cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
582
Views
0
Helpful
2
Replies

Why does "Only Show" allow the enable command, but prevent "show" commands?

gruntsbp40
Level 1
Level 1

I'm having trouble understanding AAA processing logic. I just followed this guide to set up differentiated user level authentication profiles via TACACS+ on ACS version 5.6:

http://www.security-solutions.co.za/Cisco-ACS-5.2-Role-Based-Authentication-Authorization-For-Different-Privilege-Levels-Configuration-Example.html

This aaa model on the switch did not work at all:

aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authorization console
aaa authorization exec default group tacacs+ 

Because even though ACS was configured to allow his user group "Only show" commands, a "maximum privilege level" of 1 still allows a user to enable the device if he knows the enable password. It wasn't until the following was added to the configuration:

aaa authentication enable default group tacacs+ enable

That the users were prevented from enabling the router, but only after it allowed them to attempt to input the enable password:

Switch>en
password: 
% Error in authentication.

We would rather prevent users in this lower level group access to the enable command all-together and prefer that the command set "Only Show" really meant "Only Show".

Is there a reference somewhere that clearly outlines the aaa decision tree and the configuration elements that affect each branch of that tree. Why would authorization associated to a shell profile that allows "Only show" commands NOT allow a SHOW RUN which is a show command, but would allow "enable" which is NOT a show command?  

(I get that the reason "show run" failsis that "show run" is a priv 15 command, but does that mean "enable" is a priv 1 comand?)

Thanks!

2 Replies 2

gruntsbp40
Level 1
Level 1

I guess what I'm saying is that it functions like command authorization doesn't do anything - that the authentication part of aaa is really what's in control of access to certain commands. Regardless of the authorization policy assigned to a given user, if the authentication piece doesn't preclude a user from enabling the device, then command authorization has no effect. Why does it appear this way?

I ran into a similar issue. For command authorization to work in the first place, the switch/router needs to be send the commands for authorization to the ACS using  a command similar to:

aaa authorization commands X MyList group tacacs+ local

where X is the command level.

I found out that "enable" is a level 0 command, while I was authorizing level 1 and 15 only, so my command set blocking the "enable" command was never invoked.

Ref: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfauth.html

" There are five commands associated with privilege level 0: disable, enable, exit, help, and logout. If you configure AAA authorization for a privilege level greater than 0, these five commands will not be included in the privilege level command set. "

Hope this helps.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: