Filtering Priv 15 commands!

Answered Question
May 28th, 2009

Hi all, can I filter priv 15 configuration commands using ACS 3.3? Suppose I want the "interface tunnel" command to be filtered so that none of my users in priv 15 is able to use this command!

Is this possible using ACS 3.3?

Correct Answer by Jagdeep Gambhir, Fri, 05/29/2009 - 12:33

The trick here is to give all users priv 15 and then define a command authorization set as per your need.

Giving priv 15 does not mean that the user will be able to execute all commands. You can set up an authorization set and allow only the specific commands you want the user to be able to execute.



This is what you need on the IOS device:

Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands


On ACS, bring users/groups in at level 15:

1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field




Please see this link:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml



Regards,

~JG


Do rate helpful posts


illusion_rox Mon, 06/01/2009 - 00:29

Dear Sir, can you tell me how to perform local authorization? If I don't have an external server, then how can I use local authorization to restrict the usage of commands on a per-user basis?

Kindly guide me in this.

illusion_rox Tue, 06/02/2009 - 20:08

Dear JG, it's so good to see you. Thanks a lot for looking into this. Sir, I know how to change the priv of any command. Kindly look into my task, please.

I want to assign a user priv 4.

I want him to run ONLY AND ONLY "show interfaces", restricting ALL OTHER COMMANDS; EACH AND EVERY COMMAND should be restricted. A user in priv 4 should run only "show interfaces" and, for exiting, the "exit" command. That's it, no other commands should be available to him.

Sir, kindly tell me, is this possible? Can you provide me some sample configuration to achieve this task?

Note: I don't want to use any external server for this task, just local authorization.

Jagdeep Gambhir Wed, 06/03/2009 - 07:05

You need this command:

privilege exec level 4 show interfaces

Then increase the priv lvl of the rest of the commands that have priv lvl 0 and 1:

privilege level 0 - Includes the disable, enable, exit, help, and logout commands.

privilege level 1 - Normal level on Telnet; includes all user-level commands at the router> prompt.


Regards,

~JG


Do rate helpful posts
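The priv-4 case from this thread carried through as a complete local-only IOS configuration, added here as an example and not taken from any post above. It assumes the user names "admin" and "monitor", the placeholders in angle brackets are replaced with real secrets, the IOS image supports the "all" keyword of the privilege command (12.0(22)S / 12.2(13)T or later), and the list of raised level-1 commands is illustrative rather than exhaustive.

```ios
! Added example (not from the thread): confine a local user to privilege 4
! where only "show interfaces" and the level-0 "exit" work, no TACACS+ server.
! Assumes user names "admin"/"monitor" and an IOS with "privilege ... all".
aaa new-model
aaa authentication login default local
! EXEC authorization against the local database drops each user straight
! into the level from its "username ... privilege" entry.
aaa authorization exec default local
!
username admin privilege 15 secret <admin-secret>
username monitor privilege 4 secret <monitor-secret>
!
! Step 1: raise the whole "show" tree above level 4. The "all" keyword walks
! every subcommand; without it only the bare "show" keyword would move.
privilege exec all level 15 show
!
! Step 2: re-lower the single exception. This also makes the "show" keyword
! itself available at level 4 again, while every other "show ..." stays at 15.
privilege exec level 4 show interfaces
!
! Step 3: move the remaining default level-1 EXEC commands out of reach.
! Illustrative set only; log in as "monitor", type "?" and raise whatever
! the router still lists.
privilege exec level 15 ping
privilege exec level 15 traceroute
privilege exec level 15 telnet
privilege exec level 15 ssh
privilege exec level 15 connect
!
! Level-0 commands (disable, enable, exit, help, logout) can be raised the
! same way, but leave "exit" at 0 so the user can still log off, and think
! twice before raising "enable": that is the escalation path for admins who
! land at a lower level (e.g. console login without this AAA exec list).
!
! Verification from the admin session: the restricted user's level and the
! command-level map are both visible here.
! show running-config | include privilege
! show running-config | include username
```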



