Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1135
Views
38
Helpful
10
Replies

How to assign authorization commands to vty or interface?

VaughanTK
Level 1
Level 1

‎10-11-2007 04:13 PM - edited ‎03-10-2019 03:26 PM

Attempting to set up multiple group by command permissions.

I have created the Shell Cmd Auth Set and assigned a group to that Set.

On my switch I have following cmds

Aaa new-model

Aaa authentication login default group tacacs+ local

Aaa authorization config-commands

Aaa authorization exec default group tacacs+ local

Aaa authorization commands 1 default group tacacs+ if-authenticated

Now from what I understand I need to Enter the line configuration mode for the lines to which I want to apply the authorization method list.

How is this done?

Thanks

Labels:
0 Helpful
10 Replies 10

Jagdeep Gambhir
Level 10
Level 10

‎10-11-2007 04:22 PM

Nothing is reqd on line config. Since you have used word " default ", all aaa commands will be effective for telnet , http ,console etc.

So if you have made command author set in acs and have also binded it with usergroup , you are all set, good to go.

Regards,

~JG

Please rate helpful posts

VaughanTK
Level 1
Level 1
In response to Jagdeep Gambhir

‎10-11-2007 04:29 PM

within my Cmd Auth set I have denied configure and when I test I still am able to issue the configure cmd.

0 Helpful

Premdeep Banga
Level 7
Level 7
In response to VaughanTK

‎10-11-2007 04:32 PM

this is because you have only configured authorization for level 1 commands not level 15.

conf t is a level 15 command

add, aaa authorization commands 15 default....

Regards,

Prem

spanglenuts
Level 1
Level 1
In response to Premdeep Banga

‎10-12-2007 03:54 AM

I'm work with vaughantk...

I added the command "aaa authorization commands 15 default group tacacs+ if-authenticated" and took out the "aaa authorization commands 1 default group tacacs+ if-authenticated"

It appears to be working correctly now, but...

Can we just have the "aaa authorization commands 15 default.." and then deny everything we don't want? Or do we need "aaa authorization commands 1 default.." and so on for each privilege level we have?

Thank you for the help!

-Andrew

0 Helpful

Premdeep Banga
Level 7
Level 7
In response to spanglenuts

‎10-12-2007 03:58 AM

all the major commands are at level 15 by default. So monitoring 15 should solve your purpose.

You can also refer to,

Building a Scalable TACACS+ Device Management Framework:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a0080088893.shtml

Command authorization for other levels are only required, if you have manually moved some commands to different level, and want to them to be allowed by Tacacs server first before they are allowed to be executed.

Regards,

Prem

VaughanTK
Level 1
Level 1
In response to Premdeep Banga

‎10-12-2007 04:42 AM

Prem,

That seemed to have done the trick.

Thank you

0 Helpful

Premdeep Banga
Level 7
Level 7
In response to VaughanTK

‎10-13-2007 09:43 AM

Please mark this thread as resolved, so that others can benefit from it.

Regards,

Prem

spanglenuts
Level 1
Level 1
In response to Premdeep Banga

‎10-13-2007 11:17 PM

Thanks for all the help Prem...one last thing for this thread.

So we now have in our config...

Aaa new-model

Aaa authentication login default group tacacs+ local

Aaa authorization config-commands

Aaa authorization exec default group tacacs+ local

Aaa authorization commands 15 default group tacacs+ if-authenticated

After we add the 3rd and 5th line to the configuration, we are instantly denied almost all commands. I'm assuming because it is checking with tacacs everytime a command is sent, and the group we are currently in is not one of the new groups with a command authorization set. Is there something we can add so that the old(current) groups will still work if their command authorization sets are not created yet, or is this an all or nothing deal? We would like to be able to create command authorizations sets for one group at a time, and the old/current groups still work.

Thanks for the help!

-Andrew

0 Helpful

Premdeep Banga
Level 7
Level 7
In response to spanglenuts

‎10-14-2007 10:48 AM

Hi Andrew,

As you said that you do not want other groups to be affected. Then for the mean while what you can do is, on all groups under which you have users, whom you don?t want to get affected.

Go to Group Setup > Edit Settings > check "Per Group Command Authorization" and check "Permit" > Submit + Restart.

And once you have configured the commands set, that you want this group should be allowed, select the appropriate one.

This is the only option, because, as soon as you apply the above mentioned commands, as you said, level 15 commands gets verified against the ACS server for authorization.

Regards,

Prem

spanglenuts
Level 1
Level 1
In response to Premdeep Banga

‎10-14-2007 11:37 AM

Thanks Prem! You have been a ton of help.

Do you have any suggestions for where to find information on doing the same thing(Command Set Authorization) for Juniper Routers using Tacacs or Radius?

Thanks again,

Andrew

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents