02-05-2007 06:29 AM - edited 03-10-2019 02:58 PM
Hi Everyone,
I have a situation that is driving me crazy.
I am using Cisco Freeware TACACS running on RedHat
Enterprise Linux 3. I've modified the source code
so that I can assign each individual user his/her
own enable password. So far so good.
I create two groups: group_A and group_S. group_A
is for advanced users and group_S is for super
users. Users that belong to group_A can have
privilege level 15 but there are certain commands
that they cannot perform, such as "write mem"
or "reload". Users that belong to group_S can do
EVERYTHING.
Here is my configuration in the TACACS configuration
file:
user = xyz {
    member = admin
    name = "User X"
    login = des 6.z8oIm9UGHo
}
user = $xyz$ {
    member = admin
    name = "User X"
    login = des c2bUC43cmsac.
}
user = abc {
    member = advanced
    name = "User abc"
    login = cleartext "cisco123"
}
user = $abc$ {
    member = advanced
    name = "User abc"
    login = cleartext "cisco123"
}
group = advanced {
    default service = deny
    cmd = show { permit .* }
    cmd = copy { permit flash }
    cmd = copy { permit running }
    cmd = ping { permit .* }
    cmd = configure { permit .* }
    cmd = enable { permit .* }
    cmd = disable { permit .* }
    cmd = telnet { permit .* }
    cmd = disconnect { permit .* }
    cmd = where { permit .* }
    cmd = set { permit .* }
    cmd = clear { permit line }
    cmd = exit { permit .* }
}
group = admin {
    default service = permit
}
Configuration of the router:
aaa new-model
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication login web local enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec TAC start-stop group tacacs+
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 TAC start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 TAC start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 10 TAC start-stop group tacacs+
aaa accounting commands 15 TAC start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa session-id common
line vty 0 15
    exec-timeout 0 0
    authorization commands 0 VTY
    authorization commands 1 VTY
    authorization commands 15 VTY
    authorization exec VTY
    accounting commands 0 VTY
    accounting commands 1 VTY
    accounting commands 15 VTY
    accounting exec VTY
    login authentication VTY
However, what I would like to do is to assign users
in group_A the ability to go into "configuration t"
but I do NOT want them to have the ability to perform
"no tacacs-server host x.x.x.x key cisco". Furthermore,
I would like to do everything via TACACS; I don't
want to configure "privilege level" on the router itself.
Is that possible? Thanks.
David
02-09-2007 10:09 AM
Command Authorization Sets: Command authorization sets provide a centralized mechanism to manage TACACS+ administrative control. Driven by some of the largest enterprise and service provider networks that use Cisco Secure ACS, command authorization sets provide a method to group and name device command profiles that can be paired with users, groups of users, or network device groups. A key benefit of command authorization sets is the ability to remove any requirement of individual privilege level or command restrictions on each AAA client. This feature greatly enhances the scalability and manageability of setting device command authorization restrictions for network administrators.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_note09186a00800ada4c.html
02-09-2007 07:15 PM
You sound like a sales guy. I am not interested
in Cisco Secure ACS. I am using Freeware
TACACS and I would like to know how I can do
this with Freeware TACACS. Thanks.
David
02-13-2007 07:39 AM
Hi,
First you will need "aaa authorization config-commands" on the device.
Next you will have to set up group_a to permit everything except deny "write mem", "tacacs-server", etc.
HTH
Regards,
Vivek
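The rule set Vivek describes (permit configuration mode, but deny "write", "reload" and anything touching "tacacs-server") can be checked offline before it is loaded into the daemon. The block below is an added example, not David's modified tac_plus or any code from the thread: it encodes an assumed "advanced" group as data, with the equivalent tac_plus.conf stanza in the docstring, and models the daemon's per-command matching as I understand it (first matching regex in a `cmd = X { ... }` stanza wins, the regex is searched unanchored against the space-joined arguments, `default service` applies only when no stanza exists for the command word, and a stanza whose regexes all miss denies). IOS sends the expanded command ("configure terminal", not "conf t") followed by a final `<cr>` argument, which is why the model appends `<cr>` and why the stanzas use full keywords. The group name, the exact stanza list and the `MISORDERED` group are assumptions for illustration; verify the matching semantics against the tac_plus build you actually run. The `unreachable_rules` check catches the classic mistake of writing `permit .*` before the `deny` lines in the `cmd = no` stanza, which silently re-enables "no tacacs-server ...". On the router side this still needs `aaa authorization config-commands`, as Vivek says, so that commands entered in configuration mode are sent for authorization at all.

```python
"""Model of tac_plus per-command authorization for a "configuration allowed,
but not these commands" group.  Added example; not the poster's daemon.

Equivalent tac_plus.conf stanza (assumed group name and command list):

    group = advanced {
        default service = deny
        cmd = show          { permit .* }
        cmd = configure     { permit ^terminal }
        cmd = interface     { permit .* }
        cmd = ip            { permit .* }
        cmd = exit          { permit .* }
        cmd = write         { deny .* }
        cmd = reload        { deny .* }
        cmd = tacacs-server { deny .* }
        cmd = no            { deny ^tacacs-server
                              deny ^aaa
                              permit .* }
    }
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

Rule = Tuple[str, str]  # ("permit" | "deny", regex tried against the argument string)


@dataclass
class Group:
    default: str                  # "permit" or "deny": used when no cmd stanza matches the word
    cmds: Dict[str, List[Rule]]   # command word -> ordered rules, first match wins


# Assumed "advanced" group: config mode allowed, destructive/AAA-related commands denied.
ADVANCED = Group(
    default="deny",
    cmds={
        "show":          [("permit", r".*")],
        "configure":     [("permit", r"^terminal")],
        "interface":     [("permit", r".*")],
        "ip":            [("permit", r".*")],
        "exit":          [("permit", r".*")],
        "write":         [("deny",   r".*")],
        "reload":        [("deny",   r".*")],
        "tacacs-server": [("deny",   r".*")],
        # Deny lines must come before the catch-all permit: first match wins.
        "no":            [("deny", r"^tacacs-server"), ("deny", r"^aaa"), ("permit", r".*")],
    },
)

# Constructed counter-example: the same intent with the rules in the wrong order.
MISORDERED = Group(
    default="deny",
    cmds={"no": [("permit", r".*"), ("deny", r"^tacacs-server")]},
)


def authorize(group: Group, command_line: str) -> Tuple[str, str]:
    """Return (decision, reason) for one command as IOS would submit it.

    Modelled tac_plus behaviour (assumption, verify against your build): the
    first word is the command, the rest are arguments joined by spaces with a
    trailing "<cr>" as IOS sends it; rules in the matching stanza are tried
    in order with an unanchored regex search; no stanza -> default service;
    stanza present but nothing matched -> deny.
    """
    words = command_line.split()
    if not words:
        return "deny", "empty command"
    cmd, args = words[0], " ".join(words[1:] + ["<cr>"])
    rules = group.cmds.get(cmd)
    if rules is None:
        return group.default, f"no 'cmd = {cmd}' stanza; default service = {group.default}"
    for action, pattern in rules:
        if re.search(pattern, args):
            return action, f"cmd = {cmd}: first match is '{action} {pattern}'"
    return "deny", f"cmd = {cmd}: no regex matched"


def unreachable_rules(group: Group) -> List[str]:
    """Flag rules that can never fire because an earlier '.*' rule in the same
    stanza already matches every argument string."""
    findings = []
    for cmd, rules in group.cmds.items():
        for i, (action, pattern) in enumerate(rules):
            if pattern == ".*" and i < len(rules) - 1:
                for later_action, later_pattern in rules[i + 1:]:
                    findings.append(
                        f"cmd = {cmd}: '{later_action} {later_pattern}' is unreachable after '{action} .*'"
                    )
                break
    return findings


if __name__ == "__main__":
    # Constructed sample session, mirroring what an advanced user would type.
    for line in ("show running-config", "configure terminal", "interface Loopback0",
                 "no shutdown", "write memory", "reload",
                 "no tacacs-server host 192.168.15.101 key cisco", "ping 10.0.0.1"):
        decision, why = authorize(ADVANCED, line)
        print(f"{decision:6} {line:50} ({why})")
    for finding in unreachable_rules(MISORDERED):
        print("WARNING:", finding)
```

Run it as a pre-commit check on the rule table before editing the real tac_plus.conf: every command you expect to be permitted or denied becomes one line in the sample session, and `unreachable_rules` refuses a stanza whose deny lines are shadowed. Note that `default service = deny` is why "int lo0" fails in the session later in this thread: with no `cmd = interface` stanza, the word is refused regardless of the configure permit.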
02-14-2007 10:14 AM
Hi Vivek,
What you provided worked wonderfully. It works very well with my Freeware TACACS+. Check this
out:
CiscoIOS#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CiscoIOS(config)#int lo0
Command authorization failed.
^
% Invalid input detected at '^' marker.
CiscoIOS(config)#no tacacs-server host 192.168.15.101 key cisco
Command authorization failed.
% Incomplete command.
CiscoIOS(config)#
Thanks again.
02-14-2007 10:17 AM
Hi,
Glad it worked. Do rate.
Regards,
Vivek
04-03-2007 08:18 AM
Hi David,
I have some questions about command authorization sets in CS ACS.
I want to control many line commands in global configuration mode, such as aaa, username, and crypto. ACS doesn't permit this with command authorization sets. Do you know how I can control these commands?
Thanks