Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

ACS command authorization

i m not able to configure the command authorization. I obey the pattern that u send on the fourm, I did the same but still not getting user is able to do all the tasks.

i made a command authorization set as mentioned with show and deny it with unmatch argument.

because i want user only able to run show commands,

user have level 1 permission, it is also showing me in taccac administration that user have level 1 permission.

i did following configuration on cisco router for command authorization

aaa new-model

aaa authentication login default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 7 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa authorization config-commands

so many times i assing the user level 1 privilagte in group setting but still it is showing me in tacacs administration with privilage level 15.

6 REPLIES

Re: ACS command authorization

Hi Wasim,

If you are using command authorization then privilage doesn't matter.

Best way to set it up is to give all user priv lvl 15 and then define what all commands user can execute.

Note : Having priv 15 does not mean that user will able to issue all commands.

We will set up command authorization on acs to have control on users.

This is how your config should look,

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

Regards,

~JG

Do rate helpful posts

Community Member

Re: ACS command authorization

Thanks for the reply, but unfortunately it is not working for me.

I have made a group 10, add a user in it. I have made a command set and recall it in shell command.

user has priv 15. but when I enter the above mention commands, i am not able to do anything,

i m getting following error

PDC-Srv-3750-2(config)#aaa authorization config-commands

% Authorization failed.

PDC-Srv-3750-2(config)#

PDC-Srv-3750-2(config)#aaa accounting commands 1 default start-stop group tacacs+

% Authorization failed.

even my current session is not allowing me to do anything.

new telnet session is also not accepting the username/password that is configured in ACS.

Re: ACS command authorization

Wasim,

You need to make another shell command set that allows all commands.

Make a command set called admin and on the radio button clink PERMIT and hit submit/apply.

Now go to group you are part of and map newly created set.

It will now let you issue all commands.

Regards,

~JG

Community Member

Re: ACS command authorization

Thanks for the guidline,

but still confuse, bcz I have three groups one with admin user that has access to all network devices and for them there is no command set on this group.

This device belongs to that group has command set that allows only show commands, but earlier this device not allowing anyone to connect except the user of this group and that usr only run show command.

Why this device not allowing admin to login, after i remove old show command set and made a new command set with all permit it let me allowing in.

I want admin group to access all devices and do all things and one group to access specific devices and can perform only specific task, but admin on these devices can do all admin task.

One thing more, please tell me i also want to authenticate user at the time of login and at the time of enable mode, right now user able to login in by giving local enable password, i wana also authenticate user enable password define on ACS.

how to define enabel password on ACS and how to configure enable authentication device.

Community Member

Re: ACS command authorization

Everything is working fine for me, but I am not able to configure the enable mode authentication, I have set the ACS user password in Tacac+option tab.

and configure the device for enable mode authentication

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacasc+

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

But still after login user only able to enter in enable mode by giving locally configured password, not the password that configured in ACS.

Please help me out how to configure the device that both login and enable authentication controlled by ACS.

Community Member

Re: ACS command authorization

HI JG

I also tried what you said and it works, however this is a nice work around to the problem of getting ACS to do cmd authorization at other lower cmd levels, surely we should be able to implement this at other levels, so when we do auditing it reports its real level. I create a cmd auth set apply it to a user who has level 15 access and it works well. I then change the users level to something lower using the same cmd set and it will not work??

Any ideas??

462
Views
5
Helpful
6
Replies
CreatePlease to create content