Authorization Set Not Working Properly

Answered Question
Nov 10th, 2009

I'm trying to set up an authorization set to restrict users to certain commands. However, it seems like it works for some commands, but not for others.

In ENABLE mode, the auth set seems to work properly. However, once I get into CONFIG mode, it no longer works. I can run any command.

What am I missing that could be causing this?

Also, note that I have this auth set assigned to a group.

Thanks.

Jason

Correct Answer by Jagdeep Gambhir about 7 years 1 month ago

Expected behavior, since we have selected none in the authorization set...that is = no access.

You need to make a new set for limited group allowing certain commands.

Check this link,

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Regards,

~JG

Do rate helpful posts

Overall Rating: 5 (1 ratings)
Jagdeep Gambhir Tue, 11/10/2009 - 08:23

It seems that you are missing this command,

aaa authorization config-command

Regards,

~JG

Do rate helpful posts

jason.williams@... Tue, 11/10/2009 - 08:43

That might be it, the command isn't there.

I'll try it and let you know if that was it.

Thanks.

Jason

jason.williams@... Tue, 11/10/2009 - 10:37

Adding

aaa authorization config-command

worked.

However, I've got another issue (I think).

Other groups have "none" selected for the auth sets. When I log in as a user in one of those groups, I get an access denied error when I enter ANY command.

The only way that I've been able to work around this is to set the group to use group based command sets and permit everything.

Is there something else that I missed or is this necessary?

Here are my current AAA settings:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa authorization exec no_tacacs none
aaa authorization config-command
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

Thanks.

Jason
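
The gap found in this thread (command authorization enforced in ENABLE mode but not in CONFIG mode) can be checked for in a saved configuration. The script below is an added example, not part of the original posts; the function name and the sample text are assumptions, with the sample constructed from the AAA settings quoted above as they would have looked before the fix.

```python
import re

# Constructed sample: the thread's AAA lines as they stood before
# "aaa authorization config-command" was added.
SAMPLE_BEFORE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ none
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
"""

CMD_AUTHZ = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")
# IOS stores the keyword as "config-commands"; the thread writes the
# abbreviated "config-command", so both spellings are accepted.
CONFIG_AUTHZ = re.compile(r"^aaa authorization config-commands?$")

def audit_command_authorization(config_text):
    """Return findings about IOS command authorization in config_text."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []
    levels = {}  # privilege level -> methods of the "default" list
    for ln in lines:
        m = CMD_AUTHZ.match(ln)
        if m and m.group(2) == "default":
            levels[int(m.group(1))] = m.group(3).split()
    if not levels:
        findings.append("no 'aaa authorization commands <level> default' lines")
        return findings
    if not any(CONFIG_AUTHZ.match(ln) for ln in lines):
        findings.append("config-mode commands are not authorized: "
                        "missing 'aaa authorization config-command'")
    if 15 not in levels:
        findings.append("level 15 commands are not authorized")
    for level, methods in sorted(levels.items()):
        # Methods listed after "group tacacs+" are only tried when the
        # server does not respond, not when it denies a command.
        fallback = [m for m in methods if m in ("none", "if-authenticated")]
        if fallback:
            findings.append(f"level {level}: falls back to '{fallback[0]}' "
                            "when TACACS+ does not respond")
    return findings

if __name__ == "__main__":
    for finding in audit_command_authorization(SAMPLE_BEFORE):
        print("-", finding)
```
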
