

For example, in tac_plus.conf I need something like this (fictional syntax):

    service = configure {
       cmd = interface { permit FastEthernet .* }
       cmd = switchport { deny access .* }
    }

This already works well:

    service = exec {
       priv-lvl = 3
    }

    cmd = ping { permit .* }
    cmd = write { deny memory }

Thank you for any ideas.

Accepted Solutions (2)
Tushar Gaba
Cisco Employee

Hi Oleg,

The very first thing you need to do is to make sure an authorization packet is sent to the TACACS server for commands at config terminal mode. For this we need a command on IOS:
"aaa authorization config-commands"

Now the rest of the work has to be done on the TACACS server, defining each command with specific arguments as you mentioned.


sriramojurajiv
Beginner

Hi Oleg,

Here, as you said, commands like ping, show or any other commands in privilege level are authorized with the TACACS+ server, but if you want to authorize in global configuration mode then you need to give an extra command:

"acs#aaa authorization config-commands"

Now, after giving it, you can give any global configuration command like

"acs(config)#interface FastEthernet "

and either you permit or deny; this command gets authorized with the TACACS+ server.

-thanks,

Rajiv

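To make the two answers concrete, here is an added Python model (not code from the thread, from tac_plus or from IOS) of how the decision flows: the device only forwards conf-t commands to the server when `aaa authorization config-commands` is set, and the server then evaluates them with the same `cmd = … { permit/deny … }` blocks already used for exec commands, so no separate "service = configure" is needed. The policy dictionary, the regex matching rules and the `device_authorize` helper are assumptions modelled on the syntax in the question; the IOS lines quoted in the docstring are real commands.

```python
import re

# Constructed policy in the shape of the tac_plus.conf blocks from the thread.
# Assumption (modelled on tac_plus): for a command word, the argument string is
# tested against the permit/deny regexes in order, first match wins, and a
# command that has a block but matches no pattern is denied. Config-mode
# commands need no separate "service = configure": IOS sends them as ordinary
# cmd/cmd-arg authorization requests once "aaa authorization config-commands"
# is enabled, so "interface ..." and "switchport ..." go into the same list.
POLICY = {
    "ping":       [("permit", r".*")],
    "write":      [("deny", r"memory")],
    "interface":  [("permit", r"FastEthernet.*")],  # IOS sends "FastEthernet0/1" as one arg
    "switchport": [("deny", r"access .*")],
}
DEFAULT_SERVICE = "deny"   # commands with no cmd block at all


def server_authorize(cmd_line, policy=POLICY, default=DEFAULT_SERVICE):
    """What the TACACS+ server answers for one command line."""
    words = cmd_line.split() or [""]
    cmd, args = words[0], " ".join(words[1:])
    rules = policy.get(cmd)
    if rules is None:
        return default
    for action, pattern in rules:
        if re.search(pattern, args):
            return action
    return "deny"


def device_authorize(cmd_line, mode, config_commands_enabled):
    """Model of the IOS side (hypothetical helper).

    IOS reference config (real commands, privilege level 3 as in the question):
        aaa new-model
        aaa authorization commands 3 default group tacacs+
        aaa authorization config-commands
    Exec-mode commands are always sent to the server; config-mode commands are
    sent only when "aaa authorization config-commands" is present, otherwise
    IOS runs them locally with no server check. Returns (decision, asked_server).
    """
    if mode == "config" and not config_commands_enabled:
        return ("permit", False)
    return (server_authorize(cmd_line), True)
```

Calling `device_authorize("interface Loopback0", "config", False)` returns `("permit", False)`, which is exactly the gap the extra IOS command closes; with `True` the same line comes back `("deny", True)`.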

4 Replies
It works. Thank you, Tushar.


Rajiv, thank you for help too.
