Question on Read access on Cisco Routers

hassan_si
Level 1

I have an ACS server for AAA authentication for our Routers. We have given read access to our L1 support team so that they can do show and ping commands in user exec mode. However, once they logged in with the read account, they could not find the show and ping commands, and they are also not available under the '?' help.

************

Running config below

!

tacacs-server host 10.223.xx.xx
tacacs-server host 10.223.xx.xx
tacacs-server directed-request
tacacs-server key 7 xxxxxxxxxxx

!

privilege exec level 5 traceroute
privilege exec level 5 ping
privilege exec level 5 show ip route
privilege exec level 5 show ip
privilege exec level 5 show startup-config
privilege exec level 5 show running-config
privilege exec level 5 show

*******************

In addition to that, before implementing AAA authentication, we configured read-access user exec mode locally on the Router with privilege level 5 and it was working fine.

After implementing the ACS, they could log in but there were no show and ping commands under the help command.

6 Replies

wzhang
Cisco Employee

Hi,

Are you using AAA authorization to assign the user privilege levels through AAA? When the user logs in, does he/she get the privilege assigned (show privilege)? Could you also share your AAA configuration?

Thanks,

Wen

Hi Wen,

Are you using AAA authorization to assign the user privilege levels through AAA?

Yes

In ACS, we have the same group level setting configured for network Core Switches and Routers. Under the Group level setting we have given read access mode. In that, Level 1 users are able to issue show and ping commands on the other core switches under user exec mode.

But we have issues only with 4 routers which were added recently to the same group level setting in ACS.

The TACACS config from the other Core SW


tacacs-server host 10.223.xx.xx
tacacs-server host 10.223.xx.xx
tacacs-server directed-request
tacacs-server key 7 xxxxxxx

The only difference I can see is that there is no privilege level set locally on the Core Switches.

Can you confirm if the issue is due to the privilege level locally set on the Routers?

Thanks,

Hassan

AAA config on Core switch and Routers

aaa new-model
!
!
aaa authentication login default group tacacs+ local-case
aaa authentication enable default group tacacs+ enable
aaa accounting commands 15 default stop-only group tacacs+
!
aaa session-id common

Hi,

Are you using AAA authorization to assign the user privilege levels through AAA?

Yes

Then where is the aaa authorization command?

aaa authentication login default group tacacs+ local-case
aaa authentication enable default group tacacs+ enable
aaa accounting commands 15 default stop-only group tacacs+

Regards.

Alain.

Don't forget to rate helpful posts.

I believe that Alain has correctly identified the problem as being that you are not using authorization from ACS for the users. The suggestion from Wen to use the show privilege command would be a good way to verify that the users are in fact getting assigned to privilege level 1.

HTH

Rick


Thanks.. Yes, AAA authorization is not configured on ACS. However, it worked after removing the locally configured Privilege command from the Router.

Thanks for your support

Hassan
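A worked illustration of the diagnosis reached in this thread, as an added example that is not part of the original posts and not Cisco code. It models two IOS rules at once: without `aaa authorization exec ... tacacs+` a TACACS+ login never receives the ACS-assigned level and starts at the line default of 1 (the script assumes no `privilege level` override on the vty lines), and a `privilege exec level 5 show ip route` line also moves the parent keywords `show ip` and `show` to level 5 unless they are set explicitly, so a level-1 user loses every `show` command. The two configs are constructed to mirror the router and core-switch snippets above; the ACS-assigned level of 5 is an assumption. On a real box, confirm the landing level with `show privilege` as Wen suggested.

```python
"""Model how 'privilege exec level' lines and a missing
'aaa authorization exec' combine for a TACACS+ (ACS) login on Cisco IOS.

Added example, not from the thread or from Cisco. The configs below are
constructed to mirror the thread's snippets; the ACS level (5) is assumed.
"""
import re

DEFAULT_LEVEL = 1  # IOS default for exec commands such as show and ping

# Constructed: the router config from the thread, condensed.
ROUTER_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local-case
aaa authentication enable default group tacacs+ enable
aaa accounting commands 15 default stop-only group tacacs+
privilege exec level 5 traceroute
privilege exec level 5 ping
privilege exec level 5 show ip route
privilege exec level 5 show ip
privilege exec level 5 show startup-config
privilege exec level 5 show running-config
privilege exec level 5 show
"""

# Constructed: the core switch config, where show and ping worked.
SWITCH_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local-case
aaa authentication enable default group tacacs+ enable
aaa accounting commands 15 default stop-only group tacacs+
"""

PRIV_RE = re.compile(r"^privilege exec level (\d+) (.+)$")
EXEC_AUTHZ_RE = re.compile(r"^aaa authorization exec \S+ .*\btacacs\+")


def exec_levels(config):
    """Return {keyword_path: required_level} from 'privilege exec level' lines.

    Mirrors the IOS rule that moving 'show ip route' to level N also moves
    'show ip' and 'show' to N unless those prefixes were set explicitly.
    """
    levels, explicit = {}, set()
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if not m:
            continue
        level, words = int(m.group(1)), tuple(m.group(2).split())
        levels[words] = level
        explicit.add(words)
        for i in range(1, len(words)):  # propagate to parent keywords
            prefix = words[:i]
            if prefix not in explicit:
                levels[prefix] = level
    return levels


def login_level(config, acs_level):
    """Privilege level a TACACS+ user lands in after login.

    Without 'aaa authorization exec ... tacacs+' the ACS-assigned level is
    never applied; the session starts at the line default (assumed 1).
    """
    if any(EXEC_AUTHZ_RE.match(line.strip()) for line in config.splitlines()):
        return acs_level
    return DEFAULT_LEVEL


def required_level(levels, command):
    """Highest level needed at any keyword along the command's path."""
    words = command.split()
    return max(levels.get(tuple(words[:i]), DEFAULT_LEVEL)
               for i in range(1, len(words) + 1))


def blocked_commands(config, commands, acs_level=5):
    """Commands the TACACS+ user cannot run (or see under '?') on this config."""
    levels = exec_levels(config)
    user = login_level(config, acs_level)
    return [c for c in commands if required_level(levels, c) > user]


if __name__ == "__main__":
    probe = ["show ip route", "show version", "ping 10.0.0.1", "traceroute 10.0.0.1"]
    print("router            :", blocked_commands(ROUTER_CONFIG, probe))
    print("core switch       :", blocked_commands(SWITCH_CONFIG, probe))
    fixed = ROUTER_CONFIG + "aaa authorization exec default group tacacs+ local\n"
    print("router + exec authz:", blocked_commands(fixed, probe))
```

Running it shows all four probe commands blocked on the router (even `show version`, because the `show` keyword itself was moved to 5), nothing blocked on the core switch, and nothing blocked once exec authorization is added and ACS returns level 5. Removing the `privilege exec level` lines, as Hassan did, gives the same result as the switch case; adding `aaa authorization exec` keeps the level-5 read-only split intact instead.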