03-16-2007 08:48 AM - edited 03-10-2019 03:02 PM
Hi,
I am trying to set up aaa on a switch with CSACS (version 4).
Authentication/Authorization works just fine, but I want to give users who are, for example, assigned a privilege level of 5 the ability to access the 'configure terminal' mode. However, I am unable to make it work.
After I log in as a user who has a privilege level of 5, the following things don't seem to work:
1) I cannot allow the 'show run' command even though I have 'show permit running-config' defined on the CSACS.
2) I cannot give access to the configure terminal mode even if I allow the configure permit terminal command under GROUP --> shell command authorization.
The rest of the command authorization works as expected. All the other commands defined under the shell authorization section work as normal.
Any input on this will be much appreciated.
Thanks,
Syed
This is my aaa config:
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login noacs none
aaa authorization config-commands
aaa authorization exec default group tacacs+
aaa authorization exec noacs none
aaa authorization commands 0 default group tacacs+
aaa authorization commands 0 noacs none
aaa authorization commands 1 default group tacacs+
aaa authorization commands 1 noacs none
aaa authorization commands 5 default group tacacs+
aaa authorization commands 5 noacs none
aaa authorization commands 15 default group tacacs+
aaa authorization commands 15 noacs none
aaa authorization auth-proxy default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa session-id common
no cns aaa enable
03-17-2007 07:41 AM
Hi Syed,
"Show run" and "conf t" are level 15 commands which a level 5 user cannot access. There are two things you can do:
1. Reduce the privilege of these commands to 5 using:
privilege exec level 5 configure terminal
privilege exec level 5 show running-configuration
OR
2. Give the user privilege level 15, and since there is a shell command authorization set on ACS, he will only be able to use the commands listed in the set.
Regards,
Vivek
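A constructed model of the two checks described in the reply above (the IOS privilege level of the command, then the ACS shell command authorization set), added here as an example; it is not code from this thread or from Cisco. The Device and CommandSet classes, the authorize function and the small table of default command levels are assumptions made for the illustration.

```python
"""Constructed model of how an IOS switch with TACACS+ command authorization decides
whether an EXEC command runs. Not Cisco code; DEFAULT_LEVELS is a constructed subset."""
from dataclasses import dataclass, field

# Default privilege level of a few EXEC commands (constructed subset of IOS defaults).
DEFAULT_LEVELS = {
    "configure terminal": 15,
    "show running-config": 15,
    "show startup-config": 15,
    "show version": 1,
}


@dataclass
class Device:
    """The parts of the switch config that matter for command authorization."""
    # levels for which 'aaa authorization commands <level> ... group tacacs+' exists
    authorized_levels: set = field(default_factory=lambda: {0, 1, 5, 15})
    # static 'privilege exec level <n> <command>' mappings (option 1 in the reply)
    overrides: dict = field(default_factory=dict)

    def command_level(self, cmd: str) -> int:
        return self.overrides.get(cmd, DEFAULT_LEVELS[cmd])


@dataclass
class CommandSet:
    """ACS shell command authorization set: ordered (action, command) lines plus
    the policy for commands that match no line."""
    lines: list
    unmatched: str = "deny"

    def permits(self, cmd: str) -> bool:
        for action, prefix in self.lines:
            if cmd == prefix or cmd.startswith(prefix + " "):
                return action == "permit"
        return self.unmatched == "permit"


def authorize(dev: Device, user_level: int, cmds: CommandSet, cmd: str) -> tuple:
    """Return (allowed, reason) for one command typed by a user at user_level."""
    level = dev.command_level(cmd)
    # 1. The IOS parser only accepts commands at or below the user's level, so ACS is
    #    never asked about the rest; a permit line on ACS alone changes nothing.
    if user_level < level:
        return False, f"'{cmd}' is level {level}, user is level {user_level}"
    # 2. Only levels with an 'aaa authorization commands' list are sent to TACACS+.
    if level not in dev.authorized_levels:
        return True, f"no command authorization configured for level {level}"
    # 3. ACS evaluates the group's shell command authorization set (option 2).
    if cmds.permits(cmd):
        return True, "permitted by ACS command set"
    return False, f"ACS command set rejects '{cmd}'"
```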
03-17-2007 11:59 AM
I thought we couldn't do
privilege exec level 5 show running-configuration
we have to do
privilege exec level 5 show startup-configuration
-Hoogen
03-17-2007 09:57 PM
Hi Vivek,
That fixed my issue!
I defined static mappings on the switch for privilege level 5 and it works now.
However, I have one more question:
Is there any way we can define these mappings on the ACS?
Thanks,
Syed
03-19-2007 04:17 AM
Syed,
We cannot reduce privilege of commands using ACS. What we can do instead is let the user have level 15 access and using shell command authorization sets, control what he/she can do.
Regards,
Vivek
03-20-2007 02:03 PM
Hello there,
I have a problem that looks like this. I'm trying to configure ACS 4.0 shell command authorization sets to limit the commands that a certain user can execute on routers. I already created the command set to permit shut, no shut, configure and interface, and this command set has been assigned to the group; level 15 is already assigned to this group as well. The AAA CLI below is configured on the routers, but I cannot get the results that I expect, I mean to limit the commands for this group; actually I can do everything.
aaa new-model
aaa authentication login acsmpls group tacacs+ local enable
aaa authentication login consola local enable
aaa authorization config-commands
aaa authorization exec acsmpls group tacacs+ local
aaa authorization exec consola local
aaa authorization commands 15 acsmpls group tacacs+ local
aaa authorization network acsmpls group tacacs+ local
aaa accounting exec acsmpls start-stop group tacacs+
aaa accounting commands 15 acsmpls stop-only group tacacs+
aaa accounting network acsmpls start-stop group tacacs+
I already checked the ACS 4.0 user guide and followed every step to perform the Authorization Command Sets, but it is still not working. I'll appreciate your help.
Regards
Emilio
Please answer to the following e-mail: palma@desca.com