Specific rights to a Switch

Answered Question
Sep 3rd, 2007

Hi,

we are using TACACS+ authentication with a Cisco ACS v3.3, and we are now trying to build some users with specific rights. For example:

- Assign ports to VLAN

- Change the description of a port


How can I set it up? Do I need to define anything on the switch side, or is it all in Cisco ACS?


Jorge

rajatsetia Mon, 09/03/2007 - 20:50

Hi,


You can also use shell authorization command set to define the particular commands that a user/user group can execute for a particular Device/ Network Device Group (if defined).


You must have received the documentation CDs with the ACS package, which are sufficient to explain the configuration part.


HTH


rgds

Correct Answer
Jagdeep Gambhir Tue, 09/04/2007 - 06:26

Hi,

This is how you do it. Employ Authentication, Authorization, and Command Authorization on an IOS or set-based device:


IOS -

! local fallback account and the TACACS+ server definition
Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
! login: ask TACACS+ first; the local database is used only if no TACACS+ server answers
aaa authentication login default group tacacs+ local
! exec and per-command authorization; if-authenticated is a fallback that lets an
! already-authenticated user through when no TACACS+ server responds
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
! send configuration-mode commands to TACACS+ for authorization as well
aaa authorization config-commands

Set Based -

Console> (enable) set tacacs server [IP] [primary]
set tacacs key [key]
set tacacs attempts [number] (optional)
set localuser user [user] password [password] privilege 15
set authentication login local enable
set authentication login tacacs enable [all | console | http | telnet] [primary]
set authorization exec enable tacacs+ [deny | none] [console | telnet | both]
set authorization commands enable [config | all] tacacs+ [deny | none] [console | telnet | both]


B. Bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field


C. Define user/group level command authorization


NOTE: The syntax of the commands specified MUST be exact and IS case sensitive. Also note that the router will complete commands like "config t" and send the completed command to ACS, so the complete command must be entered into the "Command:" field (i.e. configure) and the complete argument must be entered into the arguments field (i.e. terminal) in ACS.


1. Drop down to "Shell Command Authorization Set"

2. Place the radio button in "Per User/Group Command Authorization"

3. Choose Permit or Deny for "Unmatched Cisco IOS Commands" (this field determines whether any command NOT specified in the "Command" box below will be permitted or denied)

4. Place a check in the "Command:" box and specify the command to be permitted or denied.

5. If you wish to specify arguments for the command, enter the arguments to be permitted or denied line by line in the "Arguments:" field. The syntax for this is "permit/deny argument" (i.e. permit terminal)

6. Place the radio button for "Unlisted Arguments" in either permit or deny. (This works the same way as the "Unmatched Cisco IOS Commands" radio button above.)

Note that if you have no arguments specified, choosing "Permit" will permit the command and choosing "Deny" will deny the command.

7. Click Submit (or Submit+Restart in group setup). At this time a new, blank command authorization set section will appear so you can repeat the process above with a new command if necessary.


Regards,

~JG

Correct Answer
royalblues Tue, 09/04/2007 - 07:56

Jagdeep has given a wonderful explanation of the process.


You can also go through the attached doc, which gives you some examples as well.


HTH

Narayan



jorge.s Wed, 09/05/2007 - 00:41

This has been a great explanation!!! Thanks.


But what if I want to allow only some configuration commands in Configure Terminal mode?


Like:

Configure Terminal
Interface fastethernet0/10
switchport access vlan 2000


Thanks

Jorge

Correct Answer
Jagdeep Gambhir Wed, 09/05/2007 - 04:35

Jorge,

The concept remains the same for config t as well. I have attached a screenshot of the authorization set.


I have allowed access only to interface fastethernet 0/10, and in that interface the only allowed VLAN is 1. So no one can make that port part of another VLAN, a trunk port, etc.


In this way you can set it up as per your need.


Please take care with the syntax: ACS does not understand the slash (/), so you need to use fastethernet 0 10 (without the slash).


All the best !



Regards,

~JG
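The per-command matching that JG's steps and his fastethernet 0/10 set describe, as an added Python model that is not from this thread or from Cisco ACS: the class names, the slash normalisation and the treatment of each argument line as a regular-expression search are assumptions made here for illustration, and the sample command lines are constructed.

```python
"""Toy evaluator for an ACS 3.3 per-user shell command authorization set.
Constructed example, not Cisco or ACS code. The device completes abbreviations
("config t" arrives as "configure terminal") and sends command word plus arguments;
ACS matches the command word exactly, walks the permit/deny argument lines in
order, and the "Unmatched Cisco IOS Commands" / "Unlisted Arguments" radio buttons
supply the defaults. Modelling each argument line as an unanchored regex search is
an assumption made here, which is why the patterns below are anchored with ^ and $."""
import re
from dataclasses import dataclass, field

@dataclass
class CommandRule:
    args: list = field(default_factory=list)  # [("permit"|"deny", pattern), ...] in entry order
    unlisted_args: str = "deny"               # "Unlisted Arguments" radio button

@dataclass
class CommandAuthSet:
    commands: dict                            # completed command word -> CommandRule
    unmatched_commands: str = "deny"          # "Unmatched Cisco IOS Commands" radio button

    def authorize(self, cmd_line: str) -> bool:
        # ACS sets are written without the slash ("fastethernet 0 10"), so normalise it away
        words = cmd_line.replace("/", " ").split()
        if not words:
            return False
        cmd, arg_line = words[0], " ".join(words[1:])
        rule = self.commands.get(cmd)         # exact, case-sensitive command match
        if rule is None:
            return self.unmatched_commands == "permit"
        for action, pattern in rule.args:     # first matching argument line decides
            if re.search(pattern, arg_line):
                return action == "permit"
        return rule.unlisted_args == "permit" # no line matched, or none were listed

# JG's example as a constructed set: config mode allowed, only interface
# fastethernet 0/10 may be entered, and only "switchport access vlan 1" inside it.
JG_SET = CommandAuthSet(
    commands={
        "configure": CommandRule(args=[("permit", r"^terminal$")]),
        "interface": CommandRule(args=[("permit", r"^fastethernet 0 10$")]),
        "switchport": CommandRule(args=[("permit", r"^access vlan 1$")]),  # $ keeps "vlan 10" out
        "show": CommandRule(unlisted_args="permit"),  # no arguments listed: the radio decides
    },
    unmatched_commands="deny",
)

if __name__ == "__main__":
    for line in ["configure terminal", "interface fastethernet 0/10", "switchport access vlan 1",
                 "switchport access vlan 2000", "switchport mode trunk", "reload"]:
        print(f"{line:32} -> {'PERMIT' if JG_SET.authorize(line) else 'DENY'}")
```

Under the regex assumption, an unanchored argument line such as "permit access vlan 1" would also match "access vlan 10", so the check worth running against a real set is exactly that kind of near-miss command.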


