Cisco Support Community


ACS 4.2 Command Authorization

Hi Everyone,

This is my first post, and I'm not quite sure if this is the right place, so here it is.

I have several Cisco devices and I want my colleagues to have limited access to them, wherein they're only allowed specific commands. So I put an ACS 4.2 in place with users authenticated against Active Directory accounts.

I'm done with the authentication part, and it's working perfectly (I guess). I created three user groups to which I can attach command authorization sets.

Shell command authorization sets

GROUP-80
Allow commands (the rest are denied):
show *
enable *
configure *
end *
exit *

GROUP-90
Deny commands:
clear configuration *
username *
no username *
tacacs-server *
no tacacs-server *
aaa *
no aaa *
line *
no line *

GROUP-100
Allow all

IOS Configuration

aaa new-model
aaa authentication login default local
aaa authentication login THEN1 group tacacs+ local
aaa authorization exec THOR1 group tacacs+ local
aaa session-id common
tacacs-server host 172.16.8.115 single-connection
tacacs-server host 172.16.8.112 single-connection
tacacs-server key 7 0300520C0F1B204F4F0A0A54
line vty 0 4
 access-class 50 in
 privilege level 15
 authorization exec THOR1
 login authentication THEN1
 transport input ssh


Re: ACS 4.2 Command Authorization

What is your question?

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"

Re: ACS 4.2 Command Authorization

Oh, I'm sorry, I forgot.

How would I accomplish these via ACS?

Three groups: group 100, 90 and 80.

group 100 - allow all commands

group 90 - allow all except the commands below (* = any arguments), including all group-80 commands:
clear configuration *
username *
no username *
tacacs-server *
no tacacs-server *
aaa *
no aaa *
line *
no line *

group 80 - allow only the commands below:
show *
enable *
configure *
end
exit

In my initial post is the IOS configuration of my routers/switches. Attached is the group-90 shell command authorization set from ACS.

Even though the user is in group-90, all of the commands are still being accepted by the device.

Here's the debug from the console while I successfully log in using a group-90 user account and type "no tacacs-server...". I'm expecting my commands will not be permitted, but I was still able to execute them.

Jul 16 11:49:59.502: %SSH-5-SSH2_USERAUTH: User 'sdesk' authentication for SSH2 Session from 172.16.11.225 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-md5' Succeeded
Jul 16 11:49:59.510: TPLUS: Queuing AAA Authorization request 16475 for processing
Jul 16 11:49:59.510: TPLUS: processing authorization request id 16475
Jul 16 11:49:59.510: TPLUS: Protocol set to None .....Skipping
Jul 16 11:49:59.510: TPLUS: Sending AV service=shell
Jul 16 11:49:59.510: TPLUS: Sending AV cmd*
Jul 16 11:49:59.510: TPLUS: Authorization request created for 16475(sdesk)
Jul 16 11:49:59.510: TPLUS: using previously set server 172.16.8.115 from group tacacs+
Jul 16 11:49:59.510: TPLUS(0000405B)/0/IDLE/662A3E14: got immediate connect on new 0
Jul 16 11:49:59.510: TPLUS(0000405B)/0/WRITE/662A3E14: Started 5 sec timeout
Jul 16 11:49:59.514: TPLUS(0000405B)/0/WRITE: wrote entire 63 bytes request
Jul 16 11:49:59.994: TPLUS(0000405B)/0/READ: read entire 12 header bytes (expect 6 bytes)
Jul 16 11:49:59.994: TPLUS(0000405B)/0/READ: read entire 18 bytes response
Jul 16 11:49:59.994: TPLUS(0000405B)/0/662A3E14: Processing the reply packet
Jul 16 11:49:59.994: TPLUS: received authorization response for 16475: PASS

It'll be greatly appreciated if you could help me figure this out

Thanks in advance...

Re: ACS 4.2 Command Authorization

Use this command on your router/switch

aaa authorization config-commands

http://www.cisco.com/en/US/docs/ios/12_0/security/command/reference/srauth.html#wp1017530

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"
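As an added illustration (not code from the thread, from ACS or from Cisco), the script below does two things the thread leaves implicit: it scans TACACS+ debug output for whether the device ever sent a per-command authorization request (an AV pair of the form cmd=...) rather than only the exec authorization (cmd*) visible in the post, and it models how the poster's GROUP-80 (permit-listed) and GROUP-90 (deny-listed) command sets would decide individual commands. The sample debug lines are constructed from the post, and the pattern matching is a deliberate simplification of ACS shell command authorization sets.

```python
import re

# Constructed sample modelled on the "debug tacacs" output in the thread: one exec
# (shell start) authorization and no per-command authorization requests after it.
SAMPLE_DEBUG = """\
Jul 16 11:49:59.510: TPLUS: Sending AV service=shell
Jul 16 11:49:59.510: TPLUS: Sending AV cmd*
Jul 16 11:49:59.994: TPLUS: received authorization response for 16475: PASS
"""

def authorization_kinds(debug_text):
    """Count exec authorizations (AV 'cmd*') and per-command authorizations (AV 'cmd=...').

    IOS only sends 'cmd=<command>' when command authorization is applied to the line
    ('aaa authorization commands <level> ...'); 'aaa authorization config-commands' extends
    it to configuration-mode commands. Exec authorization alone never checks commands."""
    exec_n = len(re.findall(r"Sending AV cmd\*", debug_text))
    cmd_n = len(re.findall(r"Sending AV cmd=", debug_text))
    return exec_n, cmd_n

def command_authorization_missing(debug_text):
    """True when a shell was authorized but ACS was never asked about a single command."""
    exec_n, cmd_n = authorization_kinds(debug_text)
    return exec_n > 0 and cmd_n == 0

# Simplified model of the poster's sets: a trailing '*' matches any arguments after the
# listed words; a pattern without '*' must match the whole command exactly.
GROUP_80 = {"mode": "permit", "commands": ["show *", "enable *", "configure *", "end", "exit"]}
GROUP_90 = {"mode": "deny", "commands": ["clear configuration *", "username *", "no username *",
            "tacacs-server *", "no tacacs-server *", "aaa *", "no aaa *", "line *", "no line *"]}
GROUP_100 = {"mode": "permit", "commands": ["*"]}

def _matches(pattern, command):
    pw, cw = pattern.split(), command.split()
    if pw[-1] == "*":
        head = pw[:-1]
        return cw[:len(head)] == head
    return cw == pw

def is_permitted(group, command):
    """A 'permit' set allows only listed commands; a 'deny' set allows everything else."""
    hit = any(_matches(p, command) for p in group["commands"])
    return hit if group["mode"] == "permit" else not hit
```

Running the set model against the command the poster tried shows GROUP-90 would have denied it; the debug check shows why it never got that far.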

Re: ACS 4.2 Command Authorization

Thanks Abdullah for the link

But it took me quite a while before I could correctly figure out the sets of commands.

Really appreciate your help.

And for those of you who have the same case, here's a quick template that you can follow
