10-01-2010 03:14 PM - edited 03-10-2019 05:27 PM
We are using ACS ver 4.2 and trying to set up users with limited access to our switches and routers. Here is what we did:
1) Created a user in ACS
2) Created a Shell Command Authorization Set - ReadOnly
Unmatched Commands - Deny
Commands Added
show
exit
* this should limit the user to the show and exit commands only (correct?)
3) Created a group - HelpDesk with the following TACACS+ Settings
Shell (exec) is checked
Privilege level is checked with 15 as the assigned level
Assign a Shell Command Authorization Set for any network device - selected
ReadOnly - shell command authorization set selected
When the user logs on to the router/switch it appears that he has full access. He can enter the enable command, config terminal command, etc. All we want him to be able to do is to issue the show command.
Any help would be appreciated.
10-01-2010 04:53 PM
Can you refer to this doc
and compare the config. From what you say, the ACS config sounds correct; on the switch/router you also need to have the following commands:
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
04-26-2013 11:34 AM
Is there any way to give privilege level 15 and deny write access (write command)?
04-26-2013 12:32 PM
Yes.
You can try this: Privilege for read-only access
Jatin Katyal
- Do rate helpful posts -
04-26-2013 01:39 PM
I tried that and could not get it to work.
I tried the following:
- 1 -
Shell Command Authorization Set
Deny
Unmatched Commands - show
Permit Unmatched Args - checked
Enable Options
Max Privilege for any AAA client - 1
Tacacs+
Shell Command - checked
Privilege level - 1
With the above, the user did not have the ability to do sh run. The user could not turn on privilege commands (enable) - access denied
- 2 -
Shell Command Authorization Set
Deny
Unmatched Commands - show
Permit Unmatched Args - checked
Enable Options
Max Privilege for any AAA client - 15
Tacacs+
Shell Command - checked
Privilege level - 15
With the above, the user had full read/write rights
Any other thoughts?
04-26-2013 02:30 PM
Dtom,
You need to give privilege 15 to both types of users. Now, giving priv 15 does not mean that the read-only user will be able to get full access. Command authorization works above the privilege level.
Set enable and shell priv to 15
The rest of your settings are all OK.
Regards,
~JG
Do rate helpful posts
04-29-2013 08:20 AM
I don't know what I am missing here. When I give privilege 15 the user had full access. Here is what I did:
- 1 -
Create Shell Command Authorization Set - Read_Access
Deny - checked
Unmatched Commands - show
Permit Unmatched Args - checked
- 2 - Create Group - HelpDesk
Enable Options - Max Privilege for any AAA Client 15
Shell (exec) - checked
Shell Command Authorization Set - Assign a Shell Command Set for any network device- Read_Access
- 3 - User Settings
Group to which user is assigned HelpDesk
TACACS+ Enable Control - Use Group Level Settings
Shell Command Authorization Set - As Group
04-29-2013 08:29 AM
Hi,
Are you sure you have this on the device (Switch/Router)?
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
If possible attach a screenshot of the configuration on ACS.
Rate if it helps
04-29-2013 09:07 AM
Here is my switch AAA config:
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 defalt group tacacs+ local
aaa authorization commands 1 defalt group tacacs+ local
aaa authorization commands 15 defalt group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
Here are screen shots for a user - robin.hood
04-29-2013 09:17 AM
Hi,
As per your configuration:
aaa authorization commands 0 defalt group tacacs+ local
aaa authorization commands 1 defalt group tacacs+ local
aaa authorization commands 15 defalt group tacacs+ local
All three lines have:
"defalt instead of default"
I am not sure if you just typed it wrong over here. If this is what you really have, then the IOS will consider this a named method list and will expect you to apply it on the vty or console lines (which is not mandatory, but it will not work until you apply it).
You have to use default, if you don't want method lists.
Rate if useful
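The diagnosis above (a method-list name other than default silently does nothing until it is applied to a line) is easy to check mechanically. The following is an added example, not code from the thread or from Cisco: a small linter that reads an IOS-style AAA configuration, confirms that command authorization is configured for levels 0, 1 and 15 via TACACS+, and flags any named method list that is never applied under a `line vty`/`line con` block. The sample configuration embedded below is constructed to mirror the posted switch config, typo included.

```python
"""Lint IOS AAA command-authorization config for the method-list mistake in the thread.

Added example (not from the page). Assumptions: configuration is in running-config
text form, global statements start in column 0, and statements under a 'line' block
are indented with a space, as IOS prints them.
"""
import re

# Constructed sample: the switch config posted in the thread, with the 'defalt' typo,
# plus a vty block so the line-application check has something to inspect.
BROKEN_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 defalt group tacacs+ local
aaa authorization commands 1 defalt group tacacs+ local
aaa authorization commands 15 defalt group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
line vty 0 4
 login authentication default
"""

# Same config with the method-list name corrected to 'default'.
FIXED_CONFIG = BROKEN_CONFIG.replace("defalt", "default")

CMD_AUTHZ = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")
LINE_HDR = re.compile(r"^line (con|vty|aux)\b")
LINE_AUTHZ = re.compile(r"^\s+authorization commands (\d+) (\S+)$")


def parse(config):
    """Return (level -> (list name, methods), set of (level, list) applied on lines, has config-commands)."""
    global_cmds = {}
    applied = set()
    has_config_commands = False
    in_line_block = False
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            # Global statement: note whether it opens a 'line' block.
            in_line_block = bool(LINE_HDR.match(raw))
            m = CMD_AUTHZ.match(raw)
            if m:
                global_cmds[int(m.group(1))] = (m.group(2), m.group(3).split())
            elif raw == "aaa authorization config-commands":
                has_config_commands = True
            continue
        if in_line_block:
            m = LINE_AUTHZ.match(raw)
            if m:
                applied.add((int(m.group(1)), m.group(2)))
    return global_cmds, applied, has_config_commands


def lint(config, levels=(0, 1, 15)):
    """Return a list of findings; an empty list means command authorization is wired up."""
    global_cmds, applied, has_cc = parse(config)
    findings = []
    if not has_cc:
        findings.append("missing 'aaa authorization config-commands' (config-mode commands not authorized)")
    for lvl in levels:
        if lvl not in global_cmds:
            findings.append(f"no 'aaa authorization commands {lvl}' statement")
            continue
        name, methods = global_cmds[lvl]
        if "tacacs+" not in methods:
            findings.append(f"level {lvl}: method list '{name}' does not use tacacs+")
        if name != "default" and (lvl, name) not in applied:
            findings.append(
                f"level {lvl}: named method list '{name}' is not applied to any line; "
                "command authorization for this level will not take effect"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg) or "OK")
```

Running it on the broken sample reports the three `defalt` lists as unapplied; on the corrected sample it reports nothing. A deliberately named list (for example `aaa authorization commands 15 ADMIN group tacacs+ local`) passes only once `authorization commands 15 ADMIN` appears under a `line` block, which is exactly the condition the reply above describes.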
04-29-2013 11:24 AM
What a dummy I am...typo. I changed the commands and I was able to login and run the show run command. However, I was not able to run exit and dir. What am I missing here? Here is a screen shot:
04-29-2013 11:29 AM
You also need to add permit
OR
You may check the Permit Unmatched Args option for exit and dir
Jatin Katyal
- Do rate helpful posts -
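The behaviour the thread runs into (show works, exit and dir are refused until they are listed) follows from how a shell command authorization set decides each command: a listed command is allowed, its arguments are checked against the per-command entries, and anything not listed falls to the set-level Unmatched Commands setting. The following is an added model of that decision, written for this reply; it is not ACS code. It assumes IOS hands the server the expanded command (so `sh run` arrives as `show running-config`) and that per-command argument entries are matched as regular expressions; both are assumptions, not details from the page. Privilege level and the device-side `aaa authorization commands` lines are outside this model and still have to be in place as discussed above.

```python
"""Model of an ACS 4.x shell command authorization set decision (added example, not ACS code).

Assumptions: the command string is already expanded by IOS, and per-command argument
entries are regular expressions matched against the argument string.
"""
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    command: str
    # (action, regex) pairs in the order entered under the command; action is "permit" or "deny"
    arg_rules: list = field(default_factory=list)
    permit_unmatched_args: bool = False   # the per-command "Permit Unmatched Args" checkbox


@dataclass
class CommandSet:
    unmatched_commands: str = "deny"      # set-level "Unmatched Commands": "permit" or "deny"
    rules: dict = field(default_factory=dict)

    def add(self, command, permit_unmatched_args=False, arg_rules=()):
        self.rules[command] = CommandRule(command, list(arg_rules), permit_unmatched_args)

    def authorize(self, cmdline: str) -> bool:
        words = cmdline.split()
        if not words:
            return False
        cmd, args = words[0], " ".join(words[1:])
        rule = self.rules.get(cmd)
        if rule is None:
            # Command not listed in the set: the set-level default decides.
            return self.unmatched_commands == "permit"
        for action, pattern in rule.arg_rules:
            if re.fullmatch(pattern, args):
                return action == "permit"
        if not args:
            return True                   # the bare command is listed, so it is allowed
        return rule.permit_unmatched_args  # arguments matched no entry


def thread_set():
    """The set from the thread before the fix: only 'show' listed, unmatched commands denied."""
    s = CommandSet(unmatched_commands="deny")
    s.add("show", permit_unmatched_args=True)
    return s


def fixed_set():
    """Same set after adding 'exit' and 'dir' with Permit Unmatched Args.

    As a constructed extra, 'show tech-support' is denied by an argument entry."""
    s = CommandSet(unmatched_commands="deny")
    s.add("show", permit_unmatched_args=True, arg_rules=[("deny", r"tech-support.*")])
    s.add("exit", permit_unmatched_args=True)
    s.add("dir", permit_unmatched_args=True)
    return s


def decisions(cmd_set, commands):
    """Map each command line to the set's permit (True) / deny (False) decision."""
    return {c: cmd_set.authorize(c) for c in commands}


if __name__ == "__main__":
    probe = ["show running-config", "exit", "dir flash:", "configure terminal", "show tech-support"]
    print("before fix:", decisions(thread_set(), probe))
    print("after fix: ", decisions(fixed_set(), probe))
```

One consequence worth checking in your own sets: a listed command with Permit Unmatched Args left unchecked and no argument entries allows only the bare command, so `show` would pass but `show running-config` would not.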
04-29-2013 01:21 PM
That was it. Thanks.
So, what is the easiest way to restrict a user to access only a certain device or certain subnet only?
04-29-2013 01:29 PM
Read this doc:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
Jatin Katyal
- Do rate helpful posts -