PRIVILEGE LEVELS FOR ACS WITH AD DATABASE

Unanswered Question
Jun 8th, 2007

How do I configure two separate privilege levels for two groups? These groups exist in the AD database, i.e. my ACS servers (Pri & Backup) are looking in AD for authentication.

Jagdeep Gambhir Fri, 06/08/2007 - 11:26

Hi ,

If you are using TACACS+:

Bring users/groups in at the level needed.

1. Go to User or Group Setup in ACS.

2. Scroll down to "TACACS+ Settings".

3. Place a check in "Shell (Exec)".

4. Place a check in "Privilege level" and enter the privilege level (1 to 15) in the adjacent field.



If you are using RADIUS:

aaa new-model

aaa authentication login default group radius local

aaa authorization exec default group radius local

radius-server host X.X.X.X key XXXX

Following is the configuration required on the RADIUS server.

The AV pair in ACS --> Group Setup --> IETF RADIUS Attributes:

[006] Service-Type = Login

Following is for getting the user straight into privileged mode (to set priv 15).

The AV pair in Cisco IOS/PIX RADIUS Attributes:

[009\001] cisco-av-pair = shell:priv-lvl=15


For more information on the above commands, please refer to the following link:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/index.htm



Please try the above and let me know if this helps.


Thanks
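The ACS-side settings from the reply above, put together with the IOS side as one end-to-end configuration. This is an editor-added example, not configuration from the original thread or from Cisco documentation. It assumes ACS 4.x with the two AD groups already mapped to two ACS groups (External User Databases > Database Group Mappings); the server addresses 10.0.0.1 / 10.0.0.2, the shared secret, the group names and the break-glass username are placeholders.

```ios
! Editor-added example, not from the original thread.
! Placeholders: 10.0.0.1 = primary ACS, 10.0.0.2 = backup ACS,
! ACS-SHARED-SECRET = shared key.
!
! --- ACS side, per group (Group Setup), shown here as comments ---
! AD group Net-Admins -> ACS group NetAdmins:
!   TACACS+ Settings: Shell (Exec) checked, Privilege level = 15
!   RADIUS: [006] Service-Type = Login, [009\001] cisco-av-pair = shell:priv-lvl=15
! AD group Net-Ops -> ACS group NetOps:
!   TACACS+ Settings: Shell (Exec) checked, Privilege level = 5
!   RADIUS: [006] Service-Type = Login, [009\001] cisco-av-pair = shell:priv-lvl=5
!
! --- IOS side, TACACS+ variant ---
aaa new-model
tacacs-server host 10.0.0.1 key ACS-SHARED-SECRET
tacacs-server host 10.0.0.2 key ACS-SHARED-SECRET
!
! "local" is only consulted when no ACS server answers, never on an ACS reject
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Local break-glass account used by the fallback method above
username break-glass privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
! Levels 2-14 grant nothing beyond level 1 until commands are moved to them;
! give the level-5 group one example command so the second level is usable
privilege exec level 5 show running-config
!
! --- IOS side, RADIUS variant (use instead of the tacacs lines above) ---
! radius-server host 10.0.0.1 key ACS-SHARED-SECRET
! radius-server host 10.0.0.2 key ACS-SHARED-SECRET
! aaa authentication login default group radius local
! aaa authorization exec default group radius local
!
! --- Verification from the switch ---
! test aaa group tacacs+ jdoe Passw0rd legacy   (checks reachability and credentials)
! show privilege                                 (after logging in as a member of each group)
! debug aaa authorization                        (shows the priv-lvl attribute ACS returns)
```

Because the fallback methods are only tried when every ACS server is unreachable, an AD user that ACS rejects is rejected outright; the local account does not become a second password for everyone.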

Premdeep Banga Fri, 06/08/2007 - 14:42

Hi,


Make sure that you have,


aaa authorization exec default group radius....

or

aaa authorization exec default group tacacs....


or a similar EXEC authorization command in your configuration along with authentication.


Regards,

Prem

htaluja_2 Tue, 06/12/2007 - 09:17

I did and it works. I just get the following message though:

AAA/Author: config command authorization not enabled


as soon as I enter it. Following is the list of commands I have on the Switch. This is a test switch for ACS. Let me know if anything is amiss.

____________________________________

aaa new-model

aaa authentication login NO_AUTH none

aaa authentication login RADIUS line

aaa authentication login LOC_AUTH group radius line

aaa authentication enable default enable

aaa authorization exec default group tacacs+

aaa accounting send stop-record authentication failure

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

_________________________

Jagdeep Gambhir Tue, 06/12/2007 - 09:28

Nice to know that.


Please add one more command


aaa authorization config-commands


It should fix it.


Regards,

Jagdeep


Note: If that answers your question, then please mark this thread as resolved, so that others can benefit from it.





htaluja_2 Tue, 06/12/2007 - 09:30

I shall, just as soon as I find out what the command does. Please let me know.



htaluja_2 Tue, 06/12/2007 - 10:18

A MAJOR problem. Upon executing the two commands:

aaa author exec def group tacacs+ none

I can no longer go to priv mode from my console connection. The workaround that I have created is two sets of authorization exec lists:

aaa authorization exec NO_AUTH none

aaa authorization exec TAC_AUTH group tacacs+ none

Applied NO_AUTH to console

Applied LOC_AUTH to vty.

Obviously, when you proposed the use of aaa authorization exec def group tacacs+, you did not intend the user to be unable to log in to the console port. So what would be the course in that case? In addition, is my solution 'best practice' or not?

Premdeep Banga Tue, 06/12/2007 - 15:31

Hi,


Authorization is not enabled on the console by default, and no matter which authorization method list you apply on the console, it won't take effect.

Until you specify the "aaa authorization console" command; it's a hidden command.

Don't do it, as it will enable command authorization to be applied on the console as well. If you want to keep the console apart from command authorization, then don't specify the command. If you want the console to work the way telnet/ssh does, then yes, go for it.


As far as your issue goes,


you have "aaa authentication enable default enable"


Then you must be landing at

Switch>


Make sure that you have enable password configured on switch, and you are using the same enable password.


Regards,

Prem
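The two problems raised in this thread, the console lockout and the "config command authorization not enabled" message, handled in one configuration. This is an editor-added example, not configuration posted by anyone in the thread. It uses named method lists so the console stays on local authentication and is never at the mercy of ACS, while vty sessions get EXEC and per-command authorization from ACS over TACACS+ (IOS does not do per-command authorization over RADIUS). The poster's configuration has no "aaa authorization commands" line at all, so configuration-mode commands were never authorized; "aaa authorization config-commands" is the default state that applies once command authorization exists, and its "no" form exempts configuration-mode commands from that check. Addresses, secrets, list names and the break-glass username are placeholders; SSH is assumed to be set up already.

```ios
! Editor-added example, not from the original thread.
! Placeholders: 10.0.0.1 / 10.0.0.2 = ACS servers, ACS-SHARED-SECRET = key,
! CON_* and VTY_* = method list names.
aaa new-model
tacacs-server host 10.0.0.1 key ACS-SHARED-SECRET
tacacs-server host 10.0.0.2 key ACS-SHARED-SECRET
!
! Local credentials: the only ones the console ever depends on
username break-glass privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
enable secret REPLACE-WITH-STRONG-ENABLE-SECRET
!
! Console: local login, then "enable" against the local enable secret.
! Authorization lists applied to line con 0 are ignored unless
! "aaa authorization console" is configured, which is deliberately NOT done here,
! so a console user lands at Switch> and types enable.
aaa authentication login CON_AUTH local
aaa authorization exec CON_AUTHOR local
aaa authentication enable default enable
!
! VTY: ACS first; the second method is only tried when no ACS server answers
aaa authentication login VTY_AUTH group tacacs+ local
aaa authorization exec VTY_AUTHOR group tacacs+ local
aaa authorization commands 1 VTY_AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 VTY_AUTHOR group tacacs+ if-authenticated
!
! Default once "commands" authorization exists; the "no" form would exempt
! configuration-mode commands from the per-command check above
aaa authorization config-commands
!
! Accounting kept on the default list, as in the poster's configuration
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line con 0
 login authentication CON_AUTH
 authorization exec CON_AUTHOR
line vty 0 4
 login authentication VTY_AUTH
 authorization exec VTY_AUTHOR
 authorization commands 1 VTY_AUTHOR
 authorization commands 15 VTY_AUTHOR
 transport input ssh
```

With this layout an ACS user whose group carries shell:priv-lvl=15 lands directly in privileged mode on a vty and every command is checked against ACS, while "if-authenticated" only comes into play during a full ACS outage, when it lets an already-authenticated local user run commands; if that is too permissive for your environment, replace it with "none" on a list applied to no line, or accept the lockout and use the console instead.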
