New Member

AAA, Tacacs+ and ACS

I'm trying to use ACS (v4.1) to authenticate admins to our Cisco switches and also restrict access to particular commands for particular users. I've done a lot of research on this but can't find a complete document that goes through it step by step.

What I have so far on the switch is

enable secret 5 removed
username admin privilege 15 password 7 removed
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

The local admin logs in perfectly fine when the switch is not connected to the network.

When I connect the switch to the network and login using my AD credentials it works a treat.

When I try and log in with a local ACS account for testing, which has Max Privilege for any AAA Client set to Level 1, and TACACS+ Settings Shell (exec) ticked as is Privilege level (also set at 1), it logs in fine, but when I try to go into exec mode it fails with the errors below

% Error in authentication.

.Oct 25 14:19:20.288: %SYS-5-PRIV_AUTH_FAIL: Authentication to privilege level 15 failed by test on console

I don't want test to go into exec mode as level 15; I want it to go in as level 1 or some other level other than 15 so I can control what commands it has access to through ACS.

I'm at a loss to know why this isn't working, so any help would be much appreciated.

Thanks

Jon

12 REPLIES
Cisco Employee

AAA, Tacacs+ and ACS

What error do you see on ACS 4.1 > Reports and Activity > Failed Attempts?

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Re: AAA, Tacacs+ and ACS

The error ACS is reporting is "User exceeded max sessions".

Checked max session for the group and they're set at unlimited.

Cisco Employee

Re: AAA, Tacacs+ and ACS

Please make sure we have nothing configured on the user level because user settings always take precedence over group. Also, please post the screen shot of max session settings from group level.

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Re: AAA, Tacacs+ and ACS

See below group and user Max session settings.

Cisco Employee

Re: AAA, Tacacs+ and ACS

The problem you are facing and the error you're seeing on ACS ("max session exceeded") seem to be 2 different issues. I read that you don't want to try this with Max privilege and privilege level set to 15. However, if you want to restrict a user to a few commands on any IOS, that can't be done like this.

You need to have command authorization enabled on the switch and a command set on the ACS > Shell Command Authorization. This is a pretty common feature that we use day in, day out.

You need to set the privilege level to 15 because we are using exec authorization on the switch, and then follow this document.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

You would see a few examples of read-only access and read-write access.

You may also let me know what all commands you would like to allow for read-only access.

Please feel free to let me know if you need any further assistance.

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Re: AAA, Tacacs+ and ACS

I flattened the aaa config on the switch and started from scratch on the ACS, and configured both as per the Cisco doc you shared, with the addition of "aaa authentication login default group tacacs+ local".

When I came to the user config it asks to assign the command authorisation set at the user level as well as the group level, but I don't have the option within ACS to assign any command authorisation sets at the user level.

When I tested the config by logging in with the restrictive access account it didn't restrict any of the commands and allowed everything.

Thanks

Cisco Employee

Re: AAA, Tacacs+ and ACS

In order to assign shell command authorization at the user level, please check the option under Interface Configuration > TACACS+ (Cisco) > check Shell (exec) under User as well.

To verify why it's not restricting the user with read-only access, please post the output of

show run | in aaa

I need to see if you have command authorization configured correctly.

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Re: AAA, Tacacs+ and ACS

See below aaa output

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common

Cisco Employee

Re: AAA, Tacacs+ and ACS

Seems fine. Can you show me how you have created the restricted command set on ACS and where we have applied it?

If that looks good, we will fetch the following debugs

debug tacacs+
debug aaa authentication
debug aaa authorization

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Re: AAA, Tacacs+ and ACS

User

Group

Cisco Employee

Re: AAA, Tacacs+ and ACS

That looks good too.

What all have you tried in your testing? Can you pick any example that shouldn't work for you but is working?

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Re: AAA, Tacacs+ and ACS

I've logged in with a test account called admin, which is part of the Restrict Access group, and the user is configured for the command set as well.

When I've logged in I've done the following commands

conf t
interface fa0/3
duplex full

which have all worked.

Thanks
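To make the command-set behaviour discussed in this thread concrete, here is an added illustration (my own code, not ACS or IOS) of a simplified ACS 4.x Shell Command Authorization Set: per-command argument rules plus a policy for unmatched commands. It shows why a set that permits unmatched commands lets "configure terminal / interface / duplex" through unchanged, while a read-only set denies them; the class, rule format and sample commands are constructed for this example.

```python
import re

# Simplified model of an ACS 4.x Shell Command Authorization Set (an added
# illustration, not ACS code). A set holds, per command, an ordered list of
# (action, argument-regex) rules plus a policy for commands matching no rule
# and for arguments matching no rule.
class CommandSet:
    def __init__(self, rules, unmatched_commands="deny", permit_unmatched_args=False):
        self.rules = rules                         # {"show": [("permit", r".*")], ...}
        self.unmatched_commands = unmatched_commands
        self.permit_unmatched_args = permit_unmatched_args

    def authorize(self, cmd_line):
        """Return True if the command line is permitted, False if denied.

        The switch sends the full command word plus its arguments in the
        TACACS+ authorization request, so callers pass expanded forms such as
        "configure terminal" rather than the "conf t" typed at the prompt.
        Config-mode commands only reach the server when the switch has
        "aaa authorization config-commands", as in the poster's config.
        """
        parts = cmd_line.strip().split(None, 1)
        if not parts:
            return False
        cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")
        if cmd not in self.rules:
            return self.unmatched_commands == "permit"
        for action, pattern in self.rules[cmd]:
            if re.search(pattern, args):
                return action == "permit"
        return self.permit_unmatched_args


# Read-only set: "show" with any argument except the running config, plus
# "exit"; everything else, including config-mode commands, is denied.
READ_ONLY = CommandSet(
    {"show": [("deny", r"^running-config"), ("permit", r".*")],
     "exit": [("permit", r".*")]},
    unmatched_commands="deny",
)

# What the thread observed: permitting unmatched commands behaves like
# having no set applied at all, so configuration changes sail through.
PERMIT_ALL = CommandSet({}, unmatched_commands="permit")

# Constructed sample: the three commands from the test login, expanded by IOS.
SESSION = ["configure terminal", "interface FastEthernet0/3", "duplex full"]

def evaluate(cmd_set, commands=SESSION):
    return {c: cmd_set.authorize(c) for c in commands}

if __name__ == "__main__":
    for name, cs in (("read-only", READ_ONLY), ("permit-unmatched", PERMIT_ALL)):
        print(name, evaluate(cs))
```

Running it prints a denied result for all three commands under the read-only set and a permitted result under the permit-unmatched set; the real check on the switch is the "debug aaa authorization" output, which shows which decision ACS returned for each command.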
