PRIVILEGE LEVELS FOR ACS WITH AD DATABASE

htaluja_2
Level 1

How do I configure two separate privilege levels for two groups? These groups exist in the AD database, i.e. my ACS servers (Primary & Backup) are looking in AD for authentication.

8 Replies

Jagdeep Gambhir
Level 10

Hi ,

If you are using TACACS ,

Bring users/groups in at level needed

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter " priv "(1 to 15) in the adjacent field

If you are using RADIUS,

aaa new-model

aaa authentication login default group radius local

aaa authorization exec default group radius local

radius-server host X.X.X.X key XXXX

Following is the configuration required in the Radius Server

The AV pair in the ACS -->group setup--> IETF RADIUS Attributes

[006] Service-Type = Login

/* Following is for getting the user straight into privileged mode */ to set priv 15

The AV pair in Cisco IOS/PIX RADIUS Attributes

[009\001] cisco-av-pair = shell:priv-lvl=15

For more information on above commands, please refer to the following link :-

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/index.htm

Please try the above and let me know if this helps.

Thanks

Thanks! I'll try these and get back to you.

Hi,

Make sure that you have,

aaa authorization exec default group radius....

or

aaa authorization exec default group tacacs....

or something similar EXEC authorization command in your configuration along with authentication.

Regards,

Prem

I did and it works. I just get the following message though:

AAA/Author: config command authorization not enabled

as soon as I enter it. Following is the list of commands I have on the Switch. This is a test switch for ACS. Let me know if anything is amiss.

____________________________________

aaa new-model
aaa authentication login NO_AUTH none
aaa authentication login RADIUS line
aaa authentication login LOC_AUTH group radius line
aaa authentication enable default enable
aaa authorization exec default group tacacs+
aaa accounting send stop-record authentication failure
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

_________________________

Nice to know that.

Please add one more command

aaa authorization config-commands

It should fix it.

Regards,

Jagdeep

Note: If that answers your question, then please mark this thread as resolved, so that others can benefit from it.

I shall, just as soon as I find out what the command does. Please let me know.

A MAJOR problem. Upon executing the two commands:

aaa author exec def group tacacs+ none. I can no longer go to priv mode from my console connection. The workaround I have is to create two sets of authorization exec lists:

aaa authorization exec NO_AUTH none

aaa authorization exec TAC_AUTH group tacacs+ none

Applied NO_AUTH to console

applied LOC_AUTH to vty.

Obviously, when you proposed the use of aaa authorization exec def group tacacs+, you did not intend the user to be unable to log in to the console port. So what would be the course in that case? In addition, is my solution 'best practice' or not?

Hi,

Authorization is not enabled on the console by default, and no matter which authorization method list you apply on the console it won't take effect.

Until you specify the "aaa authorization console" command; it's a hidden command.

Don't do it, as it will enable command authorization to be applied on the console as well. If you want to keep the console apart from command authorization, then don't specify the command. If you want the console to work the way telnet/ssh does, then yes, go for it.

As far as your issue goes,

you have "aaa authentication enable default enable"

Then you must be landing,

Switch>

Make sure that you have enable password configured on switch, and you are using the same enable password.

Regards,

Prem
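The thread above touches four AAA pitfalls: a method list with no local/none fallback (lockout when the server is unreachable), the hidden "aaa authorization console" command, enable authentication against an enable password that was never configured, and the "config command authorization not enabled" message fixed by "aaa authorization config-commands". The following Python script is an added example, not code from the thread or from Cisco; it runs a static review of an IOS-style "aaa" configuration for exactly those points. It assumes the one-command-per-line syntax shown in the posts, and the sample configuration inside it is constructed to resemble the switch config posted above rather than captured from a real device.

```python
"""Static review of an IOS-style AAA configuration for the pitfalls discussed in the thread.

Added example; not from the thread or from any vendor tool.
"""
import re

# Constructed sample, modelled on the switch configuration posted in the thread
# (not a capture from a real device).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login NO_AUTH none
aaa authentication login RADIUS line
aaa authentication login LOC_AUTH group radius line
aaa authentication enable default enable
aaa authorization exec default group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

# Methods that still work when the AAA server is unreachable.
FALLBACK = {"local", "none", "line", "enable"}

METHOD_LIST = re.compile(r"^aaa (authentication login|authorization exec) (\S+) (.+)$")


def parse_method_lists(config):
    """Map (kind, list name) -> ordered list of methods, e.g. ['group radius', 'line']."""
    lists = {}
    for raw in config.splitlines():
        m = METHOD_LIST.match(raw.strip())
        if not m:
            continue
        kind, name, rest = m.groups()
        toks = rest.split()
        methods, i = [], 0
        while i < len(toks):
            if toks[i] == "group" and i + 1 < len(toks):   # 'group tacacs+' is one method
                methods.append("group " + toks[i + 1])
                i += 2
            else:
                methods.append(toks[i])
                i += 1
        lists[(kind, name)] = methods
    return lists


def audit(config):
    """Return a list of 'TAG: explanation' findings, in a fixed order."""
    findings = []
    lines = {raw.strip() for raw in config.splitlines()}

    # 1. A list that relies only on a remote server has no way in if that server is down.
    for (kind, name), methods in parse_method_lists(config).items():
        remote = [m for m in methods if m.startswith("group ")]
        if remote and not any(m in FALLBACK for m in methods):
            findings.append(
                f"LOCKOUT-RISK: 'aaa {kind} {name}' uses {' '.join(remote)} with no "
                "local/none fallback; if the server is unreachable nobody gets a shell")

    # 2. The hidden command that makes exec/command authorization apply to the console.
    if "aaa authorization console" in lines:
        findings.append(
            "CONSOLE-AUTHZ: 'aaa authorization console' is set, so the console line is "
            "subject to the same authorization lists as vty sessions")

    # 3. Enable authentication against the local enable password needs one to exist.
    if ("aaa authentication enable default enable" in lines
            and not any(l.startswith(("enable secret", "enable password")) for l in lines)):
        findings.append(
            "ENABLE-PASSWORD: enable authentication uses the local enable password but none "
            "is configured; users will stop at user EXEC (Switch>)")

    # 4. The thread's fix for 'AAA/Author: config command authorization not enabled'.
    if (any(l.startswith("aaa authorization exec") for l in lines)
            and "aaa authorization config-commands" not in lines):
        findings.append(
            "CONFIG-COMMANDS: 'aaa authorization config-commands' is absent; configuration-mode "
            "commands are not covered by command authorization")

    return findings


def tags(config):
    """Just the TAG part of each finding; handy for scripted checks."""
    return [f.split(":", 1)[0] for f in audit(config)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample it reports the exec list with no fallback, the missing enable password and the missing config-commands line, which is the sequence of problems the thread worked through; a configuration with "local" appended to each remote list, an "enable secret" and "aaa authorization config-commands" comes back clean.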
