AAA, Tacacs+ and ACS

jonhill
Level 1

I'm trying to use ACS (v4.1) to authenticate admins to our Cisco switches and also restrict access to particular commands for particular users. I've done a lot of research on this but can't find a complete document that goes through it step by step.

What I have so far on the switch is

enable secret 5 removed

username admin privilege 15 password 7 removed

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ local if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

The local admin logs in perfectly fine when the switch is not connected to the network.

When I connect the switch to the network and login using my AD credentials it works a treat.

When I try to log in with a local ACS account for testing (which has Max Privilege for any AAA Client set to Level 1, and under TACACS+ Settings Shell (exec) is ticked, as is Privilege level, which is also set to 1), it logs in fine, but when I try to go into exec mode it fails with the errors below:

% Error in authentication.

.Oct 25 14:19:20.288: %SYS-5-PRIV_AUTH_FAIL: Authentication to privilege level 15 failed by test on console

I don't want test to go into exec mode as level 15; I want it to go in as level 1, or some level other than 15, so I can control what commands it has access to through ACS.

I'm at a loss to know why this isn't working, so any help would be much appreciated.

Thanks

Jon

12 Replies

Jatin Katyal
Cisco Employee

What error do you see on ACS 4.1 > Reports and Activity > Failed Attempts?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

The error ACS is reporting is User exceeded max sessions

Checked max session for the group and they're set at unlimited.

Please make sure we have nothing configured at the user level, because user settings always take precedence over group settings. Also, please post a screenshot of the max session settings at the group level.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

See below group and user Max session settings.

The problem you are facing and the error you're seeing on ACS ("max sessions exceeded") seem to be two different issues. I read that you don't want to try this with Max Privilege and privilege level set to 15. However, if you want to restrict a user to a few commands on any IOS, that can't be done like this.

You need to have command authorization enabled on the switch and a command set on the ACS > Shell Command Authorization. This is a pretty common feature that we use day in, day out.

You need to set the privilege level to 15 because we are using exec authorization on the switch, and then follow this document:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

You will see a few examples of read-only access and read-write access.

You may also let me know which commands you would like to allow for read-only access.

Please feel free to let me know if you need any further assistance.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

I flattened the AAA config on the switch, started from scratch on the ACS, and configured both as per the Cisco doc you shared, with the addition of aaa authentication login default group tacacs+ local.

When I came to the user config, it asks to assign the command authorisation set at the user level as well as the group level, but I don't have the option within ACS to assign any command authorisation sets at the user level.

When I tested the config by logging in with the restricted access account, it didn't restrict any of the commands and allowed everything.

Thanks

In order to assign shell command authorization at the user level, please check the option under Interface Configuration > TACACS+ (Cisco) > Shell (exec) under User as well.

To verify why it's not restricting the user with read-only access, please post the output of

show run | in aaa

I need to see if you have command authorization configured correctly.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

See the AAA output below:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization config-commands

aaa authorization commands 0 default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

aaa session-id common

Seems fine. Can you show me how you have created the restricted command set on ACS and where it is applied?

If that looks good, we will collect the following debugs:

debug tacacs+

debug aaa authentication

debug aaa authorization

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
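The two switch-side AAA configs in this thread (the one in the original question and the show run | in aaa output just above) can be compared against a checklist of what TACACS+ command authorization needs. The Python below is an added example, not code from the thread, from Cisco or from ACS: the checklist of required lines is an assumption drawn from the posted configs and the usual ACS shell-command-authorization setup, and both sample configs are constructed from the lines the poster shared. It also flags the if-authenticated keyword, which makes authorization fail open whenever no TACACS+ server answers.

```python
"""Check an IOS running-config for the AAA pieces TACACS+ command authorization relies on.

Added example, not code from the original thread, from Cisco or from ACS.
The checklist of required lines is an assumption drawn from the configs
posted in the thread and from the usual ACS shell-command-authorization
setup; adjust it to your own policy.  Both sample configs are constructed
from the lines the poster shared.
"""
import re

# Constructed sample: the poster's first config (exec and command authorization
# with the if-authenticated fallback).
CONFIG_FIRST = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

# Constructed sample: the poster's second config (after flattening and redoing it).
CONFIG_SECOND = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common
"""

# Finding id -> (regex that must match one config line, explanation).
# Assumed checklist; the regexes accept extra method keywords after 'default'.
REQUIRED = {
    "new-model": (r"^aaa new-model$",
                  "AAA is not enabled (aaa new-model)"),
    "login": (r"^aaa authentication login default .*\bgroup tacacs\+",
              "login authentication does not go to TACACS+"),
    "enable": (r"^aaa authentication enable default .*\bgroup tacacs\+",
               "enable authentication is not sent to TACACS+ (the local enable secret is used)"),
    "exec": (r"^aaa authorization exec default .*\bgroup tacacs\+",
             "no exec authorization, so the priv-lvl ACS returns is never applied to the shell"),
    "cmd1": (r"^aaa authorization commands 1 default .*\bgroup tacacs\+",
             "level 1 commands are not authorized against the ACS command set"),
    "cmd15": (r"^aaa authorization commands 15 default .*\bgroup tacacs\+",
              "level 15 commands are not authorized against the ACS command set"),
    "acct-cmd15": (r"^aaa accounting commands 15 default start-stop group tacacs\+",
                   "level 15 commands are not accounted, so there is no audit trail"),
}


def audit_aaa(config: str) -> list:
    """Return finding ids: 'missing:<id>' for absent lines, 'fail-open:<line>'
    for if-authenticated fallbacks and 'config-commands-disabled' if config-mode
    commands are exempt from authorization."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    for fid, (pattern, _) in REQUIRED.items():
        if not any(re.search(pattern, ln) for ln in lines):
            findings.append("missing:" + fid)
    # if-authenticated means: when no TACACS+ server answers, any authenticated
    # user is authorized anyway, i.e. the command restrictions fail open.
    for ln in lines:
        if ln.startswith("aaa authorization") and "if-authenticated" in ln:
            findings.append("fail-open:" + ln)
    # Configuration-mode commands are authorized by default once command
    # authorization is on; the explicit 'no' form exempts them.
    if "no aaa authorization config-commands" in lines:
        findings.append("config-commands-disabled")
    return findings


def report(config: str) -> list:
    """Human-readable lines for the findings of audit_aaa."""
    out = []
    for f in audit_aaa(config):
        kind, _, detail = f.partition(":")
        if kind == "missing":
            out.append(f"MISSING  {detail}: {REQUIRED[detail][1]}")
        elif kind == "fail-open":
            out.append(f"FAIL-OPEN  {detail}")
        else:
            out.append(f"WEAK  {f}")
    return out


if __name__ == "__main__":
    for name, cfg in (("first config", CONFIG_FIRST), ("second config", CONFIG_SECOND)):
        print(f"== {name} ==")
        for line in report(cfg) or ["no findings"]:
            print(line)
```

Run against the first config it reports no missing lines but three fail-open fallbacks; against the second it reports that enable authentication, exec authorization and command accounting for level 15 are absent. Paste your own show run | in aaa output into CONFIG_FIRST to check a real switch, and treat the checklist as a starting point rather than Cisco's definition of a correct setup.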

[Screenshots attached: User and Group shell command authorization settings]

That looks good too.

What have you tried in your testing? Can you pick an example that shouldn't work for you but is working?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

I've logged in with a test account called admin, which is part of the Restrict Access group and is also configured as a user for the command set.

Once logged in, I've run the following commands:

conf t

interface fa0/3

duplex full

which have all worked.

Thanks
