How to enable "Shell Command Authorization Sets"

Jul 18th, 2007

Hi there


I use AAA over TACACS to verify users from MS Active Directory.


I configured a new "Shell Command Authorization Set" see the attachment for details.


But this does not work. So I just want to test whether the use of a command is working or not.


You can see in the attached file I tried something with "show" command.


But when I log in I'm still able to use "show aaa servers", for example, even though in the "show" command box I put the argument "deny aaa".


Why does this not work?


Thanks for the help


bb



Jagdeep Gambhir Wed, 07/18/2007 - 08:06

Hi BB,

This is what you need on the IOS device:


Router(config)# username [username] password [password]

tacacs-server host [ip]

tacacs-server key [key]

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands


On ACS, bring users/groups in at level 15:

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field



The rest all seems to be OK.


~JG


Please rate if that helps


bigbrother74 Thu, 07/19/2007 - 01:26

@ jgambhir


Thanks for the answer :-)


Your suggestion is working.

But I want to configure it differently than you did. You used "aaa authorization commands 15"; I will do it with "aaa authorization commands 5".


For example:


aaa authorization commands 5 default group tacacs+ if-authenticated

aaa authorization config-commands



In ACS I want to configure it so that the users from the group (TACACS+ Settings -> Privilege level = 5)

are able to execute the commands "configure terminal" or "show running-config" and so on...


How do I configure this?


Thanks for the help


bb

Correct Answer
Jagdeep Gambhir Thu, 07/19/2007 - 14:52

BB,

Not sure why you want to do it this way. The trick here is to give all users priv 15 and then define command authorization sets as per your needs.


Giving priv 15 does not mean that the user will be able to execute all commands. You can set up an authorization set and allow only the specific commands you want the user to be able to execute.


Please rate if that helps


Regards,

~JG




raycourtney Thu, 07/19/2007 - 08:00

Hi

I have this same problem, trying to allocate a list of commands that I want junior techs to be able to execute. I have given them all level 7 privilege and listed the commands in the ACS Shell (Exec) settings, but it does not work.


I want to avoid having to enter:

privilege exec level 7 show run

privilege exec level 7 ping

privilege exec level 7 configure terminal


etc. on 300 switches.


Any idea how to do this?

Jagdeep Gambhir Thu, 07/19/2007 - 14:56

Ray,

First of all, you don't need these commands with ACS, so remove these commands:


privilege exec level 7 show run

privilege exec level 7 ping

privilege exec level 7 configure terminal



Configure ACS and the AAA client as described above in this thread.


Let me know how that goes.


Regards,


Please rate helpful posts



bigbrother74 Thu, 07/19/2007 - 23:24

@ jgambhir


You told me to set each ACS group to privilege level 15 and then add a command set.


This works for me now. But how can I hide some output for helpdesk users, such as the "aaa" config and other stuff, when they run the command "sh run"?


Is there a possibility to configure such things?


Thanks for the help :-)


bb

mattiaseriksson Fri, 07/20/2007 - 00:07

Yes, use command sets to deny access to some commands, or grant access if you do not want to give access to the majority of the commands. When you execute show running-config the users will only see what they are able to configure, so if you don't want them to see aaa commands, simply deny those commands in the command set.

bigbrother74 Fri, 07/20/2007 - 02:14

@ mattiaseriksson


You make this sound very easy, but if I deny "aaa", for example, then I am still able to see the aaa option under "show ?" and I can also run the "show aaa servers" command.


I probably don't know how to do the deny rule?


But the permit thing works...


Quite confusing


bb

mattiaseriksson Fri, 07/20/2007 - 02:38

You can deny 'show aaa servers' and other commands like this:


Command: show

Argument: deny aaa *

Unlisted arguments: permit


Unmatched Cisco IOS commands: permit
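The deny rule above, and the allow-list alternative asked for earlier in the thread, can be modelled to see why "deny aaa" alone let "show aaa servers" through. The following is an added example, not code from the thread or from Cisco ACS: it models one rule per IOS command (the "Command" box), permit/deny argument lines (the "Arguments" box), the "Unlisted arguments" default and the set-wide "Unmatched Cisco IOS commands" default. It assumes that argument lines are compared against the whole argument string using shell-style wildcards, which is the reading under which "deny aaa" misses "aaa servers" while "deny aaa *" catches it; confirm the real matching rule on your ACS version with `debug aaa authorization` on the device. The sample command sets are constructed for illustration.

```python
"""Model of an ACS 4.x Shell Command Authorization Set (added example).

ASSUMPTION: argument lines are matched against the whole argument string
with shell-style wildcards, first matching line wins. This is what makes
'deny aaa' miss 'show aaa servers' while 'deny aaa *' catches it.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple


@dataclass
class CommandRule:
    """One 'Command' entry: argument lines are (verdict, pattern) pairs."""
    args: List[Tuple[str, str]]
    unlisted_args: str = "permit"


@dataclass
class CommandSet:
    rules: Dict[str, CommandRule]
    unmatched_commands: str = "deny"

    def authorize(self, cmdline: str) -> str:
        """Return 'permit' or 'deny' for one command line as IOS sends it
        (IOS expands abbreviations such as 'sh run' before asking the server)."""
        words = cmdline.split()
        if not words:
            return "deny"
        rule = self.rules.get(words[0])
        if rule is None:
            return self.unmatched_commands
        argstr = " ".join(words[1:])
        for verdict, pattern in rule.args:   # first matching line wins (assumption)
            if fnmatchcase(argstr, pattern):
                return verdict
        return rule.unlisted_args


def bb_first_attempt() -> CommandSet:
    """What bb described: 'deny aaa' under 'show', everything else permitted."""
    return CommandSet(
        rules={"show": CommandRule(args=[("deny", "aaa")], unlisted_args="permit")},
        unmatched_commands="permit",
    )


def fixed_deny_set() -> CommandSet:
    """The 'deny aaa *' fix from the reply above, plus the bare 'aaa' form."""
    return CommandSet(
        rules={"show": CommandRule(args=[("deny", "aaa"), ("deny", "aaa *")],
                                   unlisted_args="permit")},
        unmatched_commands="permit",
    )


def helpdesk_allow_list() -> CommandSet:
    """Safer shape for junior techs: list what is allowed, deny the rest."""
    return CommandSet(
        rules={
            "show": CommandRule(args=[("permit", "running-config"),
                                      ("permit", "ip interface brief")],
                                unlisted_args="deny"),
            "ping": CommandRule(args=[("permit", "*")], unlisted_args="deny"),
        },
        unmatched_commands="deny",
    )


def admin_set() -> CommandSet:
    """An admin set with 'Unmatched Cisco IOS commands: permit'."""
    return CommandSet(rules={}, unmatched_commands="permit")


if __name__ == "__main__":
    for name, cs in [("bb first attempt", bb_first_attempt()),
                     ("fixed deny set", fixed_deny_set()),
                     ("helpdesk allow list", helpdesk_allow_list())]:
        for cmd in ("show aaa servers", "show running-config", "configure terminal"):
            print(f"{name:20} {cmd:22} -> {cs.authorize(cmd)}")
```

The deny-list shape (unlisted arguments permit, unmatched commands permit) is only as good as the patterns you remember to write; every new IOS release adds commands it silently permits. For a restricted group prefer the allow-list shape and put the permit-everything set only on the admin group.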


Jagdeep Gambhir Fri, 07/20/2007 - 05:27

BB,

Actually, using command authorization you can permit or deny any command, but there is no way to control the output displayed for a specific command.


e.g.: When you allow show run, the user will get the full output instead of limited output.


This feature is available if you do local authorization on the router/switch.



Hope that helps !


Regards,

~JG



raycourtney Tue, 07/24/2007 - 01:57

Hi,

Sorry about the delay, I've been out for a few days...

This sort of works for me now. But it only allows a user to do anything if they are explicitly allocated a command auth set in ACS, so main admins like myself cannot use ANY commands unless we are given a command set to use.


Is there a way around this with certain aaa new-model commands? I currently use:


aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands

mattiaseriksson Tue, 07/24/2007 - 02:09

The normal case is that you would have an admin group with an associated command set that has default command permit, and all other groups have limited command sets. So yes, you have to assign a command set if you use command authorization.


The other way to do it would be to define privilege levels, but then you would have to configure this on all of the devices.

raycourtney Tue, 07/24/2007 - 04:05

OK, thanks Matthias. I think it all works OK now.


Will this also work for console access or any situations where it loses contact with the TACACS server?


thanks again.


Ray

mattiaseriksson Tue, 07/24/2007 - 04:17

Yes, the "default" method you use applies to the console line as well, if you have not overridden that in the config.


And if the TACACS server is unavailable it will use the local database for authentication and authorize everything by default (if-authenticated).
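The fallback just described is worth seeing as the method-list walk IOS actually performs, because it fails open. The following is an added example, not code from the thread or from Cisco: it models the list `aaa authorization commands 15 default group tacacs+ if-authenticated` used throughout this thread under the documented IOS rule that the next method is consulted only when the current one returns ERROR (no server answered), never on an explicit FAIL. The server addresses and replies are constructed inputs.

```python
"""Model of an IOS authorization method-list walk (added example).

    aaa authorization commands 15 default group tacacs+ if-authenticated

Rule encoded: a method list moves to the next method only on ERROR (no
server answered). An explicit FAIL from the server is final.
"""
from enum import Enum
from typing import Dict, List, Optional


class Reply(Enum):
    PASS = "pass"    # server authorized the command
    FAIL = "fail"    # server explicitly denied it
    ERROR = "error"  # no usable answer (timeout, server down)


def query_group(servers: Dict[str, Optional[Reply]]) -> Reply:
    """'group tacacs+': servers are tried in the configured order and the
    group only reports ERROR when none of them answers.
    servers maps address -> Reply, or None for an unreachable server."""
    for reply in servers.values():
        if reply is None:        # timeout: try the next server in the group
            continue
        return reply
    return Reply.ERROR


def authorize(methods: List[str], servers: Dict[str, Optional[Reply]],
              authenticated: bool) -> str:
    """Return 'permit' or 'deny' for one command under the given method list."""
    for method in methods:
        if method == "group tacacs+":
            reply = query_group(servers)
            if reply is Reply.PASS:
                return "permit"
            if reply is Reply.FAIL:
                return "deny"        # explicit deny: no fall-through to the next method
            continue                 # ERROR: consult the next method
        if method == "if-authenticated":
            return "permit" if authenticated else "deny"
        if method == "none":
            return "permit"          # no authorization at all
        raise ValueError(f"unsupported method in this model: {method}")
    return "deny"                    # every method errored out: request is denied


THREAD_METHODS = ["group tacacs+", "if-authenticated"]

if __name__ == "__main__":
    cases = [
        ("ACS up, denies command", {"10.0.0.10": Reply.FAIL}),
        ("ACS unreachable",        {"10.0.0.10": None}),
        ("primary down, 2nd up",   {"10.0.0.10": None, "10.0.0.11": Reply.FAIL}),
    ]
    for label, servers in cases:
        print(f"{label:24} -> {authorize(THREAD_METHODS, servers, True)}")
    # Without a fallback method an outage locks every operator out instead:
    print("no fallback, ACS down    ->",
          authorize(["group tacacs+"], {"10.0.0.10": None}, True))
```

The practical consequence: during a TACACS+ outage, login falls back to the local username (the `local` method in the authentication line) and every command is then permitted by `if-authenticated`, so the local credential pushed to all 300 switches is effectively a full-admin password and the per-group command sets do not apply at all. Treat that credential accordingly, expect no command accounting records from that window, and test the outage path deliberately rather than discovering it in an incident.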

Jagdeep Gambhir Tue, 07/24/2007 - 04:55

Hi Ray,

The other way around is to make one more command authorization set with the radio button set to PERMIT.


Bind it to the Admin group in ACS; now all admin users should be able to execute all commands.


Kindly rate helpful posts.


Regards,

~JG




