Cisco Support Community
Community Member

AAA Authorization design

I'm configuring several switches and routers for TACACS with ACS SE. I have a need to do three levels of access; the groups are as follows:

1. Normal read-only access.

2. Full access with the exception of config t.

3. Full access.

What would be the best way to achieve this goal? I can see that if I create Shell Command Authorization sets on the ACS, I can configure one for group 1 and one for group 3. But will I be able to for group 2? Is there a way to allow all but explicitly block one command? Following this page: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml leads me to believe that the capability may exist, but I have no way to confirm at the moment.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: AAA Authorization design

Please see the attachment.

After the implementation the user will be able to do everything except config t.

Regards,

~JG

Do rate helpful post

4 REPLIES

Re: AAA Authorization design

With command authorization you can control every single command that you want the user to be allowed. It covers all modes: enable, user and config mode.

I will post the screen shot shortly.

Regards,

~JG


Community Member

Re: AAA Authorization design

Quick follow-up question, what configuration is required on the switch/router for that functionality?

Re: AAA Authorization design

Here is the config required for setting up AAA authentication and authorization.

Router(config)#
! Local fallback account, used only when the TACACS+ server cannot be reached
username [username] password [password]
! TACACS+ server (the ACS) and the shared secret
tacacs-server host [ip]
tacacs-server key [key]
! Enable the AAA command set
aaa new-model
! Login: try TACACS+ first, fall back to the local user database
aaa authentication login default group tacacs+ local
! Exec (shell) authorization and per-command authorization for privilege 1 and 15
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
! Also send each command entered inside configuration mode for authorization
aaa authorization config-commands

All the best !

Regards,

~JG
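To make concrete how the three groups from the original question map onto shell command authorization sets, and what the router configured above actually asks the server on each command, here is an added model written for this thread. It is constructed illustration code, not ACS or IOS code; the CommandRule/CommandSet classes, the group names and the sample commands are assumptions. The key point for group 2 is that a set can permit unmatched commands and still carry one explicit entry for `configure` that denies every argument form, which is the "allow all, block one" behaviour the question asks about.

```python
# Added example: a simplified model of ACS-style shell command authorization
# sets for the three groups in the question. Constructed for illustration;
# not the ACS or IOS implementation. Class and group names are assumptions.
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """One command entry in a shell command authorization set."""
    command: str
    permit_args: list = field(default_factory=list)  # regexes over the argument string
    deny_args: list = field(default_factory=list)
    permit_unmatched_args: bool = True                # the "Permit Unmatched Args" setting


@dataclass
class CommandSet:
    """A shell command authorization set: per-command rules plus a default."""
    name: str
    permit_unmatched_commands: bool                   # "Unmatched Commands: Permit/Deny"
    rules: dict = field(default_factory=dict)         # command word -> CommandRule

    def authorize(self, cli: str) -> bool:
        """Return True if the full CLI line is permitted by this set."""
        words = cli.split()
        if not words:
            return False
        cmd, args = words[0], " ".join(words[1:])
        rule = self.rules.get(cmd)
        if rule is None:
            # No entry for this command word: the set-wide default decides.
            return self.permit_unmatched_commands
        # Deny lines win over permit lines; if neither matches, the
        # per-command unmatched-args default decides.
        if any(re.search(p, args) for p in rule.deny_args):
            return False
        if any(re.search(p, args) for p in rule.permit_args):
            return True
        return rule.permit_unmatched_args


def tacacs_authorization_args(cli: str) -> list:
    """Attribute-value pairs a router sends for 'aaa authorization commands'.

    IOS splits the line into cmd= plus one cmd-arg= per argument and a
    trailing cmd-arg=<cr>; the server matches its command sets against these.
    """
    words = cli.split()
    return (["service=shell", f"cmd={words[0]}"]
            + [f"cmd-arg={w}" for w in words[1:]]
            + ["cmd-arg=<cr>"])


# Group 1: read-only. Deny everything that is not explicitly permitted.
READ_ONLY = CommandSet("read-only", permit_unmatched_commands=False, rules={
    "show": CommandRule("show"),
    "exit": CommandRule("exit"),
    "enable": CommandRule("enable"),
})

# Group 2: everything except entering configuration mode. Permit unmatched
# commands, but add a 'configure' entry with no permit lines and unmatched
# arguments denied, so every form of 'configure ...' is refused while
# 'copy', 'reload', 'write' and so on still pass.
NO_CONFIG = CommandSet("no-config", permit_unmatched_commands=True, rules={
    "configure": CommandRule("configure", permit_unmatched_args=False),
})

# Group 3: full access. Permit everything.
FULL = CommandSet("full", permit_unmatched_commands=True)


def evaluate(command_set: CommandSet, commands: list) -> dict:
    """Map each sample command to the set's permit/deny decision."""
    return {c: command_set.authorize(c) for c in commands}


if __name__ == "__main__":
    # Constructed sample commands, one per behaviour worth checking.
    sample = ["show running-config", "copy running-config startup-config",
              "configure terminal", "reload"]
    for cs in (READ_ONLY, NO_CONFIG, FULL):
        print(cs.name, evaluate(cs, sample))
    print(tacacs_authorization_args("configure terminal"))
```

Because the router above also has `aaa authorization config-commands`, any user who does reach configuration mode has each config line sent to the server in the same cmd/cmd-arg form, so group 3's set must permit those too; for group 2 the question never arises because `configure terminal` itself is refused.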
