We have TACACS+ authentication with a Cisco ACS v3.3, and we are now trying to build some users with specific rights. For example:
- Assign ports to a VLAN
- Change the description of a port
How can I set it up? Do I need to define anything on the switch side, or is it all in Cisco ACS?
The concept remains the same for config t as well. I have attached a screenshot of the authorization set.
I have allowed access only to interface fastethernet 0/10, and in that interface the only allowed VLAN is 1. So no one can make that port part of another VLAN or a trunk port, etc.
In this way you can set it up as per your need.
Please take care with the syntax: ACS does not understand the slash (/), so you need to use fastethernet 0 10 (without the slash).
All the best!
jagdeep has given a wonderful explanation of the process.
You can also go through the attached doc, which gives you some examples as well.
This is how you do it. Employ authentication, authorization, and command authorization on an IOS or set-based device:
Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
Set Based -
Console> (enable) set tacacs server [IP] [primary]
set tacacs key [key]
set tacacs attempts [number] (optional)
set localuser user [user] password [password] privilege 15
set authentication login local enable
set authentication login tacacs enable [all | console | http | telnet] [primary]
set authorization exec enable tacacs+ [deny | none] [console | telnet | both]
set authorization commands enable [config | all] tacacs+ [deny | none] [console | telnet | both]
B. Bring users/groups in at level 15
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field
C. Define user/group level command authorization
**NOTE: The syntax of the commands specified MUST be exact and IS case sensitive. Also
note that the router will complete commands like "config t" and send the completed command
to ACS, so the complete command must be entered into the "Command:" field (i.e., configure)
and the complete argument must be entered into the "Arguments:" field (i.e., terminal) in ACS.
1. Drop down to "Shell Command Authorization Set"
2. Place the radio button in "Per User/Group Command Authorization"
3. Choose Permit or Deny for "Unmatched Cisco IOS Commands"
(This field determines that any command NOT specified in the "Command"
box below will be permitted or denied)
4. Place a check in the "Command:" box and specify the command to be permitted or denied.
5. If you wish to specify arguments for the command, enter the arguments to be permitted or denied line by line in the "Arguments:" field. The syntax for this is "permit/deny argument" (i.e., permit terminal).
6. Place the radio button for "Unlisted Arguments" in either permit or deny.
(This works the same way as the "Unmatched Cisco IOS Commands" radio button above).
Note that if you have no arguments specified, choosing "Permit" will permit the command
and choosing "Deny" will deny the command.
7. Click Submit (or Submit+Restart in group setup). At this time a new, blank command
authorization set section will appear so you can repeat the process above with a new
command if necessary.
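To make the evaluation order in steps C.3 to C.6 concrete, and to show how jagdeep's "only fastethernet 0 10, only VLAN 1" restriction comes out of it, here is an added model in Python. It is my own illustration, not code from the original posters or from Cisco ACS. Two details are assumptions, not stated anywhere in the thread: each "permit/deny argument" line is treated as a regular expression that must match the whole argument string (re.fullmatch), and the lines are tried in order with the first match winning. The set built by vlan_operator_set() and the session in SAMPLE_SESSION are constructed for the example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """One 'Command:' entry of an ACS Shell Command Authorization Set."""
    arg_lines: list              # ordered ("permit"|"deny", pattern) lines
    unlisted_arguments: str      # the "Unlisted Arguments" radio button


@dataclass
class CommandAuthSet:
    """Per user/group command authorization set."""
    unmatched_commands: str      # the "Unmatched Cisco IOS Commands" radio button
    rules: dict = field(default_factory=dict)

    def add(self, command, arg_lines=(), unlisted_arguments="deny"):
        # Command names are exact and case sensitive, as the thread notes.
        self.rules[command] = CommandRule(list(arg_lines), unlisted_arguments)


def authorize(auth_set, command, arguments):
    """Decide one TACACS+ command authorization request.

    `command` is the completed first word the switch sends (e.g. "configure",
    never "config"); `arguments` is the rest of the line. Returns (permitted, reason).
    Assumption (mine, not from the thread): each argument line is a regular
    expression matched against the whole argument string, first match wins.
    """
    rule = auth_set.rules.get(command)
    if rule is None:
        return auth_set.unmatched_commands == "permit", "unmatched command"
    for action, pattern in rule.arg_lines:
        if re.fullmatch(pattern, arguments):
            return action == "permit", f"argument line '{action} {pattern}'"
    # No argument line matched (including the case of no lines at all).
    return rule.unlisted_arguments == "permit", "unlisted arguments"


def vlan_operator_set():
    """Set for an operator who may only put Fa0/10 in VLAN 1 and edit its description.

    Hypothetical set built to mirror the restriction described in the thread;
    the interface argument is written 'fastethernet 0 10' with no slash.
    """
    s = CommandAuthSet(unmatched_commands="deny")
    s.add("show", [("permit", ".*")])
    s.add("configure", [("permit", "terminal")])
    s.add("interface", [("permit", "fastethernet 0 10")])   # every other port denied
    s.add("switchport", [("permit", "access vlan 1"),
                         ("deny", "mode trunk")])            # unlisted args -> deny
    s.add("description", [("permit", ".*")])
    s.add("exit", unlisted_arguments="permit")   # no arg lines: the radio button decides
    s.add("end", unlisted_arguments="permit")
    return s


def check_session(auth_set, session):
    """Run a list of (command, arguments) lines through the set; return decisions."""
    return [authorize(auth_set, c, a)[0] for c, a in session]


# Constructed session: what the switch would send after command completion.
SAMPLE_SESSION = [
    ("configure", "terminal"),
    ("interface", "fastethernet 0 10"),
    ("switchport", "access vlan 1"),
    ("description", "printer on floor 2"),
    ("switchport", "mode trunk"),            # denied by the explicit deny line
    ("interface", "fastethernet 0 11"),      # denied: argument not listed
    ("switchport", "access vlan 10"),        # denied: 'vlan 1' must match the whole string
    ("reload", ""),                          # denied: command not in the set
    ("Configure", "terminal"),               # denied: case-sensitive lookup
]

if __name__ == "__main__":
    decisions = check_session(vlan_operator_set(), SAMPLE_SESSION)
    for (cmd, args), ok in zip(SAMPLE_SESSION, decisions):
        print(f"{'PERMIT' if ok else 'DENY  '} {cmd} {args}")
```

The whole-string match is the point to carry over to the real ACS fields: if the "access vlan 1" line were only matched as a prefix, "access vlan 10" and "access vlan 100" would be permitted too, so write argument lines as complete, anchored patterns and leave "Unlisted Arguments" on Deny for any command that changes configuration. Remember that the switch only asks ACS about configuration-mode commands when "aaa authorization config-commands" is present, as in the IOS snippet above.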