11-10-2009 08:17 AM - edited 03-10-2019 04:47 PM
I'm trying to set up an authorization set to restrict users to certain commands. However, it seems like it works for some commands, but not for others.
In ENABLE mode, the auth set seems to work properly. However, once I get into CONFIG mode, it no longer works. I can run any command.
What am I missing that could be causing this?
Also, note that I have this auth set assigned to a group.
Thanks.
Jason
11-10-2009 08:23 AM
It seems that you are missing this command,
aaa authorization config-command
Regards,
~JG
Do rate helpful posts
11-10-2009 08:43 AM
That might be it, the command isn't there.
I'll try it and let you know if that was it.
Thanks.
Jason
11-10-2009 10:37 AM
Adding
aaa authorization config-command
worked.
However, I've got another issue (I think).
Other groups have "none" selected for the auth sets. When I log in as a user in one of those groups, I get an access denied error when I enter ANY command.
The only way that I've been able to work around this is to set the group to use group based command sets and permit everything.
Is there something else that I missed or is this necessary?
Here are my current AAA settings:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa authorization exec no_tacacs none
aaa authorization config-command
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
Thanks.
Jason
11-10-2009 10:45 AM
Expected behavior, since we have selected none in the authorization set...that is = no access.
You need to make a new set for limited group allowing certain commands.
Check this link,
Regards,
~JG
Do rate helpful posts
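An added example, not part of the original thread or written by either poster: a small Python check that reads IOS AAA lines and reports the gap found above, where command authorization is configured but `aaa authorization config-command` is absent. The function name, finding codes and the two sample configs are assumptions constructed from the lines posted in the thread.

```python
import re

# Constructed input: the AAA authorization lines posted in the thread, minus
# "aaa authorization config-command" (the state before the fix).
BEFORE_FIX = """\
aaa new-model
aaa authorization exec default group tacacs+ none
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
"""
AFTER_FIX = BEFORE_FIX + "aaa authorization config-command\n"

CMD_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")


def audit_command_authorization(config):
    """Return (code, detail) findings for IOS command authorization."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    levels = {}
    for ln in lines:
        m = CMD_RE.match(ln)
        if not m:
            continue
        level, methods = int(m.group(1)), m.group(3).split()
        levels[level] = methods
        # The last method is only reached when the earlier ones return an
        # error (e.g. server unreachable), not when the server denies.
        if methods[-1] in ("none", "if-authenticated"):
            findings.append(("open-fallback", f"level {level}: {methods[-1]}"))
    if not levels:
        findings.append(("no-command-authorization",
                         "no 'aaa authorization commands' lines"))
    elif "aaa authorization config-command" not in lines:
        # Symptom from the thread: EXEC commands are checked against the
        # command set, but anything typed in config mode is allowed.
        findings.append(("config-mode-unchecked",
                         "add 'aaa authorization config-command'"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(name)
        for code, detail in audit_command_authorization(cfg):
            print(f"  {code}: {detail}")
```

The `open-fallback` findings are informational: they mark where an authenticated user is authorized without a command-set check while the TACACS+ server is unreachable.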