AAA command authorization

Feb 26th, 2007

Hi everyone,

Can someone tell me how I configure a router and ACS 4.1 to only permit some commands for some users? To be more specific, I want to know how I would configure it to let some users issue just the "shutdown" and "no shutdown" commands on interfaces.

I already configured the ACS and the router not to allow some users to issue the "configure" command and it works, but this "shut, no shut" thing is more tricky...

thanks in advance

daviddtran Mon, 02/26/2007 - 08:41

I am not an expert with Cisco ACS 4.1 (even though I have one running in the production environment). I have a love-hate relationship with Windows, so I am afraid to use it for my production environment. I am much more familiar with Cisco Freeware TACACS+.

This is what I have in my TACACS+ config:

group = advanced {
    default service = deny
    cmd = show { permit .* }
    cmd = copy { permit flash }
    cmd = copy { permit running }
    cmd = ping { permit .* }
    cmd = configure { permit .* }
    cmd = enable { permit .* }
    cmd = disable { permit .* }
    cmd = telnet { permit .* }
    cmd = disconnect { permit .* }
    cmd = where { permit .* }
    cmd = set { permit .* }
    cmd = clear { permit line }
    cmd = exit { permit .* }
    cmd = interface { permit .* }
}

user = adv {
    member = advanced
    name = "Advanced User"
    login = cleartext "adv123"
    # login = des DJVS9kfrcLbus
}

user = $adv$ {
    member = advanced
    name = "Advanced User"
    login = cleartext "adv1234"
    # login = des W/3UA7J1cz3sQ
}

Check this out when I log into the router:

Juniper>en
Password:
Juniper#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Juniper(config)#int lo0
Juniper(config-if)#shut
Command authorization failed.
% Incomplete command.
Juniper(config-if)#no shut
Command authorization failed.
% Incomplete command.
Juniper(config-if)#exit
Juniper(config)#exit
Juniper#

David
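To show the mechanics behind David's cmd = ... { permit ... } blocks, here is an added Python model (not code from the thread or from the tac_plus daemon) of how a TACACS+ server evaluates command authorization: the first word of the command selects the cmd block, the remaining words are matched against that block's permit/deny regexes, and default service = deny rejects anything else. It runs David's advanced group alongside a hypothetical shutonly group, constructed here, that grants only what the original question asks for; the one-line cmd form and fully spelled-out command words are assumptions of the model.

```python
import re

# Constructed sample: a subset of David's `advanced` group, in tac_plus syntax.
ADVANCED = """
group = advanced {
    default service = deny
    cmd = show { permit .* }
    cmd = copy { permit flash }
    cmd = copy { permit running }
    cmd = configure { permit .* }
    cmd = interface { permit .* }
}
"""

# Hypothetical group (not from the thread): inside config mode only
# `interface`, `shutdown` and `no shutdown` are allowed. Anchoring the regex
# keeps `cmd = no` from matching `no ip address` or `no shutdown-foo`.
SHUT_ONLY = """
group = shutonly {
    default service = deny
    cmd = configure { permit terminal }
    cmd = interface { permit .* }
    cmd = shutdown { permit .* }
    cmd = no { permit ^shutdown$ }
    cmd = exit { permit .* }
}
"""

CMD_RE = re.compile(r"cmd\s*=\s*(\S+)\s*\{\s*(permit|deny)\s+(.+?)\s*\}")

def parse_group(text):
    """Parse one-line `cmd = <word> { permit|deny <regex> }` blocks.
    Returns (default_permit, {word: [(action, regex), ...]}) in file order."""
    cmds, default_permit = {}, True
    for line in text.splitlines():
        if re.search(r"default\s+service\s*=\s*deny", line):
            default_permit = False
        m = CMD_RE.search(line)
        if m:
            word, action, pattern = m.groups()
            cmds.setdefault(word, []).append((action, pattern))
    return default_permit, cmds

def authorize(group, command):
    """First word selects the cmd block; the rest of the line is matched against
    its regexes in order (unanchored search, first match wins). No block means
    `default service` decides; a block with no matching regex denies."""
    default_permit, cmds = group
    word, _, args = command.strip().partition(" ")
    if word not in cmds:
        return default_permit
    for action, pattern in cmds[word]:
        if re.search(pattern, args):
            return action == "permit"
    return False
```

With David's group, "interface lo0" is permitted but "shutdown" and "no shutdown" have no cmd block and fall through to default service = deny, which is exactly the "Command authorization failed." seen in his session.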

costin.vilcu Mon, 02/26/2007 - 09:05

Thank you David,

it works indeed, but it doesn't solve my issue;

you didn't tell me either how to do the aaa authorization on routers for this case or how to configure the ACS, and I don't know how to match the Freeware TACACS+ commands in ACS.

But thank you again

daviddtran Mon, 02/26/2007 - 10:15

hi,

On the Cisco router, the configuration is quite simple. I will look into ACS and find out how to do this. I guess I have to learn how to use ACS eventually.

Below is the configuration on the router:

aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+
tacacs-server host 192.168.15.10 key 7 1446405858517C
tacacs-server directed-request
line con 0
 exec-timeout 0 0
 authorization exec notac
 accounting commands 0 VTY
 accounting commands 1 VTY
 accounting commands 15 VTY
 accounting exec VTY
 logging synchronous
 login authentication notac
line vty 0 15
 exec-timeout 0 0
 authorization commands 0 VTY
 authorization commands 1 VTY
 authorization commands 15 VTY
 authorization exec VTY
 accounting commands 0 VTY
 accounting commands 1 VTY
 accounting commands 15 VTY
 accounting exec VTY
 login authentication VTY

costin.vilcu Mon, 02/26/2007 - 13:37

Thank you, David. So that is the router part. I did it almost like you, but I didn't know that I should put all the level 0, 1 and 15 authorization commands; I only put "aaa authorization commands 15 default group tacacs+ if-authenticated none".

And another question if you don't mind, what is the use of the "aaa authorization config-commands" command?

thanks

daviddtran Mon, 02/26/2007 - 14:14

aaa authorization config-commands

This command allows you to give users commands inside config mode while not allowing them to do specific things such as "int lo0, no shut".

David
