How to enable "Shell Command Authorization Sets"

Answered Question
Jul 18th, 2007

Hi there

I use AAA over TACACS to verify users from MS Active Directory.

I configured a new "Shell Command Authorization Set" see the attachment for details.

But this does not work. So I just want to test whether the use of a command is working or not.

You can see in the attached file I tried something with "show" command.

But if I log in I'm still able to use "show aaa servers", for example, but in the "show" command box I put the argument "deny aaa" inside.

Why does this not work?

Thanx for help

bb

Jagdeep Gambhir Wed, 07/18/2007 - 08:06

Hi BB,

This is what you need on IOS device,

Router(config)# username [username] password [password]

tacacs-server host [ip]

tacacs-server key [key]

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands

On ACS, bring users/groups in at level 15:

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field

Everything else seems to be OK.

~JG

Please rate if that helps

bigbrother74 Thu, 07/19/2007 - 01:26

@ jgambhir

Thanx for answer :-)

Your response is working.

But I want to configure it differently than you. You used "aaa authorization commands 15"; I will do it with "aaa authorization commands 5".

For example:

aaa authorization commands 5 default group tacacs+ if-authenticated

aaa authorization config-commands

In the ACS I want to configure that the users from the group (TACACS+ Settings -> Privilege level = 5) are able to execute the command "configure terminal" or "show running-config" and so on...

How do I configure this???

Thanx for help

bb

Correct Answer
Jagdeep Gambhir Thu, 07/19/2007 - 14:52

BB,

Not sure why you want to do it this way. The trick here is to give all users priv 15 and then define the command authorization set as per your need.

Giving priv 15 does not mean that the user will be able to execute all commands. You can set up an authorization set and allow only the specific commands you want the user to be able to execute.

Pls rate if that helps

Regards,

~JG

raycourtney Thu, 07/19/2007 - 08:00

Hi

I have this same problem, trying to allocate a list of commands that I want junior techs to be able to execute. I have given them all level 7 privilege and listed commands in the ACS Shell Exec settings, but it does not work.

I want to avoid having to enter:

privilege exec level 7 show run

privilege exec level 7 ping

privilege exec level 7 configure terminal

etc. etc. on 300 switches.

Any idea how to do this?

Jagdeep Gambhir Thu, 07/19/2007 - 14:56

Ray,

First of all, you don't need these commands with ACS, so take them off:

privilege exec level 7 show run

privilege exec level 7 ping

privilege exec level 7 configure terminal

Configure acs and aaa client as described above in this thread.

Let me know how that goes.

Regards,

Pls rate helpful posts

bigbrother74 Thu, 07/19/2007 - 23:24

@ jgambhir

You wrote me to set each acs group with privilege level 15 and then add command set.

This works for me now. But how can I hide some output for helpdesk users, such as "aaa configs" and other stuff, when they run the command "sh run"???

Is there a possibility to configure such things???

Thanx for help :-)

bb

mattiaseriksson Fri, 07/20/2007 - 00:07

Yes, use command sets to deny access to some commands, or grant access if you do not want to give access to the majority of the commands. When you execute show running-config the users will only see what they are able to configure, so if you don't want them to see aaa commands, simply deny those commands in the command set.

bigbrother74 Fri, 07/20/2007 - 02:14

@ mattiaseriksson

You say this is very easy, but if I deny, for example, "aaa", then I am still able to see the aaa opportunity under "show ?" and I can also run the "show aaa servers" command.

I probably don't know how to do the deny rule???

But the permit thing works...???

Quite confusing

bb

mattiaseriksson Fri, 07/20/2007 - 02:38

You can deny 'show aaa servers' and other commands like this:

Command: show

Argument: deny aaa *

Unlisted arguments: permit

Unmatched Cisco IOS commands: permit
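
As an added example that is not part of this thread and not Cisco's code, here is a small Python model of how a Shell Command Authorization Set like the one above decides a command line, so a set can be checked against sample commands before it is bound to a group. It also models a three-command set built from raycourtney's list and the permit-all admin set Jagdeep describes later in the thread; the matching rule (case-insensitive shell-style wildcards, first matching argument line wins) is an assumption, not documented ACS behaviour.

```python
# Added example, not Cisco's code: a model of how an ACS "Shell Command
# Authorization Set" decides one command line. Assumption: argument patterns
# are case-insensitive shell wildcards ('*' = anything), first match wins.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class CommandRule:
    """One 'Command:' entry: its 'Argument:' lines plus the unlisted-argument action."""
    arguments: list = field(default_factory=list)  # [(action, pattern), ...]
    unlisted_arguments: str = "permit"


@dataclass
class CommandSet:
    """Whole set: per-command rules plus the 'Unmatched Cisco IOS commands' action."""
    rules: dict = field(default_factory=dict)      # first word -> CommandRule
    unmatched_commands: str = "permit"

    def authorize(self, cmdline: str) -> str:
        words = cmdline.lower().split()
        if not words:
            return "deny"
        command, args = words[0], " ".join(words[1:])
        rule = self.rules.get(command)
        if rule is None:                 # command not listed in the set
            return self.unmatched_commands
        for action, pattern in rule.arguments:
            if fnmatchcase(args, pattern.lower()):
                return action
        return rule.unlisted_arguments   # listed command, no argument line matched


# mattiaseriksson's set: deny 'show aaa ...', everything else still permitted.
HELPDESK = CommandSet({"show": CommandRule([("deny", "aaa *")], "permit")}, "permit")

# Constructed from raycourtney's list: only those three commands, nothing else.
JUNIOR = CommandSet({
    "show": CommandRule([("permit", "run*")], "deny"),   # 'show run', 'show running-config'
    "ping": CommandRule([], "permit"),
    "configure": CommandRule([("permit", "terminal")], "deny"),
}, "deny")

# Admin set with the radio button set to PERMIT: no rules, everything allowed.
ADMIN = CommandSet({}, "permit")
```

Note that the HELPDESK set still permits "configure terminal" because unmatched commands are permitted, which is exactly why the admin-style set with unmatched commands set to deny is the safer default for junior staff.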

Jagdeep Gambhir Fri, 07/20/2007 - 05:27

BB,

Actually using command authorization you can permit or deny any command but there is no way to control the output displayed for a specific command.

e.g.: When you allow show run, the user will get full output instead of limited output.

This feature is available if you do local authorization on the router/switch.

Hope that helps !

Regards,

~JG

raycourtney Tue, 07/24/2007 - 01:57

Hi,

Sorry about the delay, I've been out for a few days...

This sort of works for me now. But it only allows any user to do anything if they are explicitly allocated a command auth set in ACS. So my main admins, like myself, cannot use ANY commands unless we are given a command set to use.

Is there a way around this with certain aaa new-model commands? I currently use:

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands

mattiaseriksson Tue, 07/24/2007 - 02:09

The normal case is that you would have an admin group with an associated command set that has default command permit, and all other groups have limited command sets. So yes, you have to assign a command set if you use command authorization.

The other way to do it would be to define privilege levels, but then you would have to configure this on all of the devices.

raycourtney Tue, 07/24/2007 - 04:05

OK, thanks Matthias. I think it all works OK now.

Will this also work for console access or any situations where it loses contact with the TACACS server?

thanks again.

Ray

mattiaseriksson Tue, 07/24/2007 - 04:17

Yes, the "default" method you use applies to the console line as well, if you have not overruled that in the config.

And if the TACACS server is unavailable it will use the local database for authentication and authorize everything by default (if-authenticated).

Jagdeep Gambhir Tue, 07/24/2007 - 04:55

Hi Ray,

The other way around is to make one more command authorization set with the radio button set to PERMIT.

Bind it to the Admin group in ACS; now all admin users should be able to execute all commands.

Kindly rate helpful posts.

Regards,

~JG
