
Authorization

rich.polyak
Level 1

Good afternoon, I have a strange issue. I'm configuring a Read-Only shell script to restrict showing of the configs. This seems to work fine on 35xx series switches but not on RTRs or IOS-based 65xx switches. The AAA settings are exactly the same with either device.

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default enable none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
tacacs-server host x.x.x.x
tacacs-server key xxxxxx
tacacs-server directed-request

The same shell script is working fine on restricting config commands; I'm just having an issue in preventing show running-config or show startup-config.

My shell script is set up as follows.

Unmatched Commands = deny
show (Permit Unmatched Args "checked")
  deny running-config
  deny startup-config

Or even if I went so far as to reverse it, where I define all the commands allowed, the same problem persists.

Any assistance would be helpful.

Thx

-Rich

1 Reply

lmackie98
Level 1

Here is how I am denying commands on my ACS Server for Senior Admins:

Unmatched Commands: Permit
Unmatched Args "checked"
enable
  deny password
  deny secret
username
  deny password
write
  deny erase
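To make the two command sets in this thread (Rich's read-only set in the question and lmackie98's senior-admin set in the reply) easy to reason about, here is an added Python model of ACS-style shell command authorization; it is not ACS code or anything from either post. It assumes a command is matched on its first word, argument patterns are tried in order as regular expressions, and the per-command "Unmatched Args" and set-wide "Unmatched Commands" settings supply the defaults.

```python
import re

# Assumed model (not ACS internals): a command set is a dict with the set-wide
# "Unmatched Commands" default plus one rule per command; a rule holds the
# "Unmatched Args" default and an ordered list of (action, regex) pairs.

def rule(unmatched_args, *arg_rules):
    """Build one command rule: default for unlisted args plus (action, regex) pairs."""
    return {"unmatched_args": unmatched_args, "args": list(arg_rules)}

def authorize(command_set, cmd_line):
    """Return ('permit' | 'deny', reason) for one command line under a command set."""
    words = cmd_line.split()
    if not words:
        return ("deny", "empty command")
    cmd, args = words[0], " ".join(words[1:])
    cmd_rule = command_set["commands"].get(cmd)
    if cmd_rule is None:
        # No rule for this command: the set-wide Unmatched Commands setting decides.
        return (command_set["unmatched_commands"], f"no rule for '{cmd}'")
    for action, pattern in cmd_rule["args"]:
        if re.search(pattern, args):
            return (action, f"'{cmd}' args matched /{pattern}/")
    # No argument pattern hit: the command's Unmatched Args setting decides.
    return (cmd_rule["unmatched_args"], f"'{cmd}' args unmatched")

# Rich's read-only set from the question (constructed from the post).
READ_ONLY = {
    "unmatched_commands": "deny",
    "commands": {
        "show": rule("permit", ("deny", r"running-config"), ("deny", r"startup-config")),
    },
}

# lmackie98's senior-admin set from the reply (constructed from the post).
SENIOR_ADMIN = {
    "unmatched_commands": "permit",
    "commands": {
        "enable": rule("permit", ("deny", r"password"), ("deny", r"secret")),
        "username": rule("permit", ("deny", r"password")),
        "write": rule("permit", ("deny", r"erase")),
    },
}

if __name__ == "__main__":
    for line in ["show version", "show running-config", "configure terminal"]:
        print(f"{line:22} -> {authorize(READ_ONLY, line)}")
    for line in ["enable secret foo", "write memory", "write erase"]:
        print(f"{line:22} -> {authorize(SENIOR_ADMIN, line)}")
```

Running it shows the intended outcome of each set on a sample command line; it does not model how a given IOS platform formats the cmd and cmd-arg attributes it sends to the TACACS+ server, which is where a device-specific difference like the one described would have to be traced.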