
Authorization Set Not Working Properly

jason.williams
Level 1

I'm trying to set up an authorization set to restrict users to certain commands. However, it seems like it works for some commands, but not for others.

In ENABLE mode, the auth set seems to work properly. However, once I get into CONFIG mode, it no longer works. I can run any command.

What am I missing that could be causing this?

Also, note that I have this auth set assigned to a group.

Thanks.

Jason


Jagdeep Gambhir
Level 10

It seems that you are missing this command,

aaa authorization config-command

Regards,

~JG

Do rate helpful posts

That might be it, the command isn't there.

I'll try it and let you know if that was it.

Thanks.

Jason

Adding

aaa authorization config-command

worked.

However, I've got another issue (I think).

Other groups have "none" selected for the auth sets. When I log in as a user in one of those groups, I get an access denied error when I enter ANY command.

The only way that I've been able to work around this is to set the group to use group based command sets and permit everything.

Is there something else that I missed or is this necessary?

Here are my current AAA settings:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa authorization exec no_tacacs none
aaa authorization config-command
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

Thanks.

Jason

Expected behavior, since we have selected none in the authorization set...that is = no access.

You need to make a new set for the limited group allowing certain commands.

Check this link,

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Regards,

~JG

Do rate helpful posts
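
An added example, not part of the original thread and not Cisco tooling: a small Python audit of the AAA lines posted above that flags the gap this thread was about (command authorization configured without aaa authorization config-command), plus two related checks on fallback methods and command accounting coverage. The function name and finding codes are invented for this illustration, and the sample input is a subset of the configuration quoted in the thread.

```python
import re

# AAA lines taken from the thread. BEFORE is the state in which config-mode
# commands were not being restricted; AFTER adds the line that fixed it.
BEFORE = """\
aaa new-model
aaa authorization exec default group tacacs+ none
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
"""
AFTER = BEFORE + "aaa authorization config-command\n"

CMD_RE = re.compile(r"^aaa (authorization|accounting) commands (\d+) (\S+) (.+)$")

def audit_aaa(config):
    """Return (code, detail) findings for an IOS AAA configuration (hypothetical codes)."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    authz, acct_levels = {}, set()
    for ln in lines:
        m = CMD_RE.match(ln)
        if not m:
            continue
        kind, level, list_name, methods = m.groups()
        if kind == "authorization":
            authz[(int(level), list_name)] = methods.split()
        else:
            acct_levels.add(int(level))
    findings = []
    # Without this line, commands typed in config mode skip authorization.
    if authz and "aaa authorization config-command" not in lines:
        findings.append(("NO_CONFIG_CMD_AUTHZ",
                         "config-mode commands are not sent for authorization"))
    for (level, list_name), methods in sorted(authz.items()):
        # Later methods in a list are tried only when the server gives no answer.
        for fallback in ("if-authenticated", "none"):
            if fallback in methods[1:]:
                findings.append(("PERMISSIVE_FALLBACK",
                    f"level {level} ({list_name}): '{fallback}' applies if TACACS+ is unreachable"))
        if level not in acct_levels:
            findings.append(("NO_CMD_ACCOUNTING",
                f"level {level} ({list_name}): commands authorized but not accounted"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, *audit_aaa(cfg), sep="\n  ")
```

The fallback and accounting findings are informational: they describe what the posted configuration does, and whether that is acceptable depends on local policy.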
