AAA authentication and authorization question

Unanswered Question
Feb 5th, 2007

Hi Everyone,

I have a situation that is driving me crazy.

I am using Cisco Freeware TACACS running on RedHat Enterprise Linux 3. I've modified the source code so that I can assign each individual user his/her own enable password. So far so good.

I create two groups: group_A and group_S. group_A is for advanced users and group_S is for super users. Users that belong to group_A can have privilege level 15, but there are certain commands that they cannot perform, such as "write mem" or "reload". Users that belong to group_S can do EVERYTHING.

Here is my configuration in the TACACS configuration file:

user = xyz {
    member = admin
    name = "User X"
    login = des 6.z8oIm9UGHo
}

user = $xyz$ {
    member = admin
    name = "User X"
    login = des c2bUC43cmsac.
}

user = abc {
    member = advanced
    name = "User abc"
    login = cleartext "cisco123"
}

user = $abc$ {
    member = advanced
    name = "User abc"
    login = cleartext "cisco123"
}

group = advanced {
    default service = deny
    cmd = show { permit .* }
    cmd = copy { permit flash }
    cmd = copy { permit running }
    cmd = ping { permit .* }
    cmd = configure { permit .* }
    cmd = enable { permit .* }
    cmd = disable { permit .* }
    cmd = telnet { permit .* }
    cmd = disconnect { permit .* }
    cmd = where { permit .* }
    cmd = set { permit .* }
    cmd = clear { permit line }
    cmd = exit { permit .* }
}

group = admin {
    default service = permit
}

Configuration of the router:

aaa new-model
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication login web local enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec TAC start-stop group tacacs+
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 TAC start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 TAC start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 10 TAC start-stop group tacacs+
aaa accounting commands 15 TAC start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa session-id common
!
line vty 0 15
 exec-timeout 0 0
 authorization commands 0 VTY
 authorization commands 1 VTY
 authorization commands 15 VTY
 authorization exec VTY
 accounting commands 0 VTY
 accounting commands 1 VTY
 accounting commands 15 VTY
 accounting exec VTY
 login authentication VTY

However, what I would like to do is to give users in group_A the ability to go into "configuration t", but I do NOT want them to have the ability to perform "no tacacs-server host x.x.x.x key cisco". Furthermore, I would like to do everything via TACACS; I don't want to configure "privilege level" on the router itself.

Is that possible? Thanks.

David

Anonymous (not verified) Fri, 02/09/2007 - 10:09

Command Authorization Sets

Command authorization sets provide a centralized mechanism to manage TACACS+ administrative control. Driven by some of the largest enterprise and service provider networks that use Cisco Secure ACS, command authorization sets provide a method to group and name device command profiles that can be paired with users, groups of users, or network device groups. A key benefit of command authorization sets is the ability to remove any requirement of individual privilege level or command restrictions on each AAA client. This feature greatly enhances the scalability and manageability of setting device command authorization restrictions for network administrators.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_note09186a00800ada4c.html

daviddtran Fri, 02/09/2007 - 19:15

You sound like a sales guy. I am not interested in Cisco Secure ACS. I am using Freeware TACACS and I would like to know how I can do this with Freeware TACACS. Thanks.

David

Vivek Santuka Tue, 02/13/2007 - 07:39

Hi,

First you will need "aaa authorization config-commands" on the device.

Next you will have to set up group_a to permit everything except deny "write mem", "tacacs-server", etc.

HTH

Regards,

Vivek
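The approach Vivek describes, applied to David's group definitions, comes down to how the TACACS+ daemon walks the permit/deny lines of a "cmd = X { ... }" block. The Python below is an added illustration, not code from the thread or from the tac_plus project: it parses a small tac_plus-style group configuration (group blocks only; user blocks are not handled) and evaluates IOS command lines against it. The group definitions and the IOS command lines are constructed for the example, and the evaluation rules are a simplified model of tac_plus behaviour as assumed here: the first word of the command selects the cmd block, the remaining words are joined with spaces and tested against each permit/deny regex in file order with the pattern anchored at the start of the argument string, the first match wins, a cmd block that matches nothing denies, and a command with no cmd block falls through to "default service". A second, deliberately misordered group shows the caveat a practitioner wants to check: a catch-all "permit .*" listed before the deny lines makes those deny lines unreachable. Note that the device side still needs "aaa authorization config-commands" (as Vivek says) before configuration-mode commands are sent to the server at all; this example models only the server's decision.

```python
import re
from dataclasses import dataclass, field

# Constructed tac_plus-style group definitions (not the poster's file).
# Deny lines sit ABOVE the catch-all "permit .*" so they are reachable.
SAMPLE_CONFIG = """
group = advanced {
    default service = deny
    cmd = show { permit .* }
    cmd = configure { permit terminal }
    cmd = interface { permit .* }
    cmd = exit { permit .* }
    cmd = write {
        deny mem.*
        permit .*
    }
    cmd = no {
        deny tacacs-server.*
        deny aaa.*
        permit .*
    }
}
group = admin {
    default service = permit
}
"""

# Same intent, wrong order: the catch-all is tried first, so the deny never fires.
MISORDERED_CONFIG = """
group = advanced {
    default service = deny
    cmd = no {
        permit .*
        deny tacacs-server.*
    }
}
"""


@dataclass
class Group:
    name: str
    default_service: str = "deny"
    # command word -> list of (action, compiled regex), kept in file order
    cmds: dict = field(default_factory=dict)


def parse_groups(text):
    """Parse group blocks from a tac_plus-style config subset (assumed syntax).

    Braces inside regexes are not supported by this toy parser.
    """
    groups, group, rules = {}, None, None
    # Put every brace on its own line so one-line and multi-line blocks parse alike.
    text = text.replace("{", "\n{\n").replace("}", "\n}\n")
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "{":
            continue
        if line == "}":
            if rules is not None:
                rules = None          # close cmd block
            else:
                group = None          # close group block
            continue
        m = re.fullmatch(r"group\s*=\s*(\S+)", line)
        if m and group is None:
            group = Group(m.group(1))
            groups[group.name] = group
            continue
        m = re.fullmatch(r"default\s+service\s*=\s*(permit|deny)", line)
        if m and group is not None and rules is None:
            group.default_service = m.group(1)
            continue
        m = re.fullmatch(r"cmd\s*=\s*(\S+)", line)
        if m and group is not None and rules is None:
            # Repeated "cmd = X" blocks for the same word are merged in order.
            rules = group.cmds.setdefault(m.group(1), [])
            continue
        m = re.fullmatch(r"(permit|deny)\s+(.+)", line)
        if m and rules is not None:
            rules.append((m.group(1), re.compile(m.group(2))))
            continue
        raise ValueError(f"unrecognised line: {raw!r}")
    return groups


def authorize(group, command_line):
    """Return (decision, reason) for one IOS command line under the group's rules."""
    words = command_line.split()
    if not words:
        return "deny", "empty command"
    cmd, args = words[0], " ".join(words[1:])
    rules = group.cmds.get(cmd)
    if rules is None:
        return group.default_service, f"no cmd block for {cmd!r}; default service applies"
    for action, pattern in rules:              # first match wins
        if pattern.match(args):                # anchored at start of the argument string (assumption)
            return action, f"cmd = {cmd} {{ {action} {pattern.pattern} }}"
    return "deny", f"cmd block for {cmd!r} matched no pattern"


if __name__ == "__main__":
    adv = parse_groups(SAMPLE_CONFIG)["advanced"]
    for line in ("configure terminal", "no shutdown",
                 "no tacacs-server host 192.168.15.101 key cisco", "write memory", "reload"):
        print(f"{line!r:55} -> {authorize(adv, line)}")
```

Run it directly to see the decision and the matching rule for each constructed command line; the misordered group is the one to compare against, since it permits the very "no tacacs-server" line the thread is trying to block.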

daviddtran Wed, 02/14/2007 - 10:14

Hi Vivek,

What you provided worked wonderfully. It works very well with my Freeware TACACS+. Check this out:

CiscoIOS#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CisciIOS(config)#int lo0
Command authorization failed.
            ^
% Invalid input detected at '^' marker.

CiscoIOS(config)#no tacacs-server host 192.168.15.101 key cisco
Command authorization failed.
% Incomplete command.

CiscoIOS(config)#

Thanks again.

edi_nabil Tue, 04/03/2007 - 08:18

Hi David,

I have some questions about authorization command sets used in CS ACS.

I want to control many line commands in global configuration mode, such as aaa, username, crypto. ACS doesn't permit this with authorization command sets. Do you know how I can control these commands?

Thanks
