09-03-2007 03:27 PM - edited 03-05-2019 06:15 PM
Hi,
we are using TACACS+ authentication with a Cisco ACS v3.3, and we are now trying to build some users with specific rights. For example
- Assign ports to VLAN
- Change the description of a port
How can I set it up? Do I need to define anything on the switch side, or is it all in Cisco ACS?
Jorge
Solved! Go to Solution.
09-04-2007 06:26 AM
Hi,
This is how you do it.
A. Employ Authentication, Authorization, and Command Authorization on an IOS or set based device:
IOS -
Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
Set Based -
Console> (enable) set tacacs server [IP] [primary]
set tacacs key [key]
set tacacs attempts [number] (optional)
set localuser user [user] password [password] privilege 15
set authentication login local enable
set authentication login tacacs enable [all | console | http | telnet] [primary]
set authorization exec enable tacacs+ [deny | none] [console | telnet | both]
set authorization commands enable [config | all] tacacs+ [deny | none] [console | telnet | both]
B. Bring users/groups in at level 15
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field
C. Define user/group level command authorization
**NOTE: The syntax of the commands specified MUST be exact and IS case sensitive. Also note that the router will complete commands like "config t" and send the completed command to ACS, so the complete command must be entered into the "Command:" field (i.e. configure) and the complete argument must be entered into the arguments field (i.e. terminal) in ACS.
1. Drop down to "Shell Command Authorization Set"
2. Place the radio button in "Per User/Group Command Authorization"
3. Choose Permit or Deny for "Unmatched Cisco IOS Commands" (This field determines whether any command NOT specified in the "Command" box below will be permitted or denied)
4. Place a check in the "Command:" box and specify the command to be permitted or denied.
5. If you wish to specify arguments for the command, enter the arguments to be permitted or denied line by line in the "Arguments:" field. The syntax for this is "permit/deny argument" (i.e. permit terminal)
6. Place the radio button for "Unlisted Arguments" in either permit or deny. (This works the same way as the "Unmatched Cisco IOS Commands" radio button above.) Note that if you have no arguments specified, choosing "Permit" will permit the command and choosing "Deny" will deny the command.
7. Click Submit (or Submit+Restart in group setup). At this time a new, blank command authorization set section will appear so you can repeat the process above with a new command if necessary.
Regards,
~JG
09-04-2007 07:56 AM
Jagdeep has given a wonderful explanation of the process.
You can also go through the attached doc, which gives you some examples as well.
HTH
Narayan
09-05-2007 04:35 AM
Jorge,
The concept remains the same for config t as well. I have attached the screenshot of the authorization set.
I have allowed access only to interface fastethernet 0/10, and in that interface the only allowed VLAN is 1. So no one can make that port a part of another VLAN or a trunk port, etc.
In this way you can set it up as per your need.
Please take care with the syntax: ACS does not understand the slash (/), so you need to use fastethernet 0 10 (without the slash).
All the best !
Regards,
~JG
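To make the matching rules from the solution post (exact command keyword, permit/deny argument lines, the "Unlisted Arguments" and "Unmatched Cisco IOS Commands" radio buttons) and JG's fastethernet 0/10 example concrete, here is an added, simplified model of an ACS 3.3 per-user/group Shell Command Authorization Set. It is example code, not ACS or Cisco code; the slash-to-space normalisation is an assumption that models JG's tip, and the `PORT_ADMIN` set and its rules are constructed for Jorge's scenario.

```python
# Simplified model of an ACS 3.3 Shell Command Authorization Set (added example,
# not ACS code). IOS sends the expanded command line; ACS matches the first word
# against the "Command:" entries and the rest against the permit/deny argument
# lines, then falls back to the "Unlisted"/"Unmatched" radio buttons.
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    command: str                        # exact, case-sensitive command keyword
    arguments: list = field(default_factory=list)  # ("permit"|"deny", argument)
    unlisted_arguments: str = "deny"    # "Unlisted Arguments" radio button


@dataclass
class CommandAuthSet:
    rules: list
    unmatched_commands: str = "deny"    # "Unmatched Cisco IOS Commands" radio

    def authorize(self, command_line: str) -> bool:
        """Return True if the fully expanded command line would be permitted."""
        # Assumption modelling JG's tip: ACS holds "fastethernet 0 10", so the
        # device-side "fastethernet 0/10" is compared with the slash replaced.
        words = command_line.replace("/", " ").split()
        if not words:
            return False
        cmd, args = words[0], " ".join(words[1:])
        rule = next((r for r in self.rules if r.command == cmd), None)
        if rule is None:
            return self.unmatched_commands == "permit"
        for action, argument in rule.arguments:
            if " ".join(argument.split()) == args:
                return action == "permit"
        # No argument line matched (or none configured): the radio decides.
        return rule.unlisted_arguments == "permit"


# Constructed least-privilege set for Jorge's case: only configure terminal,
# only interface fastethernet 0/10, only VLAN 1 on it, free-form descriptions,
# and every other command denied.
PORT_ADMIN = CommandAuthSet(
    rules=[
        CommandRule("configure", [("permit", "terminal")]),
        CommandRule("interface", [("permit", "fastethernet 0 10")]),
        CommandRule("switchport", [("permit", "access vlan 1"), ("deny", "mode trunk")]),
        CommandRule("description", [], unlisted_arguments="permit"),
    ],
    unmatched_commands="deny",
)
```

Running `PORT_ADMIN.authorize("switchport access vlan 2000")` returns False while `"switchport access vlan 1"` returns True, which is exactly the effect JG describes in the screenshot.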
09-03-2007 06:03 PM
At the ACS, you configure the user and associate that user with a specific privilege level (not 15).
Then at the switch, you add the commands that are allowed for that privilege level.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hsec_r/sec_p1h.htm#wp1140010
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part05/schathor.htm
09-03-2007 08:50 PM
Hi,
You can also use shell authorization command set to define the particular commands that a user/user group can execute for a particular Device/ Network Device Group (if defined).
You must have received the documentation CDs with the ACS package, which are sufficient to explain the configuration part.
HTH
rgds
09-05-2007 12:41 AM
This has been a great explanation!!! Thanks.
But what about if I want to allow only some configurations in Configure Terminal mode?
Like:
Configure Terminal
Interface fastethernet0/10
switchport access vlan 2000
Thanks
Jorge