01-16-2014 02:33 AM - edited 03-10-2019 09:17 PM
Hi
Is it possible to do authorization for IOS commands ("conf-t mode") on the TACACS+ server without having to keep strings such as "privilege configure level 3 interface" in the Cisco running config?
Authorization for exec-mode commands works well, but I need the same for conf-t mode commands.
For example, in tac_plus.conf I need something like this (fictional syntax):
service = configure {
cmd = interface { permit FastEthernet .* }
cmd = switchport { deny access .* }
}
This already works well:
service = exec {
    priv-lvl = 3
}
cmd = ping { permit .* }
cmd = write { deny memory }
Thank you for any ideas.
01-16-2014 06:46 AM
Hi Oleg,
The very first thing you need to do is make sure an authorization packet is sent to the TACACS+ server for commands in config terminal mode. For this we need a command on IOS:
"aaa authorization config-commands"
Now the rest of the work has to be done on the TACACS+ server, defining each command with specific arguments as you mentioned.
01-16-2014 07:15 AM
Hi Oleg,
Here, as you said, commands like ping, show, or any other commands at the privilege level are authorized with the TACACS+ server. But if you want to authorize in global configuration mode, then you need to give an extra command:
"acs(config)#aaa authorization config-commands"
Now, after giving it, you can give any global configuration command, like
"acs(config)#interface FastEthernet "
and either permit or deny it; this command gets authorized with the TACACS+ server.
-thanks,
Rajiv
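Both answers above say the same two things: turn on `aaa authorization config-commands` on IOS so that config-mode commands generate TACACS+ authorization requests, and then write ordinary `cmd = ... { permit|deny regex }` blocks on the server. What neither answer shows is how those regexes are actually evaluated. The following is an added example, not code from this thread or from the tac_plus project: a small Python model of tac_plus-style command authorization that parses only the `cmd = name { permit|deny regex }` and `default service` subset of a tac_plus.conf group and evaluates the requests IOS sends. The policy text, the group name "netops", and the session lines are constructed for the example. The matching semantics (cmd-args joined with spaces, the trailing `<cr>` IOS appends as the last cmd-arg, regexes tried in order with an unanchored search, first match wins, no match means deny, and `default service` only for commands with no cmd block) are my reading of tac_plus behaviour and should be confirmed against your server's debug output before relying on them. It also shows why the fictional `permit FastEthernet .*` from the question would not match `interface FastEthernet0/1`: the argument string has no space after "FastEthernet".

```python
"""Model of tac_plus-style TACACS+ command authorization (added example).

Parses only the ``cmd = name { permit|deny regex }`` and ``default service``
parts of a tac_plus.conf group; users, keys and other services are ignored.
Matching semantics are an assumption about tac_plus, not quoted from its docs.
"""
import re

# Constructed policy in tac_plus.conf syntax; group name "netops" is made up.
POLICY = r"""
group = netops {
    default service = deny
    service = exec {
        priv-lvl = 15
    }
    cmd = show { permit .* }
    cmd = ping { permit .* }
    cmd = configure { permit ^terminal }
    cmd = interface { permit ^FastEthernet }
    cmd = switchport { deny ^access
                       permit .* }
    cmd = write { deny ^memory
                  permit .* }
}
"""

# The question's fictional rule, written as real tac_plus syntax, to show the pitfall.
PITFALL = 'cmd = interface { permit "FastEthernet .*" }'

CMD_RE = re.compile(r'cmd\s*=\s*(\S+)\s*\{([^}]*)\}')
RULE_RE = re.compile(r'(permit|deny)\s+(?:"([^"]*)"|(\S+))')
DEFAULT_RE = re.compile(r'default\s+service\s*=\s*(permit|deny)')


def parse_policy(text):
    """Return (default_action, {cmd_name: [(action, compiled_regex), ...]})."""
    m = DEFAULT_RE.search(text)
    default = m.group(1) if m else "deny"      # assumed: no default line means deny
    cmds = {}
    for name, body in CMD_RE.findall(text):
        rules = []
        for action, quoted, bare in RULE_RE.findall(body):
            rules.append((action, re.compile(quoted or bare)))
        cmds[name] = rules
    return default, cmds


def ios_request(line):
    """Turn a typed CLI line into the (cmd, cmd-args) IOS sends.

    IOS sends the first word as ``cmd``, every further word as a ``cmd-arg``,
    and appends a final ``cmd-arg=<cr>``.
    """
    words = line.split()
    return words[0], words[1:] + ["<cr>"]


def authorize(policy, cmd, args):
    """Decide one request; True means permit."""
    default, cmds = policy
    if cmd not in cmds:
        return default == "permit"             # no cmd block: default service decides
    joined = " ".join(args)                    # e.g. "FastEthernet0/1 <cr>"
    for action, rx in cmds[cmd]:
        if rx.search(joined):                  # assumed unanchored; anchor with ^ $ yourself
            return action == "permit"
    return False                               # cmd block present, nothing matched: deny


def check_session(policy, lines):
    """Evaluate a list of CLI lines; returns [(line, permitted), ...]."""
    return [(line, authorize(policy, *ios_request(line))) for line in lines]


if __name__ == "__main__":
    # Constructed config-mode session as an operator would type it.
    session = [
        "configure terminal",
        "interface FastEthernet0/1",
        "switchport mode trunk",
        "switchport access vlan 10",
        "interface Vlan10",
        "write memory",
        "write terminal",
        "reload",
    ]
    for line, ok in check_session(parse_policy(POLICY), session):
        print(f"{'PERMIT' if ok else 'DENY  '} {line}")
    # The question's "FastEthernet .*" regex never matches "FastEthernet0/1 <cr>".
    print("pitfall:", authorize(parse_policy(PITFALL),
                                *ios_request("interface FastEthernet0/1")))
```

On the IOS side, the server only sees these requests if command authorization is enabled for the privilege level in use (`aaa authorization commands 15 default group tacacs+`) and, for config-mode lines, `aaa authorization config-commands` is also present, as both answers state. Keep a `permit` rule for `configure` itself, or the operator never reaches config mode in the first place.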
01-20-2014 01:53 PM
It works. Thank you, Tushar.
01-20-2014 01:54 PM
Rajiv, thank you for help too.