TACACS+ for Device Management Security

valastra
Level 1

Just would like to ask your assistance and more ideas about the above subject.

When TACACS+ is used for device management (for example, in a router), a user is defined in the ACS such that he should not be able to use reload/copy commands inside the router. After defining it, why do the authorization commands defined to deny it not take effect at CLI mode? It took effect only at telnet mode.

What security commands can be applied at the router side or at the ACS side so that even at CLI mode, a user is also controlled in what commands he is allowed to input/use?

Thank you, and looking forward to your suggestions/workarounds.

Vivira Alastra

3 Replies

sghosh
Level 1

What do you mean by CLI mode? Is it the console connection? In certain versions authorization is disabled on the console, and that could be the reason.

Have you added the command

aaa authorization config-commands

and checked whether there is any difference?

mhoda
Level 5

If you are referring to CLI as EXEC (privileged mode), then probably you are missing the command authorization lines.

aaa authorization exec default tacacs+ local

aaa authorization commands 0 default tacacs+ local

aaa authorization commands 15 default tacacs+ local

If you have the above commands and it still doesn't work, then my suggestion would be to give us the profile; possibly the profile was not created properly.

ciscotopgun
Level 1

To make your authorization work while connected to the console, use this hidden command

aaa authorization console

If you are accessing the console using a reverse telnet connection, use this published command

aaa authorization reverse-access default / list-name method1..method2
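Pulling the three replies together, here is an added example of a complete IOS AAA configuration that applies TACACS+ command authorization on the console port as well as on VTY sessions. It was not posted by anyone in the thread. The server address 192.0.2.10 (an RFC 5737 documentation address), the shared key and the local username are placeholders chosen for the example, and "group tacacs+" is the later keyword spelling of the "tacacs+" method written in the replies above.

```cisco
! Added example, not configuration from the thread.
! Placeholders: 192.0.2.10, the TACACS+ key and the local admin account.
aaa new-model
!
! Local privilege-15 account: the "local" fallback below only helps if one exists.
username admin privilege 15 secret LOCAL-PASSWORD-PLACEHOLDER
!
tacacs-server host 192.0.2.10
tacacs-server key SHARED-SECRET-PLACEHOLDER
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Command authorization at each privilege level; every command the user types
! is sent to ACS, which returns permit or deny from the user's profile.
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! Also authorize commands entered inside configuration mode.
aaa authorization config-commands
!
! IOS does not apply authorization to the console port unless this is set,
! which is why a deny configured in ACS appears to work over telnet but not
! when the user is on the console.
aaa authorization console
!
! Record every privileged command on the TACACS+ server for later review.
aaa accounting commands 15 default start-stop group tacacs+
```

Before enabling "aaa authorization console" on a production device, confirm that the "local" fallback method and a privilege-15 local user are in place and test from a second session, because once the console is subject to authorization an unreachable TACACS+ server would otherwise leave no way to manage the router. The accounting line is not required for enforcement but gives the ACS a per-command audit trail for checking that the deny actually takes effect.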