Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

AAA Authorization - ACS 3.0.2 on Win2K

Hi,

I want to restrict my Helpdesk 1st level support to these commands only:

show ver

show running-config

sh ip interface brief

ping

traceroute

logout

help

I created a Shell Command Authorization Set with only these commands available and associate these commands to a network group device. i don't want them to have enable privilege access. i assigned the users as priv level 5 on the acs server. I have these config on my switches/routers.

aaa new-model

aaa authentication login default group tacacs+

aaa authentication login admin local

aaa authorization exec default group tacacs+

aaa authorization commands 5 default group tacacs+

aaa accounting send stop-record authentication failure

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

I don't understand why it doest work. My Helpdesk users still able to access enable privilege access and have a lot more commands under priv level 5. Anybody can point me on the right direction?

thanks,

jonathan

12 REPLIES
Cisco Employee

Re: AAA Authorization - ACS 3.0.2 on Win2K

Difficult to say without seeing the TACACS server config. What do you mean that you associated the command set with a Network Device Group? You should associate the command set with a user or a group of users, not with devices.

Under the user or group profile you'd need the following:

- Shell (exec) checked

- Privilege level set to 5

- "Assign a Shell Command Authorization Set for any network device" selected

Then under the Shell Command Authorization Set:

- Unmatched Commands set to Deny

- "show" in the left hand window, with "permit ver", "permit running-config" and "permit ip interface brief" in the right hand window, and Permit Unmatched Args unchecked

- "ping" in the left hand window, with nothing in the right hand window and Permit Unmatched Args checked.

- "traceroute" same as for "ping"

- "logout" in the left hand window, nothing in the right hand window

New Member

Re: AAA Authorization - ACS 3.0.2 on Win2K

Hi,

I redo my tacacs server config and did what you have outlined with the same config on my cisco device.

During login, the privilege is at level 5 alright but the commands available are that of level one. Moreso, "enable" command is also available and if the user knows the enable password, this user will have access the global config and configuration config. Isn't the tacacs config you have outlined would limit the user to those commands only?

Im at loss right now. :)

Cisco Employee

Re: AAA Authorization - ACS 3.0.2 on Win2K

OK. You're doing authorization for level 5 commands on this router, but you haven't actually put any commands in at level 5. Even though the user comes in at level 5, all commands are still either at level 1 or 15. If you want to limit the users, just do:

> aaa authorization commands 1 default group tacacs

This way all commands they type in will be authorized against the TACACS server. Make sure that you allow a back-door to get you into enable mode, otherwise you may well lock yourself out of this router. Ensure that you have at least one other user that has no command restrictions set, or better yet, do the following:

> aaa authentication login console none

> aaa authorization commands 1 console none

> line con 0

> login authentication console

> authorization commands 1 console

This way your console port will always be open.

New Member

Re: AAA Authorization - ACS 3.0.2 on Win2K

Hi,

Actually I want to put specific commands on level 5 that a user can only issue. My problem is that, do i have to do that on the router/switches or on the tacacs server. I only want to have these users these commands:

show version

show running-config

show ip interface brief

ping

traceroute

Can you show me how to configure this at level 5?

Thanks,

jonathan

New Member

Re: AAA Authorization - ACS 3.0.2 on Win2K

Use the privilege-exec command in the devices such as:

privilege-exec level 5 show version

Cisco Employee

Re: AAA Authorization - ACS 3.0.2 on Win2K

You can either put them into level 5 on the router itself, as the previous person said, or just do it how I told you. This way all commands entered will be authorized against the TACACS server, and only the ones you have specifically entered will be allowed for those users with a Shell Command Authorization set against them. For everyone else you can simply allow all commands to be entered.

New Member

Re: AAA Authorization - ACS 3.0.2 on Win2K

Hi,

Thanks for all your help. I have it finally running. Well, except for the blank page display for issuing 'sh run' from lower level privilege. i've read somewhere that it will only show what the user has configured. but since lower level users have no rights to do configuration, there is nothing to show. is there any workaround to this?

New Member

Re: AAA Authorization - ACS 3.0.2 on Win2K

Check this out: http://www.cisco.com/warp/public/63/showrun.shtml

It may help you.

New Member

Re: AAA Authorization - ACS 3.0.2 on Win2K

Thank you. These are all of great help.

New Member

Re: AAA Authorization - ACS 3.0.2 on Win2K

Hi,

I have another set of problem. I have this for my NAS config:

aaa new-model

aaa authentication login default group tacacs+ none

aaa authentication login no_authen none

aaa authorization exec default group tacacs+ none

aaa authorization commands 0 group tacacs+ none

aaa authorization commands 1 group tacacs+ none

aaa authorization commands 15 group tacacs+ none

aaa authorization config-commands

the config works fine with telnet access. now im having a problem doing console. how will i do it so that these authorizations will not be applied to my console. Meaning, i want to have full privilege if i connect to console.

Many thanks,

jonathan

New Member

Re: AAA Authorization - ACS 3.0.2 on Win2K

Jonathan,

The 4th reply, by gfullage, in this conversation tells how to do this.

gfullage recommends:

Ensure that you have at least one other user that has no command restrictions set, or better yet, do the following:

> aaa authentication login console none

> aaa authorization commands 1 console none

> line con 0

> login authentication console

> authorization commands 1 console

This way your console port will always be open.

New Member

Re: AAA Authorization - ACS 3.0.2 on Win2K

Thank you.

180
Views
0
Helpful
12
Replies
CreatePlease login to create content