cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3967
Views
0
Helpful
21
Replies

Users authorized commands

rrcarter79
Level 1
Level 1

I want to restrict some users to "show running-config" command.

I have created a Shell Command Authorization Set with "show" command "permit running-config". Under the TACACS+ setting the Shell (exec) is selected and Privilege level with a value of 5. The SCAS is associated to the username.

Config on a Router:

aaa new-model

aaa authentication login vty group tacacs+ local

aaa authentication login console line

aaa authentication enable default group tacacs+ enable

aaa authorization exec vty group tacacs+ local

aaa authorization commands 5 vty group tacacs+

...

line vty 0 4

exec-timeout 30 0

password ***Deleted****

authorization exec vty

login authentication vty

The user gets the privilege of 5 when logged in but is unable to execute the command show running-config.

Thanks

21 Replies 21

- config - session - debug

allows "line vty 0 4"

aaa new-model

aaa authentication login vty group tacacs+ local

aaa authentication login console line

aaa authentication enable default group tacacs+ enable

aaa authorization config-commands

aaa authorization exec vty group tacacs+ local

aaa authorization exec console local

aaa authorization commands 5 vty group tacacs+

aaa authorization commands 15 vty group tacacs+

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

Unauthorized access is strictly prohibited!

Username: username

Password:

LabrtrB#config t

Enter configuration commands, one per line. End with CNTL/Z.

LabrtrB(config)#line vty 0 4

LabrtrB(config-line)#end

LabrtrB#quit

LabrtrB#debug aaa authorization

AAA Authorization debugging is on

LabrtrB#

Jan 21 13:47:34.842: AAA: parse name=tty3 idb type=-1 tty=-1

Jan 21 13:47:34.842: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0

Jan 21 13:47:34.842: AAA/MEMORY: create_user (0x629C5BEC) user='' ruser='' port='tty3' rem_addr='16.47.207.61' authen_type=ASCII service=LOGIN priv=1

Jan 21 13:47:38.362: tty3 AAA/AUTHOR/EXEC (1080771678): Port='tty3' list='vty' service=EXEC

Jan 21 13:47:38.362: AAA/AUTHOR/EXEC: tty3 (1080771678) user='username'

Jan 21 13:47:38.362: tty3 AAA/AUTHOR/EXEC (1080771678): send AV service=shell

Jan 21 13:47:38.362: tty3 AAA/AUTHOR/EXEC (1080771678): send AV cmd*

Jan 21 13:47:38.362: tty3 AAA/AUTHOR/EXEC (1080771678): found list "vty"

Jan 21 13:47:38.362: tty3 AAA/AUTHOR/EXEC (1080771678): Method=tacacs+ (tacacs+)

Jan 21 13:47:38.362: AAA/AUTHOR/TAC+: (1080771678): user=username

Jan 21 13:47:38.362: AAA/AUTHOR/TAC+: (1080771678): send AV service=shell

Jan 21 13:47:38.362: AAA/AUTHOR/TAC+: (1080771678): send AV cmd*

Jan 21 13:47:38.566: AAA/AUTHOR (1080771678): Post authorization status = PASS_ADD

Jan 21 13:47:38.566: AAA/AUTHOR/EXEC: Processing AV service=shell

Jan 21 13:47:38.566: AAA/AUTHOR/EXEC: Processing AV cmd*

Jan 21 13:47:38.566: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15

Jan 21 13:47:38.566: AAA/AUTHOR/EXEC: Authorization successful

Jan 21 13:47:40.790: tty3 AAA/AUTHOR/CMD (1219681448): Port='tty3' list='vty' service=CMD

Jan 21 13:47:40.790: AAA/AUTHOR/CMD: tty3 (1219681448) user='username'

Jan 21 13:47:40.790: tty3 AAA/AUTHOR/CMD (1219681448): send AV service=shell

Jan 21 13:47:40.790: tty3 AAA/AUTHOR/CMD (1219681448): send AV cmd=configure

Jan 21 13:47:40.790: tty3 AAA/AUTHOR/CMD (1219681448): send AV cmd-arg=terminal

Jan 21 13:47:40.790: tty3 AAA/AUTHOR/CMD (1219681448): send AV cmd-arg=

Jan 21 13:47:40.790: tty3 AAA/AUTHOR/CMD (1219681448): found list "vty"

Jan 21 13:47:40.790: tty3 AAA/AUTHOR/CMD (1219681448): Method=tacacs+ (tacacs+)

Jan 21 13:47:40.790: AAA/AUTHOR/TAC+: (1219681448): user=username

Jan 21 13:47:40.790: AAA/AUTHOR/TAC+: (1219681448): send AV service=shell

Jan 21 13:47:40.790: AAA/AUTHOR/TAC+: (1219681448): send AV cmd=configure

Jan 21 13:47:40.790: AAA/AUTHOR/TAC+: (1219681448): send AV cmd-arg=terminal

Jan 21 13:47:40.790: AAA/AUTHOR/TAC+: (1219681448): send AV cmd-arg=

Jan 21 13:47:40.994: AAA/AUTHOR (1219681448): Post authorization status = PASS_ADD

Jan 21 13:47:45.006: AAA: parse name=tty4 idb type=-1 tty=-1

Jan 21 13:47:45.006: AAA: name=tty4 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=4 channel=0

Jan 21 13:47:45.006: AAA/MEMORY: create_user (0x62AAF52C) user='' ruser='' port='tty4' rem_addr='x.x.x.x' authen_type=ASCII service=LOGIN priv=1

Jan 21 13:47:45.606: AAA/MEMORY: free_user (0x62AAF52C) user='' ruser='' port='tty4' rem_addr='x.x.x.x' authen_type=ASCII service=LOGIN priv=1

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): Port='tty3' list='vty' service=CMD

Jan 21 13:47:47.490: AAA/AUTHOR/CMD: tty3 (1403778660) user='username'

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): send AV service=shell

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): send AV cmd=line

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): send AV cmd-arg=vty

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): send AV cmd-arg=0

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): send AV cmd-arg=4

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): send AV cmd-arg=

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): found list "vty"

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): Method=tacacs+ (tacacs+)

Jan 21 13:47:47.490: AAA/AUTHOR/TAC+: (1403778660): user=username

Jan 21 13:47:47.490: AAA/AUTHOR/TAC+: (1403778660): send AV service=shell

Jan 21 13:47:47.494: AAA/AUTHOR/TAC+: (1403778660): send AV cmd=line

Jan 21 13:47:47.494: AAA/AUTHOR/TAC+: (1403778660): send AV cmd-arg=vty

Jan 21 13:47:47.494: AAA/AUTHOR/TAC+: (1403778660): send AV cmd-arg=0

Jan 21 13:47:47.494: AAA/AUTHOR/TAC+: (1403778660): send AV cmd-arg=4

Jan 21 13:47:47.494: AAA/AUTHOR/TAC+: (1403778660): send AV cmd-arg=

Jan 21 13:47:47.694: AAA/AUTHOR (1403778660): Post authorization status = PASS_ADD

Jan 21 13:48:09.890: %SYS-5-CONFIG_I: Configured from console by username on vty1 (x.x.x.x)

Note, the output shows the TAC+ server allowing the commands. Did you explicitly deny them? If so, check your configuration. I have never did this in CSNT but this is where the issue lies.

I configured the commands that I want the users to be able to execute. I checked the box that deny and unmatched commands.

Commands allowed:

config - permit term

help

traceroute

ping

show

location

logout

Just tested in the lab, worked fine.

I created a SCAS permitting the commands you want to permit. Unmatched commands was checked and the Permit Unmatched Arguments was not selected. The SCAS was assigned to the group.

For the location command, enter location as the command and whatever you argument you wish to permit, eg. , permit NMS.

The only difference, is I did not use a list for the vty ports, I used default. Here is my config:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization config-commands

aaa authorization exec default group tacacs+ local if-authenticated

aaa authorization commands 15 default group tacacs+ local if-authenticated

I want to do something similar to what you are doing, i want to have two groups in ACS, one that has a number of users that have full access to routers and, another group that can only do a show log, version and interfaces

After messing around for some time I came here and saw that I am not alone!

Can you post the working router config

I'll buy you a cold one next time you are in Ozz

regards Richard.

Hi Richard,

Assuming you already have configured your device or devices in the ACS properly, here is my recommendation:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication login NO_AUTHEN none

aaa authorization exec default group tacacs+ local if-authenticated

aaa authorization exec NO_AUTHOR none

aaa authorization commands 15 default group tacacs+ local if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 NO_AUTHOR none

username backdoor privilege 15 password

line con 0

authorization commands 15 NO_AUTHOR

authorization exec NO_AUTHOR

login authentication NO_AUTHEN

This provides you a mechanism to login with the local account if the connection to the ACS goes down or you receive an error. It also disables AAA on the console port, but that is subject to your requirements.

For the group you want to have full access, assign privilege level 15 and under Shell Command Authorization Set, click Per Group Command Authorization, Permit unmatched commands and arguments.

For the group you only want to permit the three show commands, assign privilege level 1. Under SCAS, select Per Group Command Authorization,

Deny unmatched commands and arguments. Then click command and in the block type show, then below:

permit log

permit version

permit interface

I'll hold you to that beer if I am ever in Ozz. ;-)

Thanks

I'll give it a go

Richard.