AAA with CatOS and ACS (shell command authorization set)

Unanswered Question
Nov 14th, 2007

Hi,

I have an ACS that authenticates and authorizes IOS devices.

I use "shell command authorization set" to authorize some commands for some groups.

Is it possible to do so with CatOS?

For example, I'd like the group FULL to be able to access all commands and the group LOW to only access "sho" commands.

Regards,

ROMS

Jagdeep Gambhir Wed, 11/14/2007 - 14:32

Roms,

Concept remains the same for IOS and CAT OS. You need to define command author set for cat os.

Regards,

~JG

rdubo Thu, 11/15/2007 - 04:20

Hi,

Ok, and what should be the configuration of the switches? I see there are few available commands for CatOS...

Regards

somishra Thu, 11/15/2007 - 04:58

Hi,

The following command is required to enable command authorization on a set-based switch:

set authorization commands enable [config | all] tacacs+ [deny | none] [console | telnet | both]

tnx

somishra

Jagdeep Gambhir Thu, 11/15/2007 - 06:02

Console> (enable) set tacacs server [IP] [primary]

set tacacs key [key]

set tacacs attempts [number] (optional)

set localuser user [user] password [password] privilege 15

set authentication login local enable

set authentication login tacacs enable [all | console | http | telnet] [primary]

set authorization exec enable tacacs+ [deny | none] [console | telnet | both]

set authorization commands enable [config | all] tacacs+ [deny | none] [console | telnet | both]

regards,

~JG

Jagdeep Gambhir Thu, 11/15/2007 - 06:10

Here is the sample screenshot. Also note that CatOS does not support local AAA fallback until version 7.5, when the 'set localuser' command was introduced.

Regards,

~JG

Do rate helpful posts
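
Added example, not part of the original thread or any poster's configuration: a small Python audit that reads a CatOS configuration dump and reports which of the AAA lines posted above are missing or weakly set. It assumes the command syntax exactly as posted, that the fallback keyword `none` lets a request through when the TACACS+ server does not answer, and that `config` limits authorization to configuration commands; the function name `audit` and the sample configuration are constructed for illustration.

```python
import re

# Syntax as posted in the thread:
# set authorization {exec|commands} enable [config|all] tacacs+ [deny|none] [console|telnet|both]
AUTHZ = re.compile(r"set authorization (exec|commands) enable (?:(config|all) )?"
                   r"tacacs\+ (deny|none) (console|telnet|both)$")
REQUIRED = {  # line prefix -> finding reported when no line starts with it
    "set tacacs server ": "no TACACS+ server defined",
    "set tacacs key ": "no TACACS+ key defined",
    "set localuser user ": "no local user for fallback login (CatOS 7.5+)",
    "set authentication login tacacs enable": "TACACS+ login authentication not enabled",
}

def audit(config_text):
    """Return sorted findings for a CatOS configuration dump (empty list = clean)."""
    lines = [" ".join(l.split()) for l in config_text.splitlines() if l.strip()]
    findings = [msg for prefix, msg in REQUIRED.items()
                if not any(l.startswith(prefix) for l in lines)]
    covered = {"exec": set(), "commands": set()}
    for line in lines:
        m = AUTHZ.match(line)
        if not m:
            continue
        kind, scope, fallback, access = m.groups()
        covered[kind] |= {"console", "telnet"} if access == "both" else {access}
        if scope == "config":
            findings.append(f"{access}: only configuration commands are sent for authorization")
        if fallback == "none":  # assumption: 'none' lets the request through if the server is down
            findings.append(f"{access}: {kind} authorization fails open (fallback 'none')")
    for kind, paths in covered.items():
        for path in ("console", "telnet"):
            if path not in paths:
                findings.append(f"{kind} authorization not enabled on {path}")
    return sorted(findings)

# Constructed sample, not taken from a real switch.
SAMPLE = """
set tacacs server 192.0.2.10 primary
set tacacs key EXAMPLE-KEY
set localuser user admin password EXAMPLE privilege 15
set authentication login local enable
set authentication login tacacs enable all primary
set authorization exec enable tacacs+ deny both
set authorization commands enable config tacacs+ none telnet
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the constructed sample this reports that command authorization is missing on the console and that the telnet line both fails open and covers configuration commands only.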
