09-19-2011 07:11 AM - edited 03-10-2019 06:25 PM
Hi
I'm struggling with TACACS+ and priv levels, and hoping someone out there can help me solve an issue.
So, in this environment we need the following:
Okay, the TACACS configuration for the read-only users looks like this:
group = readonly-users {
    default service = deny
    # only the listed show commands are authorized
    cmd = show {
        permit running-config
        permit interface
        permit privilege
        permit vlan
        deny .*
    }
    service = exec {
        priv-lvl = 15
    }
}
# Note that priv lvl 15 has been set to allow the users to run "show running-config"; all commands other than the ones mentioned are denied.
The TACACS configuration for the users with configuration access looks like this:
group = restricted-user {
    default service = deny
    # only the listed show commands are authorized
    cmd = show {
        permit interface
        permit vlan
        permit privilege
        deny .*
    }
    service = exec {
        priv-lvl = 7
    }
}
And the following has been configured on the switches to allow further configuration; these are the commands we had to enable after I had created the previous read-only user in TACACS:
privilege interface level 7 switchport access vlan
privilege interface level 7 switchport mode access
privilege interface level 7 switchport voice vlan
privilege configure level 7 interface
privilege exec level 7 configure terminal
privilege exec level 7 show running-config
privilege exec level 7 write memory
It all worked just fine: the read-only users only had access to the commands configured in TACACS. But when I configured the users with configuration access and entered the privilege commands on the switch, it stopped working.
Somehow the privilege commands on the switch apply to all privilege levels above level 7. Meaning that my read-only users with priv lvl 15 (all commands except show commands denied) can suddenly enter privileged exec mode because I allowed the priv lvl 7 users to enter it.
This does not make sense to me, because I've read on Cisco's HP that when configuring privilege level commands on the equipment, you allow only that level to access the command, and not all above.
I hope someone can help me with this issue, and it should be solved in the TACACS configuration, because the TACACS server is controlling over 500 switches and routers. So it ain't just a question of reconfiguring the switches; that would take the rest of 2011.
I hope you guys know the answer to this.
Thanks in advance.
Kind regards
09-22-2011 01:06 AM
Bump
No one knows the golden path to this solution? :-)
09-23-2011 06:54 AM
A user at privilege level 15 can execute commands at any privilege level. You assigned privilege level 7 to some configuration commands, so those commands will execute at that level. You're denying everything except some show commands at privilege level 15, but you don't have an explicit action for level 7.
I think you're complicating things a bit too much with changing privilege levels. Why don't you just assign both sets of users privilege level 15 and restrict commands that each group can execute?
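As an added illustration of the two layers this reply describes (not code from the thread, from tac_plus or from IOS), here is a small Python model: the IOS privilege check, where a user's level must be at or above the level assigned to a command, and the tac_plus per-group command rules from the original post. The dictionaries, helper names and the simplification that any unlisted IOS command sits at level 15 are assumptions.

```python
import re

# Constructed transcription of the two tac_plus groups from the thread:
# command -> ordered (action, argument-regex) rules; a command with no
# cmd block falls under "default service = deny".
TACACS_GROUPS = {
    "readonly-users": {"priv-lvl": 15, "cmd": {"show": [
        ("permit", "running-config"), ("permit", "interface"),
        ("permit", "privilege"), ("permit", "vlan"), ("deny", ".*")]}},
    "restricted-user": {"priv-lvl": 7, "cmd": {"show": [
        ("permit", "interface"), ("permit", "vlan"),
        ("permit", "privilege"), ("deny", ".*")]}},
}

# The "privilege <mode> level 7 <command>" lines from the thread.
IOS_PRIVILEGE = {
    ("exec", "configure terminal"): 7,
    ("exec", "show running-config"): 7,
    ("exec", "write memory"): 7,
    ("configure", "interface"): 7,
    ("interface", "switchport access vlan"): 7,
    ("interface", "switchport mode access"): 7,
    ("interface", "switchport voice vlan"): 7,
}
UNLISTED_LEVEL = 15  # assumption: anything not relocated stays a level-15 command

def ios_level_allows(user_level, mode, command):
    """IOS gating as the reply states: a command placed at level N is runnable by
    any user at level N or higher, so a level-15 user also gets the level-7 set."""
    return user_level >= IOS_PRIVILEGE.get((mode, command), UNLISTED_LEVEL)

def tacacs_authorizes(group, command_line):
    """tac_plus command authorization: the first permit/deny whose regex matches
    the argument string wins; a command without a cmd block is denied."""
    cmd, _, args = command_line.partition(" ")
    rules = TACACS_GROUPS[group]["cmd"].get(cmd)
    if rules is None:
        return False
    for action, pattern in rules:
        if re.search(pattern, args):
            return action == "permit"
    return False  # unreachable for these groups: both end with "deny .*"

def can_run(group, mode, command_line):
    """Return (ios_level_ok, tacacs_ok) for a user of this group's priv-lvl."""
    level = TACACS_GROUPS[group]["priv-lvl"]
    return ios_level_allows(level, mode, command_line), tacacs_authorizes(group, command_line)
```

Running can_run("readonly-users", "exec", "configure terminal") shows the split: the IOS level check passes for a level-15 user once the command has been moved to level 7, while the tac_plus group still denies it.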
09-26-2011 04:23 AM
Thanks for your answer.
Well when I started to configure this TACACS setup, I tried to create 2 profiles with privilege level 15 and just allow/deny the different commands. But the thing is that you cannot allow all commands in the TACACS configuration. For example, you cannot give a user privilege level 15 and deny all commands, but allow the user to configure VLANs on interfaces, and duplex settings which is what I want the users to be able to do.
That's why I needed to configure the commands to be accessible from privilege level 7 on the equipment.
If only I could create a profile with privilege level 15 and give the user access to the commands he needs, and only those, from the TACACS configuration file, that would make it a lot easier, but that just ain't the way TACACS works, unfortunately.
10-12-2011 05:00 AM
Bump
Still no TACACS pros? :-)