Authorization Issue

Answered Question
Apr 29th, 2008

I've been trying to set up a read-only group that allows certain users to log in at privilege level 3 and issue several commands, i.e., show run. The user group in the ACS is correct and here are the configuration lines in the device:


aaa authorization config-commands

aaa authorization exec default group tacacs+ local none

aaa authorization commands 1 default group tacacs+ local if-authenticated

aaa authorization commands 3 default group tacacs+ local if-authenticated

aaa authorization commands 15 default group tacacs+ local if-authenticated


When a user with priv level 15 logs in, authorization works fine. The debug messages show authorization requests going to the ACS and the appropriate responses are returned. However, when a level 3 user logs in, authorization for the commands that user has access to (show run) fails. I noted that the device did not send any request to ACS.

Correct Answer by Jagdeep Gambhir about 8 years 11 months ago

Chuck,

Best way to set it up is to give all users priv lvl 15 and then define what commands each user can execute.

Note: Having priv 15 does not mean that the user will be able to issue all commands.

We will set up command authorization on ACS to have control over users.


Please see this link,

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml


Regards,

~JG


Do rate helpful posts

Jagdeep Gambhir Tue, 04/29/2008 - 06:19
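One way to lay out the approach from the accepted answer on the device, added here as an example (it is not from the original posts or from the linked Cisco document). The server address, key, group names, and command-set name are constructed placeholders, and the ACS field names in the comments are assumptions that may differ by ACS version.

```cisco
! Added example. 192.0.2.10 and <TACACS-KEY> are placeholders (assumptions).
aaa new-model
!
tacacs-server host 192.0.2.10 key <TACACS-KEY>
!
! Authenticate against ACS; use local accounts only if ACS is unreachable.
aaa authentication login default group tacacs+ local
!
! Exec authorization: ACS returns priv-lvl=15 for every group, including the
! read-only one. The trailing "none" from the question is omitted here
! (assumption: skipping authorization on fallback is not wanted).
aaa authorization exec default group tacacs+ local
!
! IOS authorizes a command at the privilege level the command is assigned to.
! "show running-config" is a level 15 command by default, so a level 3 session
! is refused by the parser and no "commands 3" request ever reaches ACS.
! With every session at level 15, these two lines cover what users type;
! "if-authenticated" is omitted for the same reason as "none" above.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Send configuration-mode commands to ACS as well.
aaa authorization config-commands
!
! ACS side (set in the ACS GUI, shown as comments; names are hypothetical):
!   Group "ReadOnly":
!     Shell (exec): enabled, Privilege level: 15
!     Shell Command Authorization Set "ReadOnlyCmds":
!       Unmatched Commands: Deny
!       Command "show"  arguments: permit running-config
!                       unmatched arguments: deny
!   Group "Admins":
!     Shell (exec): enabled, Privilege level: 15
!     Shell Command Authorization Set: permit all commands
```

To verify, log in as a read-only user with `debug aaa authorization` enabled and confirm that `show running-config` produces a request that ACS passes while `configure terminal` produces one that ACS fails.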