Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
574
Views
0
Helpful
1
Replies

AAA Command Authorization

srowles
Level 1
Level 1

‎10-04-2005 10:25 AM - edited ‎03-10-2019 02:19 PM

HI

I am configuring command authorization for our FWSM and switches. I seem to have it working OKish for the FWSM but I think I´m nissing something as far as the Switches go.

I basically have a user in a group which I have configured as follows under "Shell Command Authorization Set":

I have chosen "Per Group Command Authorization" with the "Unmatched Cisco IOS commands" set to deny.

I then have the following command set specified:

Command - SHOW

Arguments -

permit clock

permit route

permit access-list

permit run

On the FWSM these are the only commands that the user can use but on the Switches, all Show commands are available.

I have tried adding the following to the switches:

aaa authorization commands 0 default group Cajastur_ACS local

aaa authorization commands 1 default group Cajastur_ACS local

in addition to the following line which is always configured:

aaa authorization commands 15 default group Cajastur_ACS local

However on the switches I can still run the SHOW command with all arguments.

I must admit that I´m a bit confused too as to what checking or not checking the "Shell (exec)" option under Tacacs+ Settings will do for me. Any explanaition with regards to what this is for would also be appreciated.

The command authorization is working to a degree as I cannot enter config mode on the switches unless I specifically specify it on the ACS server. It´s really the granularity on the SHOW command that I´m after and an understanding of what the "Shell (exec)" option is needed for.

All comments greatly appreciated.

Labels:
0 Helpful
1 Reply 1

mchin345
Level 6
Level 6

‎10-11-2005 06:40 AM

There shouldn't be any issues configuring the same on the FWSM. The commands are the same as on the

6.2 verison of a PIX. Please refer to the below url for the details on the aaa authorization command

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#1056043

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents