Read-only aaa statements

Unanswered Question
Mar 1st, 2007

I've set up the TACACS server with two groups:

- FULL admin rights
- READ only rights

Two users have been created:

- admin_test
- read_test

The admin_test config works fine on AAA but I keep getting stuck with read_test configs. I can never get to enable mode even though I've defined it on the group policy. Is there something wrong with my aaa statements below?

aaa authentication login default group tacacs+ line enable
aaa authentication enable default group tacacs+ enable line
aaa authorization exec default if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

daviddtran Fri, 03/02/2007 - 04:45

Privilege is not scalable in a big environment. What you need is authorization on the ACS server. In Cisco Freeware TACACS+ I defined the following groups: readonly, advanced and admin:

group = readonly {
    default service = deny
    # a 'deny .*' entry listed before 'permit .*' would block every show command,
    # since tac_plus stops at the first pattern that matches
    cmd = show { permit .* }
    cmd = copy { permit .* }
    cmd = ping { permit .* }
    cmd = enable { permit .* }
    cmd = configure { deny .* }
    cmd = disable { permit .* }
    cmd = telnet { permit .* }
    cmd = disconnect { permit .* }
    cmd = where { permit .* }
    cmd = set { permit .* }
    cmd = clear { permit line }
    cmd = exit { permit .* }
    cmd = debug { permit .* }
}

group = advanced {
    default service = deny
    cmd = show { permit .* }
    cmd = copy { permit flash }
    cmd = copy { permit running }
    cmd = ping { permit .* }
    cmd = configure { permit .* }
    cmd = enable { permit .* }
    cmd = disable { permit .* }
    cmd = telnet { permit .* }
    cmd = disconnect { permit .* }
    cmd = where { permit .* }
    cmd = set { permit .* }
    cmd = clear { permit line }
    cmd = exit { permit .* }
    cmd = interface { permit .* }
}

group = admin {
    default service = permit
}

As you can see, admin can access everything, readonly can only read. Advanced can make limited changes and admin can do everything. On the Cisco router, I have the following configuration:

aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+

I find that by doing it this way, it is much more scalable than using privilege commands on the router itself.

David
CCIE Security
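To make the first-match semantics behind those tac_plus groups concrete, here is an added Python model (my own code, not tac_plus and not David's config) of how a group's default service and its ordered cmd patterns decide a command. It assumes the documented tac_plus behaviour: patterns are regexes searched against the command's arguments, the first match in a cmd block wins, a cmd block with no match denies, and a command with no cmd block falls to the default service.

```python
import re

# Constructed subset of the readonly/advanced/admin groups from the post above,
# written as Python data: {group: (default service, {cmd: [(action, regex), ...]})}.
GROUPS = {
    "readonly": ("deny", {
        "show":      [("permit", r".*")],
        "copy":      [("permit", r".*")],
        "enable":    [("permit", r".*")],
        "configure": [("deny", r".*")],
        "clear":     [("permit", r"line")],
    }),
    "advanced": ("deny", {
        "show":      [("permit", r".*")],
        "copy":      [("permit", r"flash"), ("permit", r"running")],
        "configure": [("permit", r".*")],
        "clear":     [("permit", r"line")],
        "interface": [("permit", r".*")],
    }),
    "admin": ("permit", {}),
}


def first_match(block, args):
    """Evaluate one cmd block: the first regex that matches the arguments decides.
    A block that matches nothing denies (assumed tac_plus behaviour)."""
    for action, pattern in block:
        if re.search(pattern, args):   # unanchored search, like tac_plus
            return action
    return "deny"


def authorize(group, command):
    """Return True if the full CLI line `command` is permitted for `group`."""
    default, cmds = GROUPS[group]
    words = command.split()
    if not words:
        return False
    name, args = words[0], " ".join(words[1:])
    block = cmds.get(name)
    if block is None:                  # no cmd block: default service applies
        return default == "permit"
    return first_match(block, args) == "permit"


# The ordering mistake to watch for: 'deny .*' ahead of 'permit .*' denies every
# show command, because evaluation stops at the first matching pattern.
MISORDERED_SHOW = [("deny", r".*"), ("permit", r".*")]
```

Note that `permit running` is an unanchored regex, so it permits any copy whose arguments contain "running" anywhere, not only `copy running-config ...`.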

Vivek Santuka Sat, 03/03/2007 - 07:23

Hi Echelo360,

The aaa config that you pasted does not have command authorization. You need the 3 authorization commands from David's post.

Regards,
Vivek
