02-09-2011 01:17 AM - edited 03-10-2019 05:48 PM
Hi
I am facing a problem related to command set authorization. We want to restrict only “show running-config” to the one group called netadmin; all other commands, including “show *”, should be denied.
I created one user (netadmin) locally and also created one identity group (netadmin) and joined the user to the netadmin identity group.
I configured shell privilege level 15, configured the command set authorization and applied it to the identity group.
The command set is as follows.
-----------------
Grant    Command    Argument
Permit   show       running-config
----------------------------
The problem is that the netadmin user is able to run all show commands; we want him to run only one command, “show running-config”.
He is not able to run “config t” and gets the message “authorization failed”.
Regards,
Vashdev
02-09-2011 03:09 AM
Before you troubleshoot this issue, make sure that you have standard command authorization on the switch.
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
You are missing the below listed commands:
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
After that, try again and see what you see in the ACS failed attempts.
Rgds, Jatin
Do rate helpful posts~
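As an added illustration (not from the thread), a small Python model of the decision IOS makes before running a command: `aaa authorization commands <level>` only covers commands at that privilege level, so with only level 15 configured, level-1 show commands are never sent to ACS at all, which is exactly the symptom above. The default privilege levels and the command-set matching rules are simplifying assumptions.

```python
"""Model of IOS per-privilege-level command authorization against an ACS-style
command set (added example, not from the thread; levels and matching are
simplified assumptions)."""
from dataclasses import dataclass

# Assumed default IOS privilege levels: "show running-config" and
# "configure terminal" are level 15, most other show commands are level 1.
DEFAULT_PRIV = {
    "show running-config": 15,
    "show version": 1,
    "show ip interface brief": 1,
    "configure terminal": 15,
}

@dataclass
class CommandSet:
    """ACS-style command set of (grant, command, argument) rows; an empty
    argument matches anything, and unmatched commands are denied (assumed)."""
    rows: list

    def authorize(self, cmd: str) -> bool:
        command, _, argument = cmd.partition(" ")
        for grant, row_cmd, row_arg in self.rows:
            if row_cmd == command and row_arg in ("", argument):
                return grant == "permit"
        return False

def ios_decision(cmd: str, authorized_levels: set, cmdset: CommandSet) -> str:
    """Without an 'aaa authorization commands <level>' line for the command's
    privilege level, IOS runs the command and never asks the TACACS+ server."""
    if DEFAULT_PRIV[cmd] not in authorized_levels:
        return "run, no authorization request sent"
    if cmdset.authorize(cmd):
        return "run, permitted by command set"
    return "blocked, authorization failed"

def run_scenario(authorized_levels: set) -> dict:
    """Outcome of every modelled command for one set of configured levels."""
    cmdset = CommandSet(rows=[("permit", "show", "running-config")])
    return {c: ios_decision(c, authorized_levels, cmdset) for c in DEFAULT_PRIV}

if __name__ == "__main__":
    # Original switch config: only 'aaa authorization commands 15 ...'
    for cmd, outcome in run_scenario({15}).items():
        print(f"[level 15 only]  {cmd:24} -> {outcome}")
    # After the fix: 'aaa authorization commands 0/1/15 ...' are all present
    for cmd, outcome in run_scenario({0, 1, 15}).items():
        print(f"[levels 0/1/15]  {cmd:24} -> {outcome}")
```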
02-09-2011 01:50 AM
The command set is a bit incorrect. It should look like:
Grant Command Argument
Show permit running-config
You may look at the below listed example
Rgds, Jatin
Do rate helpful posts~
02-09-2011 01:59 AM
I already tried the permit word inside the argument and followed the same document which you mentioned, but it’s not working.
02-09-2011 02:40 AM
What do you see in the failed attempts?
Also, paste the output of the command show run | in aaa
Run the debugs on the device:
debug tacacs
debug aaa authen
debug aaa author
Rgds, Jatin
Do rate helpful posts~
02-09-2011 03:01 AM
Hi
Here is the AAA configuration of the switch. Right now I don't have access to the switch to get the debug. As soon as I get access I will collect the debug and post it.
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec CONSOLE if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
02-09-2011 04:55 AM
Hi Jatin,
After applying the suggested aaa configuration on the switch, it is working fine.
Thanks for your support.
Regards,
Vashdev