Users authorized commands

rrcarter79 · ‎01-15-2003

I want to restrict some users to "show running-config" command.

I have created a Shell Command Authorization Set with "show" command "permit running-config". Under the TACACS+ setting the Shell (exec) is selected and Privilege level with a value of 5. The SCAS is associated to the username.

Config on a Router:

aaa new-model

aaa authentication login vty group tacacs+ local

aaa authentication login console line

aaa authentication enable default group tacacs+ enable

aaa authorization exec vty group tacacs+ local

aaa authorization commands 5 vty group tacacs+

...

line vty 0 4

exec-timeout 30 0

password ***Deleted****

authorization exec vty

login authentication vty

The user gets the privilege of 5 when logged in but is unable to execute the command show running-config.

Thanks

4brown · ‎01-15-2003

sh run is a priv lvl 15 command by default. You can change it to level 5 with the:

privilege exec level 5 show running-config

command.

rrcarter79 · ‎01-15-2003

Yes that does work, but I would rather set this up using the Shell Command Authorization Set with the ACS server.

There are many more commands to include for different users and configuring every router and switch with each command required is a very large task.

How is this done with Shell Command Authorization Sets?

Thanks

4brown · ‎01-15-2003

Do you have:

authorization commands 5 vty

on the line vty ports? Wasn't specified in your earlier post.

rrcarter79 · ‎01-15-2003

Sorry - yes it is.

4brown · ‎01-15-2003

Try quoting "running-config"

If that doesn't work, try just permitting "run".

Pasting debug aaa authorization and debug tacacs+ may help identify the issue.

rrcarter79 · ‎01-15-2003

Using quotes does not work. The parameters inclosed in quotes disappears.

So I tried just permit run.

I logged in with username "username".

I gain access and get a priv of 5 and a # sign prompt.

Issue a sho run and receive an error.

------ Login Session ----------

Username: username

Password:

LabrtrB#sho priv

Current privilege level is 5

LabrtrB#

LabrtrB#sho run

^

% Invalid input detected at '^' marker.

LabrtrB#

Here are the debugs:

LabrtrB#debug aaa authorization

AAA Authorization debugging is on

LabrtrB#

Jan 15 22:11:52.728: tty2 AAA/AUTHOR/EXEC (3878016830): Port='tty2' list='vty' service=EXEC

Jan 15 22:11:52.728: AAA/AUTHOR/EXEC: tty2 (3878016830) user='username'

Jan 15 22:11:52.728: tty2 AAA/AUTHOR/EXEC (3878016830): send AV service=shell

Jan 15 22:11:52.728: tty2 AAA/AUTHOR/EXEC (3878016830): send AV cmd*

Jan 15 22:11:52.728: tty2 AAA/AUTHOR/EXEC (3878016830): found list "vty"

Jan 15 22:11:52.728: tty2 AAA/AUTHOR/EXEC (3878016830): Method=tacacs+ (tacacs+)

Jan 15 22:11:52.728: AAA/AUTHOR/TAC+: (3878016830): user=username

Jan 15 22:11:52.728: AAA/AUTHOR/TAC+: (3878016830): send AV service=shell

Jan 15 22:11:52.728: AAA/AUTHOR/TAC+: (3878016830): send AV cmd*

Jan 15 22:11:52.932: AAA/AUTHOR (3878016830): Post authorization status = PASS_ADD

Jan 15 22:11:52.932: AAA/AUTHOR/EXEC: Processing AV service=shell

Jan 15 22:11:52.932: AAA/AUTHOR/EXEC: Processing AV cmd*

Jan 15 22:11:52.932: AAA/AUTHOR/EXEC: Processing AV priv-lvl=5

Jan 15 22:11:52.932: AAA/AUTHOR/EXEC: Authorization successful

Jan 15 22:12:49.963: AAA/MEMORY: free_user (0x629A26BC) user='username' ruser=''

port='tty2' rem_addr='x.x.x.x' authen_type=ASCII service=LOGIN priv=1

LabrtrB#debug tacacs

TACACS access control debugging is on

LabrtrB#

Jan 15 22:13:50.599: TAC+: send AUTHEN/START packet ver=192 id=1365478173

Jan 15 22:13:50.599: TAC+: Using default tacacs server-group "tacacs+" list.

Jan 15 22:13:50.599: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5

Jan 15 22:13:50.599: TAC+: Opened TCP/IP handle 0x62A8E470 to x.x.x.x/49

Jan 15 22:13:50.599: TAC+: x.x.x.x (1365478173) AUTHEN/START/LOGIN/ASCII queued

Jan 15 22:13:50.799: TAC+: (1365478173) AUTHEN/START/LOGIN/ASCII processed

Jan 15 22:13:50.799: TAC+: ver=192 id=1365478173 received AUTHEN status = GETUSER

Jan 15 22:13:53.499: TAC+: send AUTHEN/CONT packet id=1365478173

Jan 15 22:13:53.503: TAC+: x.x.x.x (1365478173) AUTHEN/CONT queued

Jan 15 22:13:53.703: TAC+: (1365478173) AUTHEN/CONT processed

Jan 15 22:13:53.703: TAC+: ver=192 id=1365478173 received AUTHEN status = GETPASS

Jan 15 22:13:55.435: TAC+: send AUTHEN/CONT packet id=1365478173

Jan 15 22:13:55.435: TAC+: x.x.x.x (1365478173) AUTHEN/CONT queued

Jan 15 22:13:55.635: TAC+: (1365478173) AUTHEN/CONT processed

Jan 15 22:13:55.635: TAC+: ver=192 id=1365478173 received AUTHEN status = PASS

Jan 15 22:13:55.635: TAC+: Closing TCP/IP 0x62A8E470 connection to x.x.x.x/49

Jan 15 22:13:55.635: TAC+: using previously set server x.x.x.x from group tacacs+

Jan 15 22:13:55.635: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5

Jan 15 22:13:55.639: TAC+: Opened TCP/IP handle 0x62A8E8FC to x.x.x.x/49

Jan 15 22:13:55.639: TAC+: Opened x.x.x.x index=1

Jan 15 22:13:55.639: TAC+: x.x.x.x (305665778) AUTHOR/START queued

Jan 15 22:13:55.839: TAC+: (305665778) AUTHOR/START processed

Jan 15 22:13:55.839: TAC+: (305665778): received author response status = PASS_ADD

Jan 15 22:13:55.839: TAC+: Closing TCP/IP 0x62A8E8FC connection to x.x.x.x/49

Jan 15 22:13:55.839: TAC+: Received Attribute "priv-lvl=5"

4brown · ‎01-16-2003

The IOS doesn't recognize the command because you are coming in at Privilege Level 5. If you don't want to use the Privilege Exec command, try this. Assign this group Privilege Level 15, and enforce authorization for priv 15:

aaa authorization commands 15 vty tacacs+

line vty 0 4

authorization commands 15 vty

Then, for this group, deny all the commands you want. sh run will be permitted since they are priv 15, but the commands you deny in the ACS will be denied.

rrcarter79 · ‎01-17-2003

Actually I assigned the priv level 15 to the user.

router config:

aaa authorization commands 15 vty group tacacs+

line vty 0 4

exec-timeout 30 0

password 7 082C5F4B05180719171F

authorization commands 15 vty

authorization exec vty

login authentication vty

Then for the user I allow the command sho running-config. Since this is the only priv level 15 command the user can run, it shows the configuration.

So the commands don't have to be assigned to a different level. This process assigns the onyl commands the user can execute.

Understanding this now lets me customize the commands any user can execute. This is what I was wanting to do.

Thanks for the help! I have a much better understanding now.

rrcarter79 · ‎01-17-2003

I spoke too soon.

I am not able to control the configuration commands.

For example letting a user only change description on a line.

4brown · ‎01-17-2003

Command authorization for config mode commands needs to be permitted:

aaa authorization config-commands

If this is not enabled, once in config mode, no requests are sent to the AAA server.

rrcarter79 · ‎01-17-2003

I've added aaa authorization config-commands to no avail.

I assume it will authorize config-commands against the command authorization set.

The only config-command that I have in the command authorization set is "location"

4brown · ‎01-17-2003

Post debug aaa author showing it fail...

rrcarter79 · ‎01-21-2003

Here is the login session and debug. I have allowed "config" with "permit term" and "location".

I don't want the user to access the interfaces or lines.

Login:

Unauthorized access is strictly prohibited!

User Access Verification

Username: username

Password:

LabrtrB#config t

Enter configuration commands, one per line. End with CNTL/Z.

LabrtrB(config)#line vty 0 4

LabrtrB(config-line)#ex

% Ambiguous command: "ex"

LabrtrB(config-line)#exit

LabrtrB(config)#

LabrtrB(config)#end

LabrtrB#

Debug:

LabrtrB#debug aaa authorization

AAA Authorization debugging is on

LabrtrB#

Jan 21 11:51:02.300: AAA: parse name=tty3 idb type=-1 tty=-1

Jan 21 11:51:02.300: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0

Jan 21 11:51:02.300: AAA/MEMORY: create_user (0x629B4624) user='' ruser='' port='tty3' rem_addr='16.47.225.189' authen_type=ASCII service=LOGIN priv=1

Jan 21 11:51:11.960: tty3 AAA/AUTHOR/EXEC (559394384): Port='tty3' list='vty' service=EXEC

Jan 21 11:51:11.960: AAA/AUTHOR/EXEC: tty3 (559394384) user='username'

Jan 21 11:51:11.960: tty3 AAA/AUTHOR/EXEC (559394384): send AV service=shell

Jan 21 11:51:11.960: tty3 AAA/AUTHOR/EXEC (559394384): send AV cmd*

Jan 21 11:51:11.960: tty3 AAA/AUTHOR/EXEC (559394384): found list "vty"

Jan 21 11:51:11.960: tty3 AAA/AUTHOR/EXEC (559394384): Method=tacacs+ (tacacs+)

Jan 21 11:51:11.960: AAA/AUTHOR/TAC+: (559394384): user=username

Jan 21 11:51:11.960: AAA/AUTHOR/TAC+: (559394384): send AV service=shell

Jan 21 11:51:11.960: AAA/AUTHOR/TAC+: (559394384): send AV cmd*

Jan 21 11:51:12.164: AAA/AUTHOR (559394384): Post authorization status = PASS_ADD

Jan 21 11:51:12.164: AAA/AUTHOR/EXEC: Processing AV service=shell

Jan 21 11:51:12.164: AAA/AUTHOR/EXEC: Processing AV cmd*

Jan 21 11:51:12.164: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15

Jan 21 11:51:12.164: AAA/AUTHOR/EXEC: Authorization successful

Jan 21 11:51:15.188: tty3 AAA/AUTHOR/CMD (3225337257): Port='tty3' list='vty' service=CMD

Jan 21 11:51:15.188: AAA/AUTHOR/CMD: tty3 (3225337257) user='username'

Jan 21 11:51:15.192: tty3 AAA/AUTHOR/CMD (3225337257): send AV service=shell

Jan 21 11:51:15.192: tty3 AAA/AUTHOR/CMD (3225337257): send AV cmd=configure

Jan 21 11:51:15.192: tty3 AAA/AUTHOR/CMD (3225337257): send AV cmd-arg=terminal

Jan 21 11:51:15.192: tty3 AAA/AUTHOR/CMD (3225337257): send AV cmd-arg=

Jan 21 11:51:15.192: tty3 AAA/AUTHOR/CMD (3225337257): found list "vty"

Jan 21 11:51:15.192: tty3 AAA/AUTHOR/CMD (3225337257): Method=tacacs+ (tacacs+)

Jan 21 11:51:15.192: AAA/AUTHOR/TAC+: (3225337257): user=username

Jan 21 11:51:15.192: AAA/AUTHOR/TAC+: (3225337257): send AV service=shell

Jan 21 11:51:15.192: AAA/AUTHOR/TAC+: (3225337257): send AV cmd=configure

Jan 21 11:51:15.192: AAA/AUTHOR/TAC+: (3225337257): send AV cmd-arg=terminal

Jan 21 11:51:15.192: AAA/AUTHOR/TAC+: (3225337257): send AV cmd-arg=

Jan 21 11:51:15.392: AAA/AUTHOR (3225337257): Post authorization status = PASS_ADD

Jan 21 11:51:20.420: AAA/AUTHOR: config command authorization not enabled

Jan 21 11:51:26.816: AAA/AUTHOR: config command authorization not enabled

Jan 21 11:51:32.408: AAA/AUTHOR: config command authorization not enabled

Jan 21 11:51:32.408: %SYS-5-CONFIG_I: Configured from console by username on vty1 (16.47.225.189)

Jan 21 11:51:42.128: %SYS-4-SNMP_WRITENET: SNMP WriteNet request. Writing current configuration to 16.22.4.5un all

Jan 21 11:51:48.048: tty2 AAA/AUTHOR/CMD (1731012520): Port='tty2' list='vty' service=CMD

Jan 21 11:51:48.048: AAA/AUTHOR/CMD: tty2 (1731012520) user='admin'

Jan 21 11:51:48.048: tty2 AAA/AUTHOR/CMD (1731012520): send AV service=shell

Jan 21 11:51:48.048: tty2 AAA/AUTHOR/CMD (1731012520): send AV cmd=undebug

Jan 21 11:51:48.048: tty2 AAA/AUTHOR/CMD (1731012520): send AV cmd-arg=all

Jan 21 11:51:48.048: tty2 AAA/AUTHOR/CMD (1731012520): send AV cmd-arg=

Jan 21 11:51:48.048: tty2 AAA/AUTHOR/CMD (1731012520): found list "vty"

Jan 21 11:51:48.048: tty2 AAA/AUTHOR/CMD (1731012520): Method=tacacs+ (tacacs+)

Jan 21 11:51:48.048: AAA/AUTHOR/TAC+: (1731012520): user=admin

All possible debugging has been turned off

LabrtrB#

Jan 21 11:51:48.048: AAA/AUTHOR/TAC+: (1731012520): send AV service=shell

Jan 21 11:51:48.048: AAA/AUTHOR/TAC+: (1731012520): send AV cmd=undebug

Jan 21 11:51:48.048: AAA/AUTHOR/TAC+: (1731012520): send AV cmd-arg=all

Jan 21 11:51:48.048: AAA/AUTHOR/TAC+: (1731012520): send AV cmd-arg=

Jan 21 11:51:48.252: AAA/AUTHOR (1731012520): Post authorization status = PASS_ADD

4brown · ‎01-21-2003

You need to have config-command authorization as specified in the previous post so it sends commands in config mode to the aaa server for approval. Note in your post, config command authorization is not configured.

Once it is, it will send each command in config mode to be permitted or denied to the AAA server. So if you want to deny access to line or interfaces, then specify these commands denied in the server.

When you enable it, look at your debug aaa authorization, you should see if the command is allowed or denied in the authorization status. That tells you if you have configuration issues in the AAA server.