Problem - ACS command authorization and web access control

Unanswered Question
Jun 11th, 2007

Hi, I'm trying to add control of some Aironet 1310 bridges with an ACS 3.2 (TACACS+). I wanted to be able to do telnet command authorization restrictions through shell command authorization sets and to give similarly restrictive web access at the same time. I have it working if I permit some commands that are sent by the browser, such as "write memory quiet" and a few others, but for it to work I must give the limited users privilege level 15, and by having the TACACS+ server authorize the commands, it works for both HTTP and telnet. Where my problem begins is when I lose the connection with the ACS server: with the user already authenticated as a level 15 user, the device becomes open to all commands; there is no restriction applied by the ACS any more. Does anybody know a workaround?

Jagdeep Gambhir Mon, 06/11/2007 - 06:15

Hi,

It seems that you have the fallback set to if-authenticated. You need to change it to local:

ap(config)#aaa authorization commands 15 default group tacacs+ local

Hope that helps.

Regards,

Jagdeep

Note : If that answers your question, then please mark this thread as resolved, so that others can benefit from it.

gprever71 Mon, 06/11/2007 - 09:41

It is already at local; it is just that the user already has level 15 access, and I used to control the commands through level settings before. So when I try it, my user that is locally level 5 is already recognized as a level 15 user from when it was authenticated through the ACS. If I could find a way to give web access to the 1310 at priv level 5 and still control the command set, it would be OK, but as soon as I try to access a page that is not permitted other than by the view level (I think it's level 1... or 0), I get a username/password prompt with this line at the top of it: "level_15_or_view_access", and the only way I can access it is by entering a level 15 un/pass. I attached my 1310 aaa config.

And here is the command set that works at level 15 to do a "shut" or "no shut" of the radio interface through the web interface (each command followed by the arguments permitted for it):

configure
    permit terminal
exit
    permit Unmatched Args
interface
    permit Dot11Radio0
no
    permit shutdown
    permit cca
ping
    permit Unmatched Args
show
    permit Unmatched Args
shutdown
    permit Unmatched Args
telnet
    permit Unmatched Args
write
    permit memory quiet

Thanks for the help !
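An added example, not part of either post above, showing the shape of the IOS AAA configuration the answer and the follow-up are discussing, and why the `local` fallback does not help once the ACS has already handed the user privilege 15. The server address, key, username and password are made up; the commands are standard IOS AAA syntax of that era and have not been checked against the 1310's exact image.

```ios
! Added example (not from the thread). Server address, key and
! credentials below are placeholders.
aaa new-model
tacacs-server host 10.1.1.5 key EXAMPLE-KEY-CHANGE-ME
!
! Login and exec authorization. The ACS returns the shell privilege
! level (priv-lvl) here. If it returns 15, the session IS level 15 from
! this point on, whatever the local username entry says.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Per-command authorization. The last keyword is the fallback, used only
! while no TACACS+ server answers:
!   local            -> IOS checks the command against the session's own
!                       privilege level; a level-15 session passes everything
!   if-authenticated -> any authenticated user passes everything
!   none             -> no authorization at all
!   (no fallback)    -> commands are denied while the ACS is unreachable
! So with ACS-assigned priv-lvl 15, "local" restricts nothing once the
! server is gone; only the privilege level the session holds matters.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
!
! Put the web interface behind the same AAA lists as telnet.
ip http server
ip http authentication aaa
!
! Local account for use only while the ACS is down. Its level 5 applies
! only to sessions that log in against the local database; an existing
! session that the ACS already authorized at 15 keeps 15.
username rf-ops privilege 5 secret EXAMPLE-PASSWORD-CHANGE-ME
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 1 default
 authorization commands 15 default
```

Two things worth checking on a box configured this way: first, run `show privilege` in the restricted user's session while the ACS is reachable; if it reports 15, then whichever fallback keyword is used, nothing local will restrict that session when the server drops. Second, console lines are not subject to AAA authorization unless `aaa authorization console` is configured, so leaving that line out keeps a recovery path if you decide to remove the fallback keyword and fail closed.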
