02-26-2007 08:30 AM - edited 03-10-2019 03:00 PM
Hi everyone,
Can someone tell me how I configure a router and ACS 4.1 to only permit some commands for some users? To be more specific, I want to know how I would configure it to let some users issue just the "shutdown" and "no shutdown" commands on interfaces.
I already configured the ACS and the router not to allow some users to issue the "configure" command and it works, but this "shut, no shut" thing is more tricky...
thanks in advance
02-26-2007 08:41 AM
I am not an expert with Cisco ACS 4.1 (even though I have one running in the production environment). I have a love-hate relationship with Windows, so I am afraid to use it for my production environment. I am much more familiar with Cisco Freeware TACACS+.
This is what I have in my TACACS+ config:
group = advanced {
default service = deny
cmd = show { permit .* }
cmd = copy { permit flash }
cmd = copy { permit running }
cmd = ping { permit .* }
cmd = configure { permit .* }
cmd = enable { permit .* }
cmd = disable { permit .* }
cmd = telnet { permit .* }
cmd = disconnect { permit .* }
cmd = where { permit .* }
cmd = set { permit .* }
cmd = clear { permit line }
cmd = exit { permit .* }
cmd = interface { permit .* }
}
user = adv {
member = advanced
name = "Advanced User"
login = cleartext "adv123"
# login = des DJVS9kfrcLbus
}
user = $adv$ {
member = advanced
name = "Advanced User"
login = cleartext "adv1234"
# login = des W/3UA7J1cz3sQ
}
Check this out when I log into the router:
Juniper>en
Password:
Juniper#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Juniper(config)#int lo0
Juniper(config-if)#shut
Command authorization failed.
% Incomplete command.
Juniper(config-if)#no shut
Command authorization failed.
% Incomplete command.
Juniper(config-if)#exit
Juniper(config)#exit
Juniper#
David
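Added example, not code from this thread: a small Python model of how a tac_plus group like the one above decides a command, assuming tac_plus's usual semantics (the first word of the command selects the cmd block, the remaining arguments are matched in order against each permit/deny regex, and an unmatched command falls through to default service). The group text is constructed and extended with shutdown and no blocks so that the interface shut/no shut commands the original question asks about are permitted while other interface subcommands stay denied.

```python
import re

# Constructed group in tac_plus syntax, modelled on the "advanced" group
# posted above but extended (assumption) with the blocks needed to permit
# "shutdown" / "no shutdown" and nothing else under the interface prompt.
TAC_PLUS_GROUP = """
group = ifadmin {
    default service = deny
    cmd = show { permit .* }
    cmd = configure { permit terminal }
    cmd = interface { permit .* }
    cmd = shutdown { permit .* }
    cmd = no { permit ^shutdown$ }
    cmd = exit { permit .* }
}
"""

def parse_group(text):
    """Return ({cmd_name: [(action, regex), ...]}, default_action)."""
    rules = {}
    default = "deny" if "default service = deny" in text else "permit"
    for name, body in re.findall(r"cmd\s*=\s*(\S+)\s*\{([^}]*)\}", text):
        rules.setdefault(name, [])
        for action, pattern in re.findall(r"(permit|deny)\s+(\S+)", body):
            rules[name].append((action, pattern))
    return rules, default

def authorize(rules, default, command_line):
    """Decide one command the way tac_plus would (assumed semantics).

    The router sends the expanded command, so a user typing "shut" is
    authorized as "shutdown". The first word picks the cmd block; the rest
    is tested against each regex in order and the first match wins.
    """
    words = command_line.split()
    if not words or words[0] not in rules:
        return default
    args = " ".join(words[1:])
    for action, pattern in rules[words[0]]:
        if re.search(pattern, args):
            return action
    return default

if __name__ == "__main__":
    rules, default = parse_group(TAC_PLUS_GROUP)
    for line in ["configure terminal", "interface Loopback0", "shutdown",
                 "no shutdown", "no ip address",
                 "ip address 10.0.0.1 255.255.255.0"]:
        print(f"{authorize(rules, default, line):6}  {line}")
```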
02-26-2007 09:05 AM
Thank you David,
It works indeed, but it doesn't solve my issue;
you told me neither how to do the AAA authorization on routers for this case nor how to configure the ACS, and I don't know how to match the Freeware TACACS+ commands in ACS.
But thank you again
02-26-2007 10:15 AM
hi,
On the Cisco router, the configuration is quite simple. I will look into ACS and find out how to do this. I guess I have to learn how to use ACS eventually.
Below is the configuration on the router:
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+
tacacs-server host 192.168.15.10 key 7 1446405858517C
tacacs-server directed-request
line con 0
exec-timeout 0 0
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
logging synchronous
login authentication notac
line vty 0 15
exec-timeout 0 0
authorization commands 0 VTY
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication VTY
02-26-2007 01:37 PM
Thank you, David. So that is the router part; I did it almost like you, but I didn't know that I should put all the level 0, 1 and 15 authorization commands. I only put "aaa authorization commands 15 default group tacacs+ if-authenticated none".
And another question if you don't mind, what is the use of the "aaa authorization config-commands" command?
thanks
02-26-2007 02:14 PM
aaa authorization config-commands
This command allows you to give users commands inside config mode while still not allowing them to do specific things such as "int lo0, no shut".
David