Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
379
Views
0
Helpful
2
Replies

Granting level 7 user group access to specific level 15 commands

ccie16351
Level 1
Level 1

‎09-25-2007 04:31 PM - edited ‎03-10-2019 03:24 PM

Hi,

I just wonder if it is possible to configure ACS server to give users group who is having level 7 authorization commands the privilidge to do configuration change at the IOS routers managed by the tacacs, similar to the "privilidge level" commands applied at the routers but it would be centralized instead of visiting every router to apply the change.

Thanks

Sami

Labels:
0 Helpful
2 Replies 2

Jagdeep Gambhir
Level 10
Level 10

‎09-25-2007 04:45 PM

Sami,

Trick here is to give all user a priv 15 and then define command autho set as per your need.

Giving priv 15 does not mean that user will able to execute all commands. You can set up authorization set and allow only specific commands you want user should be able to execute.

This is what you need on IOS device,

Router(config)# username [username] password [password]

tacacs-server host [ip]

tacacs-server key [key]

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands

On acs bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field

Define user/group level command authorization

**NOTE: The syntax of the commands specified MUST be exact and IS case sensitive. Also

note that the router will complete commands like "config t" and send the completed command

to ACS so the complete command must be entered into the "Command:" field (i.e. configure)

and the complete argument must be entered into the arguments field (i.e. terminal) in ACS.

1. Drop down to "Shell Command Authorization Set"

2. Place the radio button in "Per User/Group Command Authorization"

3. Choose Permit or Deny for "Unmatched Cisco IOS Commands"

(This field determines that any command NOT specified in the "Command"

box below will be permitted or denied)

4. Place a check in the "Command:" box and specify the command to be permitted or

denied.

5. If you wish to specify arguments for the command, enter the arguments to be permitted

or denied line by line in the "Arguments:" field. The syntax for this is "permit/deny

argument" (i.e. permit terminal)

6. Place the radio button for "Unlisted Arguments" in either permit or deny.

(This works the same way as the "Unmatched Cisco IOS Commands" radio button above).

Note that if you have no arguments specified, choosing "Permit" will permit the command

and choosing "Deny" will deny the command.

7. Click Submit or (Submit+Restart in group setup). At this time a new, blank command

authorization set section will appear so you can repeat the process above with a new

command if necessary.

Regards,

~JG

0 Helpful

ccie16351
Level 1
Level 1
In response to Jagdeep Gambhir

‎09-25-2007 05:02 PM

Thanks JG, your reply makes sense. I just need to lab it.

Sami

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents