Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
868
Views
0
Helpful
1
Replies

Tacacs Command Authorization

sean.cline
Level 1
Level 1

‎05-05-2013 06:10 PM

Hello awsome community

I am trying to wrap my head around a possible configuration issue where I am creating a "rancid" account to auto log into a cisco switch (2950/2960) with restricted access. The problem is I cannot seem to restrict the access verry well, the rancid user has all the access it wants

Tacacs Config Snippit:

group = rancid {

default service = deny

service = exec {

priv-lvl = 15

}

cmd = show {

permit .*

}

cmd = exit {

permit .*

}

cmd = dir {

permit .*

}

cmd = write {

permit term

}

Cisco AAA Configuration:

aaa new-model

!

aaa authentication login default group tacacs+ local

aaa authentication login console group tacacs+ local

aaa authentication enable default group tacacs+

aaa authorization console

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

Is there something I am missing or not accuratly setting up to restrict access to *only* the commands listed in the Tacacs Configs?

Labels:
0 Helpful
1 Reply 1

sean.cline
Level 1
Level 1

‎05-05-2013 06:32 PM

Found the issue \o/

I lacked some authorization commands, added the following fixed this issue:

aaa authorization config-commands

aaa authorization commands 1 default group tacacs+

aaa authorization commands 15 default group tacacs+

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card