AAA with CatOS and ACS (shell command authorization set)

Nov 14th, 2007

Hi,


I have an ACS that authenticates and authorizes IOS devices.

I use "shell command authorization set" to authorize some commands for some groups.


Is it possible to do so with CatOS?

For example, I'd like the group FULL to access all commands and the group LOW to access only "sho" commands.


Regards,

ROMS

Jagdeep Gambhir Wed, 11/14/2007 - 14:32

Roms,

Concept remains the same for IOS and CAT OS. You need to define command author set for cat os.



Regards,

~JG

rdubo Thu, 11/15/2007 - 04:20

Hi,


OK, and what should be the configuration of the switches? I see there are few available commands for CatOS...

Regards

somishra Thu, 11/15/2007 - 04:58
User Badges:
  • Cisco Employee,

Hi,


The following command is required to enable command authorization on a set-based switch:


set authorization commands enable [config | all] tacacs+ [deny | none] [console | telnet | both]


tnx

somishra

Jagdeep Gambhir Thu, 11/15/2007 - 06:02

Console> (enable) set tacacs server [IP] [primary]

set tacacs key [key]

set tacacs attempts [number] (optional)

set localuser user [user] password [password] privilege 15

set authentication login local enable

set authentication login tacacs enable [all | console | http | telnet] [primary]

set authorization exec enable tacacs+ [deny | none] [console | telnet | both]

set authorization commands enable [config | all] tacacs+ [deny | none] [console | telnet | both]



regards,

~JG

Jagdeep Gambhir Thu, 11/15/2007 - 06:10

Here is the sample screenshot. Also note that CAT OS does not support local AAA fallback until version 7.5, when the 'set localuser' command was introduced.


Regards,

~JG


Do rate helpful posts
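How the FULL/LOW command sets asked about in this thread interact with the [deny | none] fallback of `set authorization commands enable all tacacs+ ...`, as an added example that is not from any poster or from Cisco. It is a simplified Python model: the group sets, sample commands and function names are constructed, and it assumes `deny` refuses and `none` proceeds without authorization when the TACACS+ server does not respond.

```python
from dataclasses import dataclass, field


@dataclass
class CommandSet:
    """Simplified stand-in (assumption) for an ACS shell command authorization set."""
    permit_unmatched: bool                        # default for commands not listed
    permitted: set = field(default_factory=set)   # keywords allowed with any arguments

    def allows(self, command_line: str) -> bool:
        words = command_line.split()
        if not words:
            return False
        # Matches on the first keyword exactly as the server receives it.
        return self.permit_unmatched or words[0].lower() in self.permitted


# Constructed groups matching the question: FULL gets everything, LOW only "show".
GROUP_SETS = {
    "FULL": CommandSet(permit_unmatched=True),
    "LOW": CommandSet(permit_unmatched=False, permitted={"show"}),
}


def switch_decision(group, command_line, fallback, server_up=True):
    """Outcome for one command when every command is sent for authorization ('all')."""
    if fallback not in ("deny", "none"):
        raise ValueError("fallback must be 'deny' or 'none'")
    if server_up:
        return "permit" if GROUP_SETS[group].allows(command_line) else "deny"
    # No TACACS+ reply: 'none' proceeds without authorization, 'deny' refuses.
    return "permit" if fallback == "none" else "deny"


def matrix(fallback):
    """All combinations of group, sample command and server state for one fallback."""
    rows = []
    for group in ("FULL", "LOW"):
        for cmd in ("show port status", "set vlan 10 2/1"):   # constructed samples
            for up in (True, False):
                rows.append((group, cmd, up, switch_decision(group, cmd, fallback, up)))
    return rows


if __name__ == "__main__":
    for fb in ("deny", "none"):
        print(f"fallback={fb}")
        for group, cmd, up, result in matrix(fb):
            print(f"  {group:4} server_up={up!s:5} {cmd:18} -> {result}")
```

With `none`, the LOW restriction only holds while the ACS is reachable; with `deny`, an outage blocks every command on the affected access method, FULL users included.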


