02-27-2004 01:35 AM - edited 03-02-2019 01:53 PM
Hi All,
We have AAA enabled on all of our devices within the network but are unable to manage our Cat Switches via CMS. Authentication of users gaining access is performed on the ACS server. I have only used CMS before via authentication through the local database. Does anybody know of a workaround for this problem?
Many Thanks
Stevep
02-29-2004 01:40 PM
For CMS you are required to have level 15 privilege. When you connect to a device you are by default given level 0 privilege; when you enter enable mode you are granted level 15 - this is where you need to be to use CMS (or the http server).
I have managed this before by making the user a level 15 privilege user by default on the ACS Server - I can't remember exactly where, when configuring the user on ACS, but there is definitely an option for a user to have level 15 access by default.
Andy
02-29-2004 07:54 PM
I believe what you're looking for is this:
aaa authentication login default tacacs local
aaa authorization exec default local
ip http authentication aaa
Unless I'm too tired to remember, this should provide access to the router/switch via either telnet or http to use your configured tacacs server. A side effect will probably be that immediately upon logging in via telnet you will be in enable mode, desirable for some, but not others.
03-01-2004 03:36 AM
Thanks for your replies guys, but neither solution works. I checked out our ACS server, which was already set up to make all users a level 15 privilege user by default. Likewise for the other suggestion of:
aaa authentication login default tacacs local
aaa authorization exec default local
ip http authentication aaa
If TACACS+ is enabled and online then authentication will never fall back to local auth.
I did find a workaround though, with this command.
ip http authentication enable
This still allows all users to be authenticated via AAA, but the http server will use the enable password. Not the best solution, but still a workaround.
Cheers
Stevep
03-02-2004 04:51 AM
Hi:
CMS works only in two profiles:
READ-WRITE for users with privilege level 15
READ-ONLY for users with other privilege levels.
If you want some kind of management, try other tools provided by Cisco's http interface, like monitoring the switch at some privilege level. This allows you to run some IOS commands on the web interface.
You should gain access at a given privilege level by using the URL http://device_IP/level/priv_level
You should also limit the commands authorized to that level by using tacacs+ or local authorization.
Regs
Jose Manuel
03-03-2004 05:24 AM
Hi:
It seems to work :-)
I tested with ACS 3.1 and a Cat 3550G-24T IOS 12.1(19)EA1a
You should first define a Tacacs+ user group that assigns privilege level 15 to the users; you should also restrict the commands that group can use.
You can do this by assigning the appropriate Shell Command Authorization Set to the group.
When you access the web interface, you are prompted for a level 15 username and password: the username that has restrictions on the commands has privilege level 15.
You can navigate as usual, but when applying changes, command authorization is requested and acts as configured in the Shell Command Authorization Set. If a command is not granted, it cannot be executed and the web interface warns about it when applying changes.
I added to the config:
aaa new-model
! login authentication: TACACS+ first, local database only if no server answers
aaa authentication login default group tacacs+ local
! config-mode commands are also sent for authorization
aaa authorization config-commands
! exec authorization lets ACS assign the privilege level at login
aaa authorization exec default group tacacs+ local
! level-15 commands are checked against the Shell Command Authorization Set
aaa authorization commands 15 default group tacacs+ local
! the http server (and therefore CMS) uses the AAA lists above
ip http authentication aaa
and defined the appropriate settings on ACS.
Regs.
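For readers assembling the pieces from this thread, here is the complete switch-side configuration as an added example; it is not taken from any of the posts above. The server address 192.0.2.10, the shared key, the local account and the access-list number are placeholders chosen for illustration. The ACS-side work (a group with Shell privilege level 15 and a Shell Command Authorization Set attached to it) is done in the ACS GUI and is not shown here. The weak workaround discussed earlier in the thread is kept, commented out, for contrast.

```text
! --- Weak workaround (ip http authentication enable), shown for contrast ---
! ip http authentication enable
! Every browser user proves knowledge of the single shared enable secret:
! no per-user identity, no command authorization, no per-user accounting.

! --- Corrected setup: CMS/HTTP logins go to TACACS+ with command authorization ---
aaa new-model
!
! TACACS+ server definition (placeholder address and key)
tacacs-server host 192.0.2.10
tacacs-server key ExampleSharedKey
!
! Login: ask the TACACS+ group first; "local" is used only when no server
! responds, not when a server rejects the credentials
aaa authentication login default group tacacs+ local
!
! Exec: ACS pushes the privilege level (15 for the CMS group) at login
aaa authorization exec default group tacacs+ local
!
! Level-15 commands, including configuration-mode commands, are checked
! against the group's Shell Command Authorization Set on ACS
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
!
! Record which user pushed which command, from CMS or from the CLI
aaa accounting commands 15 default start-stop group tacacs+
!
! Local fallback account, usable only while every TACACS+ server is unreachable
service password-encryption
username admin privilege 15 password ExampleLocalPassword
!
! HTTP server: authenticate via the AAA lists above and limit who may reach it
ip http server
ip http authentication aaa
ip http access-class 10
access-list 10 permit 192.0.2.0 0.0.0.255
```

To check the result before handing it to CMS, log in over telnet as a member of the ACS group and run `show privilege` (it should report level 15 without entering `enable`), then try a command the authorization set denies and confirm the switch refuses it; `debug aaa authorization` shows the request and the ACS verdict for each command. The access-class is a defence in depth on top of authentication, since the management web interface should never be reachable from arbitrary hosts.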