Why does "Only Show" allow the enable command, but prevent "show" commands?

gruntsbp40
Level 1

I'm having trouble understanding AAA processing logic. I just followed this guide to set up differentiated user level authentication profiles via TACACS+ on ACS version 5.6:

http://www.security-solutions.co.za/Cisco-ACS-5.2-Role-Based-Authentication-Authorization-For-Different-Privilege-Levels-Configuration-Example.html

This aaa model on the switch did not work at all:

aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authorization console
aaa authorization exec default group tacacs+ 

Because even though ACS was configured to allow his user group "Only show" commands, a "maximum privilege level" of 1 still allows a user to enable the device if he knows the enable password. It wasn't until the following was added to the configuration:

aaa authentication enable default group tacacs+ enable

that the users were prevented from enabling the router, but only after it allowed them to attempt to input the enable password:

Switch>en
password: 
% Error in authentication.

We would rather prevent users in this lower level group access to the enable command altogether and prefer that the command set "Only Show" really meant "Only Show".

Is there a reference somewhere that clearly outlines the aaa decision tree and the configuration elements that affect each branch of that tree? Why would authorization associated to a shell profile that allows "Only show" commands NOT allow a SHOW RUN, which is a show command, but would allow "enable", which is NOT a show command?

(I get that the reason "show run" fails is that "show run" is a priv 15 command, but does that mean "enable" is a priv 1 command?)

Thanks!

2 Replies

gruntsbp40
Level 1

I guess what I'm saying is that it functions like command authorization doesn't do anything - that the authentication part of aaa is really what's in control of access to certain commands. Regardless of the authorization policy assigned to a given user, if the authentication piece doesn't preclude a user from enabling the device, then command authorization has no effect. Why does it appear this way?

I ran into a similar issue. For command authorization to work in the first place, the switch/router needs to send the commands for authorization to the ACS using a command similar to:

aaa authorization commands X MyList group tacacs+ local

where X is the command level.

I found out that "enable" is a level 0 command, while I was authorizing level 1 and 15 only, so my command set blocking the "enable" command was never invoked.

Ref: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfauth.html

"There are five commands associated with privilege level 0: disable, enable, exit, help, and logout. If you configure AAA authorization for a privilege level greater than 0, these five commands will not be included in the privilege level command set."

Hope this helps.
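Putting the two replies together, the following is an added example of the switch-side AAA configuration (written for this thread, not posted by either participant): it combines the original poster's login and enable authentication lines with command authorization at levels 0, 1 and 15, so that "enable" (a level-0 command) is sent to ACS and can be denied by an "Only Show" command set. The list name, server name, address and shared key are placeholders; the `tacacs server` block uses the newer IOS syntax, and older releases use `tacacs-server host` instead.

```cisco
! Added example, not from the original posts. Names, address and key are placeholders.
aaa new-model
!
! Login and enable authentication against TACACS+. The trailing "local" /
! "enable" keywords are reached only when no TACACS+ server answers.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Exec authorization applies the privilege level returned in the ACS shell profile.
aaa authorization console
aaa authorization exec default group tacacs+ local
!
! Command authorization. Level 0 covers disable, enable, exit, help and logout;
! level 1 covers user-mode commands such as "show"; level 15 covers the rest.
! Without the level-0 line the switch never asks ACS about "enable", so an
! "Only Show" command set cannot deny it.
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Also send configuration-mode commands to ACS for authorization.
aaa authorization config-commands
!
! TACACS+ server definition (placeholder values).
tacacs server ACS-SERVER
 address ipv4 192.0.2.10
 key PLACEHOLDER-SHARED-KEY
```

With the level-0 line in place the switch asks ACS to authorize the `enable` command itself when the user types it, before any enable password prompt, so a user whose command set denies it sees a command authorization failure instead of the "% Error in authentication." shown above. The `local` fallback on the authorization lines means that if every TACACS+ server is unreachable, IOS falls back to plain privilege-level checks; remove it if you would rather have commands fail closed in that case.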