New Member

ACS configuration for Authorization

Hi,

I'm checking if someone can help me out with a specific configuration.

We are deploying the Cisco ACS in our network and have configured for the Authorization AAA to our AD.

Now what we want to do is to give the technician normal access for monitoring and troubleshooting, which is only certain commands (show*), and allow them to use the enable password to gain access to conf t and other commands.

We have tried to give them:

Shell profiles Default Privilege: Static 10;

Maximum Privilege:  Static 10;

Command Sets:

Permit Show *

Deny Conf*

Deny Wr*

Deny Rel*

While doing this, it responds correctly when using conf t and gives the message "Command authorization failed", but when typing enable nothing is happening.

What should be done to correctly configure this?

Patrick

10 REPLIES
Cisco Employee

ACS configuration for Authorization

Did you find this document in your research? If no then you may want to take a look at it.

http://www.cisco.com/en/US/products/ps9911/products_configuration_example09186a0080bc8514.shtml

Also, please set the maximum privilege to 15 before you test command authorization.

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

ACS configuration for Authorization

Hi Jatin,

Thanks for the reply. Yes, I have tried this, but the problem is that I want the limited-access engineer to make use of the enable password to gain access to conf t.

So the same user who normally has limited access will change his priv level by using the enable password (or something else) to gain total access for configuration of the equipment.

Thanks,

Patrick

Cisco Employee

ACS configuration for Authorization

Could you please share the output of "show run | in aaa" in your next reply?

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

ACS configuration for Authorization

Hi Jatin,

Yes of course:

See below.

aaa authentication login default group tacacs+

aaa authentication enable default group tacacs+ enable

aaa authorization config-commands

aaa authorization exec default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

aaa authentication login default group tacacs+

Thanks,

Patrick

Cisco Employee

ACS configuration for Authorization

I would also suggest you have a complete configuration for command authorization, so add these two commands as well.

aaa authorization commands 0 default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

In order to present enable password mode to your technician (read-only users), you have to configure ACS like this.

Let me know how it goes.

~BR
Jatin Katyal

**Do rate helpful posts**

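A small checker, added here as an example (not code from the thread, from Cisco or from ACS), that reads a "show run | in aaa" listing and reports the gaps raised in this reply: command authorization lines for levels 0 and 1 in addition to 15, config-commands, and which method validates the enable password first. The two sample listings are constructed from the lines Patrick posted, before and after the suggested additions.

```python
import re

# Constructed sample input: the "show run | in aaa" lines posted above.
BEFORE = """\
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
"""
# The same listing with the two lines suggested in this reply added.
AFTER = BEFORE + """\
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
"""

CMD_RE = re.compile(r"^aaa authorization commands (\d+) \S+ (.+)$")
ENABLE_RE = re.compile(r"^aaa authentication enable \S+ (.+)$")

def first_method(methods):
    # 'group tacacs+' is one method; 'enable', 'local', 'none' are single words
    return " ".join(methods[:2]) if methods[0] == "group" else methods[0]

def audit_aaa(config):
    """Return findings for a TACACS+ command-authorization setup.

    Levels 0, 1 and 15 each need an 'aaa authorization commands' line,
    config-commands must be on, and the first method in the enable list
    decides where the enable password is checked while TACACS+ answers.
    """
    findings, levels, config_cmds, enable_methods = [], set(), False, None
    for line in config.splitlines():
        line = line.strip()
        if m := CMD_RE.match(line):
            levels.add(int(m.group(1)))
        elif line == "aaa authorization config-commands":
            config_cmds = True
        elif m := ENABLE_RE.match(line):
            enable_methods = m.group(1).split()
    for lvl in (0, 1, 15):
        if lvl not in levels:
            findings.append(f"missing: aaa authorization commands {lvl}")
    if not config_cmds:
        findings.append("missing: aaa authorization config-commands")
    if enable_methods is None:
        findings.append("missing: aaa authentication enable")
    elif first_method(enable_methods) != "enable":
        findings.append(f"enable password checked by '{first_method(enable_methods)}' first; "
                        "local enable password used only if that method does not respond")
    return findings
```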
New Member

ACS configuration for Authorization

Jatin,

OK, almost there. It is working, but I cannot get show run to work when in view-only, and additionally the configured enable password on the router is not working anymore.

Can you help with this?

Patrick

Cisco Employee

ACS configuration for Authorization

So you're saying that when you execute "show run", it says command authorization failed. If yes, then I would be interested to see the syntax that you've defined on ACS under command sets. Also, the reason enable authentication is not going to the local database (i.e. the router) is that in your configuration you've defined that it should check the enable password against the tacacs server first; only if that doesn't work does it check the locally defined enable password. Since your tacacs server is up and running, we have to use the enable password from tacacs.

Here is what you have.

aaa authentication enable default group tacacs+ enable

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

ACS configuration for Authorization

Jatin,

Hope the image is clear.

Just changed the enable to local only.

Patrick

New Member

ACS configuration for Authorization

Kindly find the link below for a proper configuration sample for authorization.

https://supportforums.cisco.com/docs/DOC-16027

New Member

ACS configuration for Authorization

This didn't seem like it was designed for one user to get all the privileges for show commands. So we decided to use two users instead: one with priv 15 with no wr mem or conf t, and another with priv 15 with no restrictions.

Thanks

Patrick
