Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1126
Views
0
Helpful
5
Replies

AAA command authorization

costin.vilcu
Level 1
Level 1

‎02-26-2007 08:30 AM - edited ‎03-10-2019 03:00 PM

Hi everyone,

can someone tell me how to i configure a router() and the ACS 4.1 to only permit some commnads for some users. To be more specific i want to know how will i configure it to let some users issue just the "shutdown" and "no shutdown" commands on interfaces?

I already configured the ACS and the router not to allow some users issue the "configure" commnand and it works, but this "shut, no shut" thing is more tricky...

thanks in advance

Labels:
0 Helpful
5 Replies 5

daviddtran
Level 1
Level 1

‎02-26-2007 08:41 AM

I am not an expert with Cisco ACS 4.1 (even

though I have one running the production

environment). I have love-hate relationship

with windows so I am afraid to use it for

my production environment. I am much more

familiar with Cisco Freeware TACACS+.

This is what I have in my TACACS+ config:

group = advanced {

default service = deny

cmd = show { permit .* }

cmd = copy { permit flash }

cmd = copy { permit running }

cmd = ping { permit .* }

cmd = configure { permit .* }

cmd = enable { permit .* }

cmd = disable { permit .* }

cmd = telnet { permit .* }

cmd = disconnect { permit .* }

cmd = where { permit .* }

cmd = set { permit .* }

cmd = clear { permit line }

cmd = exit { permit .* }

cmd = interface { permit .* }

}

user = adv {

member = advanced

name = "Advanced User"

login = cleartext "adv123"

# login = des DJVS9kfrcLbus

}

user = $adv$ {

member = advanced

name = "Advanced User"

login = cleartext "adv1234"

# login = des W/3UA7J1cz3sQ

}

Check this out when I log into the router:

Juniper>en

Password:

Juniper#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Juniper(config)#int lo0

Juniper(config-if)#shut

Command authorization failed.

% Incomplete command.

Juniper(config-if)#no shut

Command authorization failed.

% Incomplete command.

Juniper(config-if)#exit

Juniper(config)#exit

Juniper#

David

0 Helpful

costin.vilcu
Level 1
Level 1
In response to daviddtran

‎02-26-2007 09:05 AM

Thank you David,

it works indeed, but id doesn't solve my issue;

you didn't tell me neither how to do the aaa authorization on routers for this case neither how to configure the ACS and i don't know how to match the Freeware Tacacs commands in ACS.

But thank you again

0 Helpful

daviddtran
Level 1
Level 1
In response to costin.vilcu

‎02-26-2007 10:15 AM

hi,

On the Cisc0 router, the configuration is

quite simple. I will look into ACS and find

out how to do this. I guess I have to learn

how to use ACS eventually.

Below is the configuration on the router:

aaa authentication login notac none

aaa authentication login VTY group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization console

aaa authorization config-commands

aaa authorization exec notac none

aaa authorization exec VTY group tacacs+ if-authenticated none

aaa authorization commands 0 VTY group tacacs+ if-authenticated none

aaa authorization commands 1 VTY group tacacs+ if-authenticated none

aaa authorization commands 15 VTY group tacacs+ if-authenticated none

aaa authorization network VTY group tacacs+ if-authenticated none

aaa accounting exec VTY start-stop group tacacs+

aaa accounting commands 0 VTY start-stop group tacacs+

aaa accounting commands 1 VTY start-stop group tacacs+

aaa accounting commands 15 VTY start-stop group tacacs+

aaa accounting network VTY start-stop group tacacs+

aaa accounting connection VTY start-stop group tacacs+

tacacs-server host 192.168.15.10 key 7 1446405858517C

tacacs-server directed-request

line con 0

exec-timeout 0 0

authorization exec notac

accounting commands 0 VTY

accounting commands 1 VTY

accounting commands 15 VTY

accounting exec VTY

logging synchronous

login authentication notac

line vty 0 15

exec-timeout 0 0

authorization commands 0 VTY

authorization commands 1 VTY

authorization commands 15 VTY

authorization exec VTY

accounting commands 0 VTY

accounting commands 1 VTY

accounting commands 15 VTY

accounting exec VTY

login authentication VTY

0 Helpful

costin.vilcu
Level 1
Level 1
In response to daviddtran

‎02-26-2007 01:37 PM

Thank you, David. So that is the router part, i did it almost like you, but i didn't know that i should put all 0,1 and 15 level authorization comands, i only put "aaa authorization commands 15 default group tacacs+ if-authenticated none".

And another question if you don't mind, what is the use of the "aaa authorization config-commands" command?

thanks

0 Helpful

daviddtran
Level 1
Level 1
In response to costin.vilcu

‎02-26-2007 02:14 PM

aaa authorization config-commands

This command allows you to give users comand

inside the config mode but not allowing them

from doing specific things such as "int lo0, no shut".

David

0 Helpful
Customers Also Viewed These Support Documents