Tacacs Authorization on ACS

SDWorx_2
Level 3

Hello,

I'm new to authorization on Cisco ACS server.

I've been wrestling for a couple of days with getting the authorization working.

What I would like to achieve is to limit the commands executed on our Cisco material. I would like to have an "any" for us, and a limited command set for other users.

This is what I already configured:

aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated   (any explanation on this?)
tacacs-server host x.x.x.x
tacacs-server key "hidden"
line vty 0 4
 password "hidden"
 login authentication default
line vty 5 15
 password "hidden"
 login authentication default

On the ACS server:

PPP and Shell (exec) checked.

Many thanks

Koen
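The goal stated in the post, an "any" command set for the admins and a limited set for everyone else, comes down to a per-command permit/deny decision made on the ACS side. The following is an added example, not code from the thread or from Cisco ACS: it models a command set as an ordered list of rules (grant, command keyword, argument regex) with a default for commands no rule matches, which is a simplified version of how ACS shell command authorization sets are evaluated. The group names, the rules and the sample commands are constructed; it also assumes the command has already been expanded from any abbreviation before it is checked.

```python
"""Simplified model of the per-command authorization decision an ACS command set makes.

Added example, not the thread's or Cisco's code. Group names, rules and sample
commands are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    grant: str          # "permit" or "deny"
    command: str        # first keyword of the IOS command, e.g. "show"
    args: str = ".*"    # regex that must match the rest of the command line


@dataclass
class CommandSet:
    name: str
    rules: list                      # evaluated in order; the first matching rule wins
    permit_unmatched: bool = False   # default when no rule matches; deny is the safe default


# Constructed policy: administrators may run anything, operators get read-only commands,
# but even operators may not dump the running config (it carries secrets).
ADMIN_SET = CommandSet("any", rules=[], permit_unmatched=True)
OPERATOR_SET = CommandSet("limited", rules=[
    Rule("deny", "show", r"running-config.*"),
    Rule("permit", "show"),
    Rule("permit", "ping"),
    Rule("permit", "traceroute"),
    Rule("permit", "exit"),
])

# Hypothetical mapping of ACS user groups to command sets.
GROUP_TO_SET = {"netadmins": ADMIN_SET, "operators": OPERATOR_SET}


def normalize(line: str) -> tuple[str, str]:
    """Split a command line into its first keyword and the remaining arguments."""
    parts = line.split()
    if not parts:
        return "", ""
    return parts[0], " ".join(parts[1:])


def authorize(cmd_set: CommandSet, line: str) -> bool:
    """True if the command set permits this command line."""
    command, args = normalize(line)
    for rule in cmd_set.rules:
        if rule.command == command and re.fullmatch(rule.args, args):
            return rule.grant == "permit"
    return cmd_set.permit_unmatched


def authorize_for_group(group: str, line: str) -> bool:
    """Look up the group's command set; a group with no set assigned is denied (fail closed)."""
    cmd_set = GROUP_TO_SET.get(group)
    if cmd_set is None:
        return False
    return authorize(cmd_set, line)


def decisions(group: str, lines: list[str]) -> dict[str, str]:
    """Map each command line to the decision the device would receive for that group."""
    return {line: ("PASS" if authorize_for_group(group, line) else "FAIL") for line in lines}


if __name__ == "__main__":
    sample = ["show ip interface brief", "show running-config", "ping 10.0.0.1", "configure terminal"]
    for group in GROUP_TO_SET:
        print(group, decisions(group, sample))
```

Ordering matters: the deny rule for `show running-config` has to precede the blanket `permit show`, because the first matching rule decides. Leaving `permit_unmatched` at its default of `False` is what makes the operator set "limited": anything not listed, including `configure terminal`, is refused.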

3 Replies

ecaballero
Community Member

Here is a configuration that works quite well. It will use TACACS for authentication and authorization. It is a good idea to have a backup authentication and authorization scheme such as Line or None, in case your Tacacs server goes down or is misconfigured. That way you can still get into your router in an emergency.

aaa new-model
! TACACS+ first; the line password is used only if no TACACS+ server answers
aaa authentication login vtymethod group tacacs+ line
! TACACS+ first; 'none' means authorization succeeds if no TACACS+ server answers
aaa authorization exec vtymethod group tacacs+ none
! command authorization for user EXEC (level 1) and privileged EXEC (level 15)
aaa authorization commands 1 vtymethod group tacacs+ none
aaa authorization commands 15 vtymethod group tacacs+ none
line vty 0 4
 password 7 *omitted*
 ! a named method list only takes effect on a line that references it
 authorization commands 15 vtymethod
 authorization exec vtymethod
 login authentication vtymethod

I am using Cisco Secure ACS 3.2 for Windows.

On the ACS you must have shell exec checked, and also privilege level selected with the level set to 15.

Then you need to create an IOS command set to either permit or deny certain commands.

Then you can run debug aaa authorization on your router to troubleshoot.

Give that a try and see how it goes.
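The reply's two points, a fallback method after `group tacacs+` so the router stays reachable when the server is down, and command authorization at both privilege levels, are the kind of thing worth checking mechanically before a configuration goes on a box. The following is an added example, not code from the thread: a small auditor that parses the `aaa authentication` and `aaa authorization` method lists from a `show running-config` style text (line sub-commands indented by one space, as IOS prints them), flags lists with no fallback after the server group, notes `none` fallbacks, checks that `commands 1` and `commands 15` lists exist, and checks that every named list is actually referenced under a `line` block. The two sample configurations are transcribed from the question and the reply above, with the secrets replaced by placeholders.

```python
"""Audit the AAA method lists in a Cisco IOS configuration.

Added example, not code from the thread. Input is assumed to be in
'show running-config' layout: line sub-commands indented by one space.
"""
import re
from dataclasses import dataclass

# Constructed samples, transcribed from the question and the reply in the thread.
OP_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
tacacs-server host x.x.x.x
tacacs-server key hidden
line vty 0 4
 password hidden
 login authentication default
"""

REPLY_CONFIG = """\
aaa new-model
aaa authentication login vtymethod group tacacs+ line
aaa authorization exec vtymethod group tacacs+ none
aaa authorization commands 1 vtymethod group tacacs+ none
aaa authorization commands 15 vtymethod group tacacs+ none
line vty 0 4
 password 7 omitted
 authorization commands 15 vtymethod
 authorization exec vtymethod
 login authentication vtymethod
"""

AAA_RE = re.compile(
    r"^aaa (?P<kind>authentication|authorization) "
    r"(?P<service>login|enable|exec|network|commands \d+) "
    r"(?P<name>\S+) (?P<methods>.+)$"
)


@dataclass
class MethodList:
    service: str   # e.g. "authorization commands 15"
    name: str      # "default" or a user-chosen list name
    methods: list  # e.g. ["group tacacs+", "none"], in the order IOS tries them


def parse_method_lists(config: str) -> list[MethodList]:
    lists = []
    for raw in config.splitlines():
        m = AAA_RE.match(raw.strip())
        if not m:
            continue
        # "group tacacs+" is one method written as two words; glue it before splitting.
        glued = re.sub(r"\bgroup (\S+)", r"group:\1", m["methods"]).split()
        methods = [w.replace("group:", "group ") for w in glued]
        lists.append(MethodList(f"{m['kind']} {m['service']}", m["name"], methods))
    return lists


def applied_lists(config: str) -> set:
    """(service, list-name) pairs referenced inside 'line ...' blocks."""
    applied, in_line = set(), False
    for raw in config.splitlines():
        if raw.startswith("line "):
            in_line = True
            continue
        if not raw.startswith(" "):
            in_line = False          # back at global configuration level
            continue
        words = raw.split()
        if in_line and words[:2] == ["login", "authentication"] and len(words) == 3:
            applied.add(("authentication login", words[2]))
        elif in_line and words[:2] == ["authorization", "exec"] and len(words) == 3:
            applied.add(("authorization exec", words[2]))
        elif in_line and words[:2] == ["authorization", "commands"] and len(words) == 4:
            applied.add((f"authorization commands {words[2]}", words[3]))
    return applied


def audit(config: str) -> list[str]:
    findings = []
    lists = parse_method_lists(config)
    applied = applied_lists(config)
    for ml in lists:
        label = f"{ml.service} {ml.name}"
        # Only server groups in the list: the list errors out, and the user is locked out,
        # when no server answers.
        if all(m.startswith("group ") for m in ml.methods):
            findings.append(f"{label}: no fallback after {ml.methods[-1]}; lockout risk if no TACACS+ server answers")
        if "none" in ml.methods:
            findings.append(f"{label}: 'none' skips authorization when no server answers (emergency fallback)")
        # Default lists apply everywhere; a named list must be referenced on the line.
        if ml.name != "default" and (ml.service, ml.name) not in applied:
            findings.append(f"{label}: named list is not applied on any line, so it has no effect")
    levels = {int(ml.service.split()[-1]) for ml in lists if ml.service.startswith("authorization commands")}
    for level in (1, 15):
        if level not in levels:
            findings.append(f"no 'aaa authorization commands {level}' list: commands at privilege level {level} are not authorized")
    return findings


if __name__ == "__main__":
    for title, cfg in (("question", OP_CONFIG), ("reply", REPLY_CONFIG)):
        print(f"--- {title} ---")
        for finding in audit(cfg):
            print(" ", finding)
```

Run against the question's configuration it reports the two gaps the reply addresses (login authentication with no fallback, no level-1 command authorization); run against the reply's configuration it reports the `none` fallbacks as deliberate choices and one thing worth noticing: `aaa authorization commands 1 vtymethod` is defined but, unlike the level-15 list, is never applied under `line vty 0 4`, so level-1 commands on those lines are not sent to the server for authorization.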

Hi,

Many thanks for your response!!!

I haven't been able to test this configuration since it has been a very busy day today.

Hope I can test it tomorrow.

Thanks for your help, and I keep you informed about the results.

Koen

Hello,

Many thanks for your help!! This configuration works very well, as you already mentioned!!!

The only thing I'm not really happy with is the fact that when I log on I'm immediately in enable mode. This is very handy, but not really secure. I'll look around for a way to disable this.

Another (maybe stupid) question is why you have to configure the 2 different levels on the switch. This is not really clear to me.

Many thanks for your help and have a very nice weekend.

Regards

Koen