Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2315
Views
0
Helpful
2
Replies

problem - acs command authorization and web access control

gprever71
Level 1
Level 1

‎06-11-2007 05:27 AM - edited ‎03-10-2019 03:12 PM

Hi, I'm trying to add the control of some aironet 1310 bridges with a ACS 3.2 (tacacs+). I wanted to be able to do telnet command authorization restrictions trough shell command authorization sets and be able to give similar restrictive web access at the same time. I have it working if I permit some commands that are sent by the browser as "write memory quiet" and few other ones, but for it to work, I must give them limited users the privilege level 15 and by having the tacacs server authorizing the commands, it work for both, http and telnet. Where my problem begin is when I loose the connection with the ACS server, the user being already authenticated as level 15 user, the device become open to all commands; there is no more restriction applied by the ACS. Do anybody now a workaround.

Labels:
0 Helpful
2 Replies 2

Jagdeep Gambhir
Level 10
Level 10

‎06-11-2007 06:15 AM

Hi,

It seems that you have fall back set as if-authenticated. You need to change it to local,

ap(config)#aaa authorization commands 15 default group tacacs+ local

Hope that helps.

Regards,

Jagdeep

Note : If that answers your question, then please mark this thread as resolved, so that others can benefit from it.

0 Helpful

gprever71
Level 1
Level 1
In response to Jagdeep Gambhir

‎06-11-2007 09:41 AM

It is already at local, that is just that the user already have a level 15 access and I used to control the commands through level settings before. So when I try it, my user that is localy level 5 is already recognized as a level 15 user from when it was authenticated through the ACS. If I could find a way to give web access to the 1310 at priv level 5 and still controlling the command set, it would be ok but as soon as I try to access a page that is not permitted other way than by the view level (i think it's level 1... or 0), I get a username password prompt with that line on the top of it:"level_15_or_view_access" and the only way I can access it is by entering a level 15 un/pass. I attached my 1310 aaa config

and here are the command set that work at level 15 to do a "shut" or "no shut" of the radio interface by the web interface:

configure

permit terminal

exit

permit Unmatched Args

interface

permit Dot11Radio0

no

permit shutdown

permit cca

ping

permit Unmatched Args

show

permit Unmatched Args

shutdown

permit Unmatched Args

telnet

permit Unmatched Args

write

permit memory quiet

Thanks for the help !

Preview file
5 KB
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents