Cisco Support Community

New Member

ACS Read Only Device Access

We are using ACS ver 4.2 and trying to set up users with limited access to our switches and routers. Here is what we did:

1) Created a user in ACS

2) Create Shell Command Authorization Set - ReadOnly

          Unmatched Commands - Deny

          Commands Added

               show

               exit

          * this should limit the user to the show and exit command only (correct)?

3) Created a group - HelpDesk with the following TACACS+ Settings

          Shell (exec) is checked

          Privilege level is checked with 15 as the assigned level

          Assign a Shell Command Authorization Set for any network device - selected

          ReadOnly - shell command authorization set selected

When the user logs on to the router/switch it appears that he has full access.  He can enter the enable command, config terminal command, etc.  All we want him to be able to do is to issue the show command.

Any help would be appreciated.

13 REPLIES
New Member

Re: ACS Read Only Device Access

Can you refer to this doc

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

and compare the config. As far as what you describe goes, the ACS config sounds correct; on the switch/router you also need to have the following commands:

aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

New Member

ACS Read Only Device Access

Is there any way to give privilege level 15 and deny write access (write command)?

Cisco Employee

ACS Read Only Device Access

Yes.

You can try this: Privilege for read-only access

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#scenario2

~BR Jatin Katyal **Do rate helpful posts**
New Member

ACS Read Only Device Access

I tried that and could not get it to work.

I tried the following:

- 1 -

Shell Command Authorization Set

Deny

Unmatched Commands - show

Permit Unmatched Args - checked

Enable Options

Max Privilege for any AAA client - 1

Tacacs+

Shell Command - checked

Privilege level - 1

With the above, the user did not have the ability to do sh run. The user could not turn on privileged commands (enable): access denied.

- 2 -

Shell Command Authorization Set

Deny

Unmatched Commands - show

Permit Unmatched Args - checked

Enable Options

Max Privilege for any AAA client - 15

Tacacs+

Shell Command - checked

Privilege level - 15

With the above, the user had full read/write rights

Any other thoughts?

ACS Read Only Device Access

Dtom,

You need to give privilege 15 to both types of users. Now, giving priv 15 does not mean that the read-only user will be able to get full access. Command authorization works above the privilege level.

Set enable and shell priv to 15

The rest of your settings are all OK.

Regards,

~JG

Do rate helpful posts

New Member

ACS Read Only Device Access

I don't know what I am missing here.  When I give privilege 15 the user had full access.  Here is what I did:

- 1 -

Create Shell Command Authorization Sets - Read_Access

  Deny - checked

  Unmatched Commands - show

  Permit Unmatched Args - checked

- 2 - Create Group - HelpDesk

  Enable Options - Max Privilege for any AAA Client 15

  Shell (exec) - checked

  Shell Command Authorization Set - Assign a Shell Command Set for any network device- Read_Access

- 3 -  User Settings

  Group to which user is assigned HelpDesk

  TACACS+ Enable Control - Use Group Level Settings

  Shell Command Authorization Set - As Group

Silver

ACS Read Only Device Access

Hi,

Are you sure you have this on the device (Switch/Router)?

aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

If possible attach a screenshot of the configuration on ACS.

Rate if it helps

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed
New Member

ACS Read Only Device Access

Here is my switch AAA config:

aaa authentication login default group tacacs+ local

aaa authorization config-commands

aaa authorization exec default group tacacs+ local

aaa authorization commands 0 defalt group tacacs+ local

aaa authorization commands 1 defalt group tacacs+ local

aaa authorization commands 15 defalt group tacacs+ local

aaa accounting commands 15 default start-stop group tacacs+

Here are screen shots for a user - robin.hood

Silver

ACS Read Only Device Access

Hi,

As per your configuration:

aaa authorization commands 0 defalt group tacacs+ local

aaa authorization commands 1 defalt group tacacs+ local

aaa authorization commands 15 defalt group tacacs+ local

All three lines have "defalt" instead of "default".

I am not sure if you just typed it wrong over here. If this is what you really have, then IOS will treat it as a named method list and will expect you to apply it on the vty or console lines (which is not mandatory, but it will not work until you apply it).

You have to use default, if you don't want method lists.

Rate if useful

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed
New Member

ACS Read Only Device Access

What a dummy I am... typo. I changed the commands and I was able to log in and run the show run command. However, I was not able to run exit and dir. What am I missing here? Here is a screenshot:

Cisco Employee

ACS Read Only Device Access

You also need to add permit entries for exit and dir, with Permit Unmatched Args checked.

OR

You may check the Permit Unmatched Args option for exit and dir.

~BR Jatin Katyal **Do rate helpful posts**
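The three points made in this thread (the device needs `aaa authorization commands <level> default ...`, a mistyped list name such as "defalt" is a named method list that does nothing until it is applied under `line vty`, and the ACS set must list exit and dir explicitly because Unmatched Commands is Deny) can be replayed with a small model. The following is an added example, not code from this thread or from Cisco. It parses the posted switch config to find which privilege levels actually have TACACS+ command authorization in force, and evaluates commands against an ACS 4.x style shell command authorization set. Assumptions: IOS expands abbreviations such as `sh run` before sending the request (so the model takes the expanded form); ACS argument patterns are simplified to regexes that must match the whole argument string; the `local` fallback is ignored because it only matters when the TACACS+ server is unreachable. The vty block in the sample config is constructed, not from the post.

```python
"""Replay of the thread: IOS only asks ACS when an effective command
authorization method list exists for the user's privilege level; the ACS
set then answers per command.  Added example, not Cisco code."""
import re
from dataclasses import dataclass, field


@dataclass
class CommandEntry:
    """One command row in an ACS 4.x shell command authorization set."""
    permit_unmatched_args: bool = False
    arg_rules: list = field(default_factory=list)  # ("permit"|"deny", regex)


@dataclass
class CommandSet:
    """An ACS shell command authorization set (simplified matching)."""
    name: str
    unmatched_commands: str                       # "permit" or "deny"
    commands: dict = field(default_factory=dict)  # command -> CommandEntry

    def authorize(self, cmdline: str) -> bool:
        words = cmdline.split()          # already expanded, as IOS sends it
        if not words:
            return True
        cmd, args = words[0], " ".join(words[1:])
        entry = self.commands.get(cmd)
        if entry is None:
            return self.unmatched_commands == "permit"
        for action, pattern in entry.arg_rules:   # assumption: regex full match
            if re.fullmatch(pattern, args):
                return action == "permit"
        return entry.permit_unmatched_args


def effective_method_lists(ios_config: str) -> dict:
    """{privilege level: methods} that IOS applies on the vty lines.  The
    list named 'default' applies by itself; any other name only takes effect
    once 'authorization commands <level> <name>' is entered under line vty."""
    defined, applied, in_vty = {}, {}, False
    for raw in ios_config.splitlines():
        line = raw.strip()
        m = re.match(r"aaa authorization commands (\d+) (\S+) (.+)", line)
        if m:
            defined[(int(m.group(1)), m.group(2))] = m.group(3).split()
            continue
        if line.startswith("line vty"):
            in_vty = True
            continue
        if line.startswith("line ") or line == "!":
            in_vty = False
        m = re.match(r"authorization commands (\d+) (\S+)", line)
        if in_vty and m:
            applied[int(m.group(1))] = m.group(2)
    return {level: methods for (level, name), methods in defined.items()
            if name == "default" or applied.get(level) == name}


def device_authorizes(ios_config, command_set, priv_level, cmdline) -> bool:
    """True if the command runs.  Without a tacacs+ method list in force for
    this privilege level IOS never consults ACS, which is why privilege 15
    plus a mistyped list name looks like full access whatever the set says."""
    methods = effective_method_lists(ios_config).get(priv_level, [])
    if "tacacs+" not in methods:
        return True
    return command_set.authorize(cmdline)


# Switch config as posted (with the 'defalt' typo); vty block is constructed.
TYPO_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 defalt group tacacs+ local
aaa authorization commands 1 defalt group tacacs+ local
aaa authorization commands 15 defalt group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
!
line vty 0 4
 transport input ssh
"""
FIXED_CONFIG = TYPO_CONFIG.replace("defalt", "default")

# Read_Access as first tried: Unmatched Commands = Deny, only show listed.
READ_ONLY = CommandSet("Read_Access", "deny",
                       {"show": CommandEntry(permit_unmatched_args=True)})
# The same set after the last fix in the thread: exit and dir added.
FIXED_SET = CommandSet("Read_Access", "deny", {
    "show": CommandEntry(permit_unmatched_args=True),
    "exit": CommandEntry(permit_unmatched_args=True),
    "dir": CommandEntry(permit_unmatched_args=True)})


def walkthrough() -> dict:
    """(config label, privilege level, command) -> permit decision."""
    scenarios = (("defalt", TYPO_CONFIG, 15), ("default", FIXED_CONFIG, 15),
                 ("default", FIXED_CONFIG, 1))
    results = {}
    for label, cfg, level in scenarios:
        for cmd in ("enable", "show running-config", "configure terminal",
                    "exit", "dir"):
            results[(label, level, cmd)] = device_authorizes(cfg, READ_ONLY,
                                                             level, cmd)
    return results


if __name__ == "__main__":
    for (label, level, cmd), ok in walkthrough().items():
        print(f"{label:7} priv {level:2} {cmd:20} -> {'permit' if ok else 'deny'}")
```

With the mistyped list name every command at privilege 15 is permitted locally because ACS is never asked; with `default` the same user can run `show running-config` but not `configure terminal`, and `exit` and `dir` are denied until they are added to the set, exactly the sequence the thread went through. The `arg_rules` field is there to show that a `deny` line on a listed command (for example denying `running-config` under `show`) is evaluated before the Permit Unmatched Args checkbox.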
New Member

ACS Read Only Device Access

That was it.  Thanks.

So, what is the easiest way to restrict a user to access only a certain device or certain subnet only?

Cisco Employee

ACS Read Only Device Access

Read this doc:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

~BR Jatin Katyal **Do rate helpful posts**