aaa authorization problem

smhussain
Level 1

Hi,

I am trying to set up aaa on a switch with CSACS (version 4).

Authentication/Authorization works just fine, but I want to give users who are, for example, assigned a privilege level of 5 the ability to access the 'configure terminal' mode. However, I am unable to make it work.

After I log in as a user who has a privilege level of 5, the following things don't seem to work:

1) I cannot allow the 'show run' command even though I have 'show permit running-config' defined on the CSACS.

2) I cannot give access to the configure terminal mode even if I allow the configure permit terminal command under the GROUP--> shell command authorization.

The rest of the command authorization works as expected. All the other commands defined under the shell authorization section work as normal.

Any input on this will be much appreciated.

Thanks,

Syed

This is my aaa config:

aaa new-model
aaa authentication login default group tacacs+
aaa authentication login noacs none
aaa authorization config-commands
aaa authorization exec default group tacacs+
aaa authorization exec noacs none
aaa authorization commands 0 default group tacacs+
aaa authorization commands 0 noacs none
aaa authorization commands 1 default group tacacs+
aaa authorization commands 1 noacs none
aaa authorization commands 5 default group tacacs+
aaa authorization commands 5 noacs none
aaa authorization commands 15 default group tacacs+
aaa authorization commands 15 noacs none
aaa authorization auth-proxy default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa session-id common
no cns aaa enable

5 Replies

Vivek Santuka
Cisco Employee

Hi Syed,

"Show run" and "conf t" are level 15 commands which a level 5 user cannot access. There are two things you can do :-

1. Reduce the privilege of these commands to 5 using :-

privilege exec level 5 configure terminal
privilege exec level 5 show running-configuration

OR

2. Give the user privilege level 15, and since there is a shell command authorization set on ACS, he will only be able to use commands listed in the set.

Regards,

Vivek
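The reply above describes two checks that both have to pass before a command runs: the IOS parser only exposes a command at or below the user's privilege level ('configure terminal' and 'show running-config' default to level 15, and 'privilege exec level 5 ...' lowers that), and only then is the command sent to TACACS+ for the shell command authorization set to permit or deny. The following is an added example, not code from the thread or from Cisco; it models those two checks in Python. The default privilege table, the command set, and the assumption that ACS argument entries behave like regular expressions matched against the whole argument string are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed default privilege table: the commands the thread discusses are
# level 15 on IOS by default; two level-1 show commands are included for contrast.
DEFAULT_PRIV = {
    "configure terminal": 15,
    "show running-config": 15,
    "show startup-config": 15,
    "show version": 1,
    "show ip interface brief": 1,
}


@dataclass
class Device:
    """Local parser view: the privilege level each command needs."""
    priv: dict = field(default_factory=lambda: dict(DEFAULT_PRIV))

    def privilege_exec_level(self, level, command):
        """Model of 'privilege exec level <level> <command>' from the reply."""
        self.priv[command] = level

    def required_level(self, command):
        """Longest-prefix lookup so 'show running-config' plus any arguments
        resolves to the same entry; unknown commands default to level 1."""
        words = command.split()
        for n in range(len(words), 0, -1):
            key = " ".join(words[:n])
            if key in self.priv:
                return self.priv[key]
        return 1


@dataclass
class CommandSet:
    """Simplified ACS shell command authorization set (assumption: argument
    patterns are regexes matched against the whole argument string)."""
    rules: dict                          # command -> [(action, arg_regex), ...]
    permit_unmatched_commands: bool = False
    permit_unmatched_args: bool = False

    def authorize(self, command):
        words = command.split()
        cmd, args = words[0], " ".join(words[1:])
        if cmd not in self.rules:
            return self.permit_unmatched_commands
        for action, pattern in self.rules[cmd]:
            if re.fullmatch(pattern, args):
                return action == "permit"
        return self.permit_unmatched_args


def can_run(device, cmdset, user_level, command):
    """Apply both checks in IOS order and report which one stopped the command."""
    needed = device.required_level(command)
    if user_level < needed:
        return False, f"parser: '{command}' needs level {needed}, user has {user_level}"
    if not cmdset.authorize(command):
        return False, f"tacacs+: command set denies '{command}'"
    return True, "permitted"


# Constructed command set mirroring the question: permit 'show running-config'
# and 'configure terminal', deny everything else.
ACS_SET = CommandSet(rules={
    "show": [("permit", "running-config")],
    "configure": [("permit", "terminal")],
})


def walkthrough():
    """Reproduce the symptom, then each of the two fixes in the reply."""
    results = {}
    sw = Device()
    # Symptom: level-5 user, ACS permits the command, the parser still hides it.
    results["level5_before"] = can_run(sw, ACS_SET, 5, "show running-config")
    # Fix 1: lower the two commands to level 5 on the switch itself.
    sw.privilege_exec_level(5, "configure terminal")
    sw.privilege_exec_level(5, "show running-config")
    results["level5_after"] = can_run(sw, ACS_SET, 5, "show running-config")
    results["level5_conf_t"] = can_run(sw, ACS_SET, 5, "configure terminal")
    # Fix 2: give level 15 and let the command set restrict what is usable.
    fresh = Device()
    results["level15_permitted"] = can_run(fresh, ACS_SET, 15, "configure terminal")
    results["level15_denied"] = can_run(fresh, ACS_SET, 15, "show version")
    return results


if __name__ == "__main__":
    for name, (ok, why) in walkthrough().items():
        print(f"{name:18} {'ALLOW' if ok else 'DENY':5} {why}")
```

The ordering is the point: an ACS permit entry never makes a level-15 command visible to a level-5 user, because the parser check fails before TACACS+ is consulted, while a level-15 user under a restrictive command set is still confined to the permitted commands.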

I thought we couldn't do

privilege exec level 5 show running-configuration

we have to do

privilege exec level 5 show startup-configuration

-Hoogen

Hi Vivek,

That fixed my issue!

I defined static mappings on the switch for privilege level 5 and it works now.

However, I have one more question:

Is there any way we can define these mappings on the ACS?

Thanks,

Syed

Syed,

We cannot reduce privilege of commands using ACS. What we can do instead is let the user have level 15 access and using shell command authorization sets, control what he/she can do.

Regards,

Vivek

Hello there,

I have a problem that looks like this: I'm trying to configure ACS 4.0 shell command authorization sets to limit the commands a certain user can exec on routers. I already did the command set to permit shut, no shut, configure, interface, and this command set has been assigned to the group, and level 15 is already assigned to this group as well. The AAA CLI below is configured on the routers, but I cannot get the results that I expect, I mean to limit the commands for this group; actually I can do everything.

aaa new-model
aaa authentication login acsmpls group tacacs+ local enable
aaa authentication login consola local enable
aaa authorization config-commands
aaa authorization exec acsmpls group tacacs+ local
aaa authorization exec consola local
aaa authorization commands 15 acsmpls group tacacs+ local
aaa authorization network acsmpls group tacacs+ local
aaa accounting exec acsmpls start-stop group tacacs+
aaa accounting commands 15 acsmpls stop-only group tacacs+
aaa accounting network acsmpls start-stop group tacacs+

I already checked the ACS 4.0 user guide and followed every step to perform the Authorization Command Sets, but it is still not working. I'll appreciate your help.

Regards

Emilio

Please answer to the following e-mail: palma@desca.com
