ACS command authorization

May 9th, 2008
I'm not able to configure command authorization. I followed the pattern that you sent on the forum; I did the same, but still the user is able to do all the tasks.


I made a command authorization set as mentioned, with show permitted and unmatched arguments denied,


because I want the user to be able to run only show commands.


The user has level 1 permission; it is also showing me in TACACS+ administration that the user has level 1 permission.


I did the following configuration on the Cisco router for command authorization:


aaa new-model
aaa authentication login default group tacacs+ local

aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa authorization config-commands


Many times I have assigned the user level 1 privilege in the group setting, but still it is showing me in TACACS+ administration with privilege level 15.







Jagdeep Gambhir Mon, 05/12/2008 - 05:36

Hi Wasim,

If you are using command authorization then the privilege level doesn't matter.


The best way to set it up is to give all users priv lvl 15 and then define which commands the user can execute.


Note: Having priv 15 does not mean that the user will be able to issue all commands.


We will set up command authorization on ACS to have control over users.


This is how your config should look:


aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands

aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+



Regards,

~JG

Do rate helpful posts

wasiimcisco Mon, 05/12/2008 - 12:18
Thanks for the reply, but unfortunately it is not working for me.


I have made a group 10 and added a user to it. I have made a command set and called it in the shell command section.


The user has priv 15, but when I enter the above-mentioned commands, I am not able to do anything;


I'm getting the following error:


PDC-Srv-3750-2(config)#aaa authorization config-commands
% Authorization failed.

PDC-Srv-3750-2(config)#
PDC-Srv-3750-2(config)#aaa accounting commands 1 default start-stop group tacacs+
% Authorization failed.


Even my current session is not allowing me to do anything.


A new telnet session is also not accepting the username/password that is configured in ACS.

Jagdeep Gambhir Mon, 05/12/2008 - 13:15

Wasim,

You need to make another shell command set that allows all commands.


Make a command set called admin, click the PERMIT radio button and hit submit/apply.


Now go to the group you are part of and map the newly created set.


It will now let you issue all commands.



Regards,

~JG
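As an added illustration (not code from this thread, from Cisco or from ACS), the following Python model shows how a Shell Command Authorization Set decides a TACACS+ command-authorization request: the show-only set from the question, the permit-all admin set suggested above, and a stricter variant with per-argument rules. The matching behaviour is a simplified assumption modelled on the ACS 4.x options (Unmatched Commands permit/deny, the Permit Unmatched Args box, ordered permit/deny argument patterns) and assumes the device sends full, unabbreviated command names.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CommandEntry:
    """One command in the set, e.g. 'show', with its argument rules."""
    command: str
    arg_rules: list = field(default_factory=list)  # [("permit"|"deny", regex), ...]
    permit_unmatched_args: bool = False            # the "Permit Unmatched Args" box


@dataclass
class CommandSet:
    name: str
    unmatched_commands: str = "deny"  # the Unmatched Commands Permit/Deny radio button
    entries: list = field(default_factory=list)


def authorize(cmd_set, command_line):
    """Decide one command-authorization request; returns (decision, reason)."""
    parts = command_line.split()
    if not parts:
        return "deny", "empty command"
    cmd, args = parts[0], " ".join(parts[1:])
    for entry in cmd_set.entries:
        if entry.command != cmd:
            continue
        # Assumed: first matching argument rule wins, in the order listed.
        for action, pattern in entry.arg_rules:
            if re.search(pattern, args):
                return action, f"'{cmd}' args matched rule {action} {pattern!r}"
        # Assumed: a bare command with no arguments has nothing left to deny.
        if not args or entry.permit_unmatched_args:
            return "permit", f"'{cmd}' permitted, no argument rule needed"
        return "deny", f"'{cmd}' args {args!r} unmatched and unmatched args denied"
    return cmd_set.unmatched_commands, f"'{cmd}' not in set; default {cmd_set.unmatched_commands}"


# Constructed sets mirroring the thread: show-only (show with any arguments,
# everything else denied), the permit-all admin set, and a show set that
# refuses the running config but permits any other show argument.
SHOW_ONLY = CommandSet("show-only", unmatched_commands="deny",
                       entries=[CommandEntry("show", permit_unmatched_args=True)])
ADMIN = CommandSet("admin", unmatched_commands="permit")
SHOW_NO_RUN = CommandSet("show-no-run", entries=[
    CommandEntry("show", arg_rules=[("deny", r"^running-config"), ("permit", ".*")])])


def check(cmd_set, lines):
    """Run a constructed session through a set; returns [(line, decision), ...]."""
    return [(line, authorize(cmd_set, line)[0]) for line in lines]
```

With `aaa authorization config-commands` enabled, a configuration-mode line such as `aaa authorization config-commands` is itself sent for authorization, so under the show-only set it is denied, which is the "% Authorization failed." seen earlier in the thread.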



wasiimcisco Mon, 05/12/2008 - 13:39
Thanks for the guideline,


but I'm still confused, because I have three groups, one with admin users that have access to all network devices, and for them there is no command set on this group.


This device belongs to a group that has a command set that allows only show commands, but earlier this device was not allowing anyone to connect except the users of this group, and those users could only run show commands.


Why was this device not allowing admin to log in? After I removed the old show command set and made a new command set with all permit, it let me in.


I want the admin group to access all devices and do all things, and one group to access specific devices and perform only specific tasks, but admin on these devices can do all admin tasks.


One thing more: please tell me, I also want to authenticate the user at the time of login and at the time of enable mode. Right now the user is able to log in by giving the local enable password; I also want to authenticate the user with the enable password defined on ACS.


How do I define the enable password on ACS, and how do I configure enable authentication on the device?

wasiimcisco Mon, 05/12/2008 - 14:47
Everything is working fine for me, but I am not able to configure enable mode authentication. I have set the ACS user password in the TACACS+ options tab


and configured the device for enable mode authentication:


aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacasc+
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands

aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+



But still, after login the user is only able to enter enable mode by giving the locally configured password, not the password configured in ACS.


Please help me out with how to configure the device so that both login and enable authentication are controlled by ACS.



gabrielbryson Tue, 05/20/2008 - 09:41
Hi JG,

I also tried what you said and it works. However, this is a nice workaround to the problem of getting ACS to do command authorization at other, lower command levels; surely we should be able to implement this at other levels, so that when we do auditing it reports the real level. I created a command auth set, applied it to a user who has level 15 access, and it works well. I then changed the user's level to something lower, using the same command set, and it will not work??

Any ideas??
