07-18-2007 06:09 AM - edited 03-09-2019 06:25 PM
Hi there
I use aaa over tacacs to verify users from MS Active Directory.
I configured a new "Shell Command Authorization Set" see the attachment for details.
But this does not work. So I just want to test whether the use of a command is working or not.
You can see in the attached file I tried something with "show" command.
But if I log in I'm still able to use "show aaa servers", for example, although in the "show" command box I put the argument "deny aaa".
Why does this not work?
Thanx for help
bb
07-18-2007 08:06 AM
Hi BB,
This is what you need on IOS device,
Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
On acs bring users/groups in at level 15
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field
The rest all seems to be OK.
~JG
Please rate if that helps
07-19-2007 01:26 AM
@ jgambhir
Thanx for answer :-)
Your response is working.
But I want to configure it differently than you. You did "aaa authorization commands 15"; I will do it with "aaa authorization commands 5".
For example:
aaa authorization commands 5 default group tacacs+ if-authenticated
aaa authorization config-commands
In the ACS I want to configure that the users from the group (TACACS+ Settings -> Privilege level = 5)
are able to execute the commands "configure terminal" or "show running-config" and so on...
How do I configure this???
Thanx for help
bb
07-19-2007 02:52 PM
BB,
Not sure why you want to do it this way. The trick here is to give all users priv 15 and then define a command authorization set as per your needs.
Giving priv 15 does not mean that the user will be able to execute all commands. You can set up an authorization set and allow only the specific commands you want the user to be able to execute.
Pls rate if that helps
Regards,
~JG
07-19-2007 08:00 AM
Hi
I have this same problem, trying to allocate a list of commands that I want junior techs to be able to execute. I have given them all level 7 privilege and listed the commands in the ACS Shell Exec settings, but it does not work.
I want to avoid having to enter:
privilege exec level 7 show run
privilege exec level 7 ping
privilege exec level 7 configure terminal
etc etc on 300 switches.
Any idea how to do this?
07-19-2007 02:56 PM
Ray,
First of all, you don't need these commands with ACS, so remove them:
privilege exec level 7 show run
privilege exec level 7 ping
privilege exec level 7 configure terminal
Configure acs and aaa client as described above in this thread.
Let me know how that goes.
Regards,
Pls rate helpful posts
07-19-2007 11:24 PM
@ jgambhir
You wrote me to set each acs group with privilege level 15 and then add command set.
This works for me now. But how can I hide some output for helpdesk users, such as the "aaa configs" and other stuff, when they run the command "sh run"???
Does it give a possibility to configure such things???
Thanx for help :-)
bb
07-20-2007 12:07 AM
Yes, use command sets to deny access to some commands, or grant access if you do not want to give access to the majority of the commands. When you execute show running-config the users will only see what they are able to configure, so if you don't want them to see aaa commands, simply deny those commands in the command set.
07-20-2007 02:14 AM
@ mattiaseriksson
You say this is very easy, but if I deny for example "aaa" then I am still able to see the aaa option under "show ?" and I can also run the "show aaa servers" command.
I probably don't know how to do the deny rule???
But the permit thing works...???
Quite confusing
bb
07-20-2007 02:38 AM
You can deny 'show aaa servers' and other commands like this:
Command: show
Argument: deny aaa *
Unlisted arguments: permit
Unmatched Cisco IOS commands: permit
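As an added illustration (not ACS code and not from any poster in this thread), a small Python model of how a Shell Command Authorization Set like the one above is evaluated: the command keyword is looked up, its permit/deny argument lines are tried in order, and the "Unlisted arguments" and "Unmatched Cisco IOS commands" defaults fill the gaps. It assumes word-by-word argument matching with a trailing "*" wildcard; the exact ACS matching rules are not documented in this thread.

```python
"""Illustrative model of ACS 'Shell Command Authorization Set' evaluation."""
from dataclasses import dataclass, field


def args_match(pattern: str, args: list) -> bool:
    """Word-by-word match of an Argument pattern against the typed arguments.
    A trailing '*' matches zero or more remaining words; every other word must
    match exactly.  (Assumed semantics for this model, not the ACS source.)"""
    pat = pattern.split()
    for i, tok in enumerate(pat):
        if tok == "*":
            return True
        if i >= len(args) or args[i] != tok:
            return False
    return len(args) == len(pat)


@dataclass
class CommandRule:
    """One 'Command:' entry with its 'permit/deny <argument>' lines."""
    arguments: list = field(default_factory=list)   # [(action, pattern), ...]
    unlisted_arguments: str = "permit"               # 'Unlisted arguments' box


@dataclass
class CommandSet:
    """The whole set; 'unmatched' is the 'Unmatched Cisco IOS commands' box."""
    commands: dict = field(default_factory=dict)     # keyword -> CommandRule
    unmatched: str = "permit"

    def authorize(self, line: str) -> str:
        words = line.split()
        rule = self.commands.get(words[0]) if words else None
        if rule is None:
            return self.unmatched
        for action, pattern in rule.arguments:
            if args_match(pattern, words[1:]):
                return action
        return rule.unlisted_arguments


def helpdesk_set() -> CommandSet:
    """The set posted above: 'show' with 'deny aaa *', everything else permitted."""
    return CommandSet({"show": CommandRule([("deny", "aaa *")])})


def helpdesk_set_without_wildcard() -> CommandSet:
    """Same set with the original poster's 'deny aaa' (no wildcard), for comparison."""
    return CommandSet({"show": CommandRule([("deny", "aaa")])})
```

Under this model "show aaa servers" is denied only with the wildcard form; with a bare "deny aaa" only the exact "show aaa" is denied, which matches the symptom described earlier in the thread.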
07-20-2007 05:27 AM
BB,
Actually, using command authorization you can permit or deny any command, but there is no way to control the output displayed for a specific command.
e.g.: When you allow show run, the user will get the full output instead of limited output.
This feature is available if you do local authorization on the router/switch.
Hope that helps !
Regards,
~JG
07-24-2007 01:57 AM
Hi,
Sorry about the delay, I've been out for a few days...
This sort of works for me now. But it only allows any user to do anything if they are explicitly allocated a command auth set in ACS. So main admins like myself cannot use ANY commands unless we are given a command set to use.
Is there a way around this with certain aaa new-model commands? I currently use:
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
07-24-2007 02:09 AM
The normal case is that you would have an admin group with an associated command set that has default command permit, and all other groups have limited command sets. So yes, you have to assign a command set if you use command authorization.
The other way to do it would be to define privilege levels, but then you would have to configure this on all of the devices.
07-24-2007 04:05 AM
OK, thanks Matthias. I think it all works OK now.
Will this also work for console access or any situation where it loses contact with the TACACS server?
thanks again.
Ray
07-24-2007 04:17 AM
Yes, the "default" method you use applies to the console line as well, if you have not overruled that in the config.
And if the tacacs server is unavailable it will use the local database for authentication and authorize everything by default (if-authenticated).