Problem prohibiting a user from using the "enable" command via linux tacacs+ server

starbuck33
Level 1

I have a problem with prohibiting the "enable" command for a user "noob" via a Linux tacacs+ server.

I can authenticate and log into the Cisco device as "noob" via the Linux tacacs+ server, and "noob" has privilege level 1 as expected, but is still able to use the "enable" command and also achieve privilege level 15 with it. What am I missing?

Here are the configs:

Cisco router config:

!
enable secret 5 %1$SiyQ$rOXXXXXXXX1ZwOZQWHmoKJ8f
!
aaa new-model
!
aaa authentication login M-LOGIN group tacacs+ local
aaa authorization config-commands
aaa authorization exec M-EXEC group tacacs+ local
aaa authorization commands 0 M-LVL-0 group tacacs+ local
aaa authorization commands 1 M-LVL-1 group tacacs+ local
aaa authorization commands 15 M-LVL-15 group tacacs+ local
aaa accounting exec M-ACCT-EXEC start-stop group tacacs+
aaa accounting commands 1 M-1-ACCT start-stop group tacacs+
aaa accounting commands 15 M-15-ACCT start-stop group tacacs+
!
username user1 privilege 15 secret 5 P1dsafXXXXXXXXERHQIrr_8sfw
!
!
!
tacacs server test
address ipv4 192.168.0.1
key 7 XXXXXXXXXXXXXXXX19XXXXXXXXXx123F20291718
!
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
line vty 0 4
authorization commands 0 M-LVL-0
authorization commands 1 M-LVL-1
authorization commands 15 M-LVL-15
authorization exec M-EXEC
accounting commands 1 M-1-ACCT
accounting commands 15 M-15-ACCT
accounting exec M-ACCT-EXEC
login authentication M-LOGIN
transport input ssh
!

-----------------------------------------------------------------


Debian /etc/tacacs+/tac_plus.conf:

accounting file = /var/log/tac_plus.acct
key = "XXXXXXXxxxxxXXXXXxxxxxXXX"

group = admins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

group = test {
    cmd = enable { deny .* }
    cmd = show { deny .* }
    cmd = show { permit .* }
    cmd = copy { permit .* }
    cmd = ping { permit .* }
    cmd = configure { deny .* }
    cmd = disable { permit .* }
    cmd = telnet { permit .* }
    cmd = disconnect { permit .* }
    cmd = where { permit .* }
    cmd = set { permit .* }
    cmd = clear { permit line }
    cmd = exit { permit .* }
    cmd = debug { permit .* }
}

user = user1 {
    member = admins
    login = des GXXXXXXXXZEQu
}

user = noob {
    member = test
    login = des F9XXXXXXXXOTu
}
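An added example, not code from the poster or from tac_plus itself: a small Python evaluator that applies the first-match rule for `cmd = NAME { permit|deny REGEX }` lines to the posted "test" group, so you can see what the policy by itself decides for `enable`, `show` and `clear` before blaming the server. It assumes tac_plus's documented semantics (the regex is tested against the command's arguments, a group without `default service = permit` denies commands that have no block, and a block in which no line matches denies) and treats the duplicate `show` block as a lint finding.

```python
import re

# Constructed sample: the "test" group from the posted tac_plus.conf,
# trimmed to the entries that matter for the question.
TEST_GROUP = """
group = test {
cmd = enable { deny .* }
cmd = show { deny .* }
cmd = show { permit .* }
cmd = ping { permit .* }
cmd = configure { deny .* }
cmd = clear { permit line }
cmd = exit { permit .* }
}
"""

BLOCK_RE = re.compile(r"cmd\s*=\s*(\S+)\s*\{([^}]*)\}")
DEFAULT_RE = re.compile(r"default\s+service\s*=\s*(permit|deny)")


def parse_group(text):
    """Return (default_action, {cmd: [(action, regex), ...]}, lint warnings)."""
    m = DEFAULT_RE.search(text)
    default = m.group(1) if m else "deny"  # no 'default service' line => deny
    rules, warnings = {}, []
    for name, body in BLOCK_RE.findall(text):
        if name in rules:  # assumption: keep the first block; a real tac_plus may reject the file
            warnings.append(f"duplicate 'cmd = {name}' block; the later one is ignored here")
            continue
        rules[name] = []
        for line in body.strip().splitlines():
            action, _, pattern = line.strip().partition(" ")
            rules[name].append((action, pattern))
    return default, rules, warnings


def authorize(rules, default, command):
    """Decide one command line the way tac_plus does: the first matching regex wins."""
    name, _, args = command.strip().partition(" ")
    if name not in rules:
        return default  # no block for this command: the group's default service decides
    for action, pattern in rules[name]:
        if re.search(pattern, args):  # the regex is tested against the arguments only
            return action
    return "deny"  # a block exists but no line matched


def decide(command, group_text=TEST_GROUP):
    default, rules, _ = parse_group(group_text)
    return authorize(rules, default, command)


def lint(group_text=TEST_GROUP):
    return parse_group(group_text)[2]
```

The policy itself already denies `enable`, so what the router does with `enable` is the separate half of the problem: the posted IOS config has no `aaa authentication enable` line, so the locally configured `enable secret` is what gets checked.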

Accepted Solution

hslai
Cisco Employee

I am not experienced with the app you are using. I would recommend either trying its own support forum or switching to our product.

From what I can tell, you should be able to remove the enable cmd from the group "test".


4 Replies


Your answer is not competent or helpful in any way. Can I mark it as spam? Have a nice day.


@starbuck33 wrote:

> Your answer is not competent or helpful in any way. Can I mark it as spam? Have a nice day.


It seems as though you're asking about how to use a 3rd party server? This forum is for using the ISE AAA server. Please repost your question to the TACACS+ server forum.

This right here is the ignorance, arrogance and incompetence I also, unfortunately, got used to receiving from Cisco TAC in recent years (of course there are a few positive exceptions..). Combined with the bad software quality and crappy customer service (for example: Nexus updates, clock issue handling (took years! wtf...), Cisco Prime IS + Collaboration - anyone? what a piece of garbage) and confusing licensing policies, Cisco with its greedy politics is not making many new friends.