ACS Read Only Device Access

Answered Question
Oct 1st, 2010

We are using ACS ver 4.2 and trying to set up users with limited access to our switches and routers.  Here is what we did:


1) Created a user in ACS


2) Created Shell Command Authorization Set - ReadOnly

          Unmatched Commands - Deny

          Commands Added

               show

               exit

          * this should limit the user to the show and exit commands only (correct?)


3) Created a group - HelpDesk with the following TACACS+ Settings

          Shell (exec) is checked

          Privilege level is checked with 15 as the assigned level

          Assign a Shell Command Authorization Set for any network device - selected

          ReadOnly - shell command authorization set selected


When the user logs on to the router/switch it appears that he has full access.  He can enter the enable command, config terminal command, etc.  All we want him to be able to do is to issue the show command.


Any help would be appreciated.

Correct Answer
aneelaka Fri, 10/01/2010 - 16:53

Can you refer to this doc

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml


and compare the config. From what you say, the ACS config sounds correct; on the switch/router you also need to have the following commands:


aaa authorization config-commands
aaa authorization commands 0 default  group tacacs+ local
aaa authorization commands 1 default  group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

dtom Fri, 04/26/2013 - 11:34

Is there any way to give privilege level 15 and deny write access (write command)?

dtom Fri, 04/26/2013 - 13:39

I tried that and could not get it to work.


I tried the following:


- 1 -

Shell Command Authorization Set


Deny

Unmatched Commands - show

Permit Unmatched Args - checked


Enable Options

Max Privilege for any AAA client - 1


Tacacs+

Shell Command - checked

Privilege level - 1


With the above, the user did not have the ability to do sh run.  The user could not turn on privilege commands (enable) - access denied


- 2 -

Shell Command Authorization Set


Deny

Unmatched Commands - show

Permit Unmatched Args - checked


Enable Options

Max Privilege for any AAA client - 15


Tacacs+

Shell Command - checked

Privilege level - 15


With the above, the user had full read/write rights


Any other thoughts?

Jagdeep Gambhir Fri, 04/26/2013 - 14:30
User Badges:
  • Red, 2250 points or more

Dtom,


You need to give privilege 15 to both types of users. Now, giving priv 15 does not mean that the read-only user will be able to get full access. Command authorization works above the privilege level.


Set enable and shell priv to 15


The rest of your settings are all OK.



Regards,

~JG


Do rate helpful posts

dtom Mon, 04/29/2013 - 08:20

I don't know what I am missing here.  When I give privilege 15 the user had full access.  Here is what I did:


- 1 -

Create Shell Command Authorization Set - Read_Access

  Deny - checked

  Unmatched Commands - show

  Permit Unmatched Args - checked


- 2 - Create Group - HelpDesk

  Enable Options - Max Privilege for any AAA Client 15

  Shell (exec) - checked

  Shell Command Authorization Set - Assign a Shell Command Set for any network device- Read_Access


- 3 -  User Settings

  Group to which user is assigned HelpDesk

  TACACS+ Enable Control - Use Group Level Settings

  Shell Command Authorization Set - As Group

edwjames Mon, 04/29/2013 - 08:29
User Badges:
  • Silver, 250 points or more

Hi,


Are you sure you have this on the device (Switch/Router)?


aaa authorization config-commands
aaa authorization commands 0 default  group tacacs+ local
aaa authorization commands 1 default  group tacacs+ local
aaa authorization commands 15 default group tacacs+ local


If possible attach a screenshot of the configuration on ACS.


Rate if it helps

dtom Mon, 04/29/2013 - 09:07

Here is my switch AAA config:


aaa authentication login default group tacacs+ local

aaa authorization config-commands

aaa authorization exec default group tacacs+ local

aaa authorization commands 0 defalt group tacacs+ local

aaa authorization commands 1 defalt group tacacs+ local

aaa authorization commands 15 defalt group tacacs+ local

aaa accounting commands 15 default start-stop group tacacs+

Here are screen shots for a user - robin.hood




edwjames Mon, 04/29/2013 - 09:17
User Badges:
  • Silver, 250 points or more

Hi,


As per your configuration:

aaa authorization commands 0 defalt group tacacs+ local

aaa authorization commands 1 defalt group tacacs+ local

aaa authorization commands 15 defalt group tacacs+ local



All three lines have:

"defalt instead of default"


I am not sure if you just typed it wrong over here; if this is what you really have, then IOS will consider this a named method list and will expect you to apply it on the vty or console lines (which is not mandatory, but it will not work until you apply it).


You have to use default, if you don't want method lists.

Rate if useful
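The typo edwjames points out can be caught before it reaches a switch. The following is an added example (not from this thread or from Cisco) that parses an IOS config, using the config posted above as constructed sample input, and reports command-authorization method lists that are named anything other than default but are never applied under a line section; the function name and finding strings are my own.

```python
import re

# Constructed sample: the switch AAA config posted above, including the
# "defalt" typo, followed by a vty section that never applies that named list.
SAMPLE_CONFIG = """\
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 defalt group tacacs+ local
aaa authorization commands 1 defalt group tacacs+ local
aaa authorization commands 15 defalt group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
line vty 0 4
 login authentication default
"""

AUTHZ_CMD = re.compile(r"^aaa authorization commands (\d+) (\S+) ")
LINE_APPLY = re.compile(r"^\s+authorization commands (\d+) (\S+)")


def audit_command_authorization(config, levels=(0, 1, 15)):
    """Return findings about command-authorization coverage in an IOS config.

    Only the method list named 'default' applies automatically. Any other
    name (a real list, or a typo such as 'defalt') is inert until a line
    section applies it, so command authorization is silently off.
    """
    lines = config.splitlines()
    defined = {}    # privilege level -> method list name
    applied = set() # (level, list name) pairs applied under a line section
    for line in lines:
        m = AUTHZ_CMD.match(line)
        if m:
            defined[int(m.group(1))] = m.group(2)
            continue
        m = LINE_APPLY.match(line)
        if m:
            applied.add((int(m.group(1)), m.group(2)))
    findings = []
    if "aaa authorization config-commands" not in lines:
        findings.append("config-commands authorization is not enabled")
    for level in levels:
        name = defined.get(level)
        if name is None:
            findings.append(f"privilege {level}: no command authorization")
        elif name != "default" and (level, name) not in applied:
            findings.append(f"privilege {level}: list '{name}' is never applied to a line")
    return findings
```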

dtom Mon, 04/29/2013 - 11:24

What a dummy I am...typo.  I changed the commands and I was able to log in and run the show run command.  However, I was not able to run exit and dir.  What am I missing here?  Here is a screen shot:


Correct Answer
Jatin Katyal Mon, 04/29/2013 - 11:29
User Badges:
  • Cisco Employee,

You also need to add a permit for exit and dir with Permit Unmatched Args.


OR


You may check the Permit Unmatched Args option for exit and dir.



Jatin Katyal


- Do rate helpful posts -
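As an added example (not from this thread or from ACS itself), here is a simplified model of how a shell command authorization set decides a command line: the dictionary layout, the matching order and the READ_ONLY_V1/READ_ONLY_V2 sets are my own assumptions, constructed to mirror dtom's first set (only show) and the one Jatin suggests (show, exit and dir with unmatched args permitted).

```python
import re


def authorize(cmd_set, command_line):
    """Authorize one IOS command line against a shell command authorization set.

    cmd_set models an ACS 4.x set (simplified; an assumption, not ACS code):
      unmatched_commands: "permit" or "deny" for commands that are not listed
      commands: {name: {"args": [(verdict, regex), ...],
                        "permit_unmatched_args": bool}}
    The device sends the first word as the command and the rest as its
    arguments; argument rules are tried in order and the first match wins.
    """
    words = command_line.split()
    if not words:
        return "deny"
    name, args = words[0], " ".join(words[1:])
    rule = cmd_set["commands"].get(name)
    if rule is None:
        return cmd_set["unmatched_commands"]
    for verdict, pattern in rule["args"]:
        if re.search(pattern, args):
            return verdict
    return "permit" if rule["permit_unmatched_args"] else "deny"


# Constructed sets: the first lists only 'show', as in the thread's first
# attempt; the second also lists 'exit' and 'dir' with unmatched args permitted.
READ_ONLY_V1 = {
    "unmatched_commands": "deny",
    "commands": {"show": {"args": [], "permit_unmatched_args": True}},
}
READ_ONLY_V2 = {
    "unmatched_commands": "deny",
    "commands": {
        "show": {"args": [], "permit_unmatched_args": True},
        "exit": {"args": [], "permit_unmatched_args": True},
        "dir": {"args": [], "permit_unmatched_args": True},
    },
}
```

With the first set, show running-config is permitted but exit and dir fall through to the Unmatched Commands deny, which is exactly the symptom reported above; configuration and write commands stay denied with either set.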

dtom Mon, 04/29/2013 - 13:21

That was it.  Thanks.


So, what is the easiest way to restrict a user to access only a certain device or certain subnet only?
