
AAA Authorization design

mbonner (Level 1)

I'm configuring several switches and routers for TACACS with ACS SE. I need three levels of access; the groups are as follows:

1. Normal read-only access.

2. Full access with the exception of config t.

3. Full access.

What would be the best way to achieve this goal? I can see that if I create Shell Command Authorization Sets on the ACS, I can configure one for group 1 and one for group 3. But will I be able to for group 2? Is there a way to allow all, but explicitly block one command? Following this page: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml leads me to believe that the capability may exist, but I have no way to confirm at the moment.

Accepted Solution

Please see the attachment.

After the implementation the user will be able to do everything except config t.

Regards,

~JG

Do rate helpful post
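A worked model of the "allow everything except config t" command set, as an added example; it is not the ACS configuration from the attachment (which is not reproduced on this page). The class below is an assumption about how a TACACS+ server evaluates a shell command authorization set: a command that is not listed gets the set's default verdict, a listed command's arguments are checked against ordered permit/deny patterns, and arguments that match nothing get that command's own default. IOS sends each command to the server fully expanded (cmd=configure, cmd-arg=terminal), so a rule on "configure terminal" also catches "conf t". The three group policies and the sample command lines are constructed for the example.

```python
import re

PERMIT, DENY = "permit", "deny"


class CommandSet:
    """One shell command authorization set (assumed model, see lead-in).

    unmatched_commands: verdict for a command keyword that is not listed.
    commands: {keyword: {"args": [(verdict, regex), ...],
                         "unmatched_args": verdict}}
    Argument patterns are tried in order; the first full match wins.
    If no pattern matches, the command's own "unmatched_args" verdict applies.
    """

    def __init__(self, unmatched_commands, commands=None):
        self.unmatched_commands = unmatched_commands
        self.commands = commands or {}

    def authorize(self, command_line):
        """Return PERMIT or DENY for one expanded IOS command line."""
        words = command_line.split()
        if not words:
            return DENY
        keyword, args = words[0], " ".join(words[1:])
        rule = self.commands.get(keyword)
        if rule is None:
            return self.unmatched_commands
        for verdict, pattern in rule["args"]:
            if re.fullmatch(pattern, args):
                return verdict
        return rule["unmatched_args"]


# Constructed policies for the three groups in the question.
GROUPS = {
    # 1. Read-only: deny every command except a short permit list.
    "readonly": CommandSet(DENY, {
        "show":   {"args": [], "unmatched_args": PERMIT},
        "exit":   {"args": [], "unmatched_args": PERMIT},
        "logout": {"args": [], "unmatched_args": PERMIT},
    }),
    # 2. Everything except "configure terminal": permit unmatched commands,
    #    list only "configure" and deny its "terminal" argument.
    "no_config_t": CommandSet(PERMIT, {
        "configure": {"args": [(DENY, r"terminal")], "unmatched_args": PERMIT},
    }),
    # 3. Full access: permit unmatched commands, nothing listed.
    "full": CommandSet(PERMIT),
}


def authorize(group, command_line):
    """Verdict for one command line under one group's command set."""
    return GROUPS[group].authorize(command_line)


# Constructed sample commands, written as IOS sends them after expansion.
SAMPLE_COMMANDS = [
    "show running-config",
    "show ip interface brief",
    "configure terminal",
    "configure memory",      # also rewrites the running configuration
    "reload",
]


def decision_table():
    """Evaluate every sample command against every group."""
    return {
        cmd: {group: authorize(group, cmd) for group in GROUPS}
        for cmd in SAMPLE_COMMANDS
    }


if __name__ == "__main__":
    for cmd, verdicts in decision_table().items():
        print(f"{cmd:26s}", "  ".join(f"{g}={v}" for g, v in verdicts.items()))
```

The "configure memory" row shows the gap left by denying only the "terminal" argument: configure memory, configure network and configure replace also change the running configuration, so a group that must never change configuration should list configure with no permit entries and an unmatched-argument verdict of deny. Likewise the read-only group can still run show running-config, which includes the TACACS+ key; add a deny entry such as (DENY, r"running-config.*") under show if that matters.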

4 Replies

Jagdeep Gambhir (Level 10)

With command authorization you can control every single command that a user should be allowed to run. It covers all modes: enable, user and config mode.

I will post the screen shot shortly.

Regards,

~JG


Quick follow-up question: what configuration is required on the switch/router for that functionality?

Here is the config required for setting up AAA authentication and authorization (global configuration mode):

! Local fallback account, used only when no TACACS+ server answers.
! "password" stores the credential reversibly; "username [username] secret [password]" stores a hash instead.
username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
! Log in against TACACS+, fall back to the local user database if the servers are unreachable.
aaa authentication login default group tacacs+ local
! if-authenticated applies only when no server responds (not when ACS returns a deny):
! during a server outage an authenticated user gets every command, including config t.
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
! Also send commands typed inside configuration mode to the server for authorization.
aaa authorization config-commands

All the best !

Regards,

~JG