Added a new set. Call it NOC. I added the command "show". For "Unmatched Commands", I selected Deny. I also checked "Permit Unmatched Args".
(2) Group Setup.
Created a new group. Call it NOC. For Enable Options, I selected "Max Privilege for any AAA Client" value of "Level 7".
For TACACS+ Settings, I checked "Shell (exec)" and set "Privilege level" to 7.
For Shell Command Authorization Set, I selected NOC for "Assign a Shell Command Authorization Set for any network device".
(3) User Setup.
Created a new user. Call it noc. Assigned it to group NOC. All parameters point to the group settings.
(4) The AAA commands on the routers/switches are as follows:
aaa authentication login default group tacacs+ local enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
ip tacacs source-interface Loopback0
tacacs-server host 10.10.10.10 key 0 tacacskey
When the noc logs in, he's given privilege level 7. True, he's limited to only "show" commands. He can't do "config t". However, he also can't do "show run". Is it normal? I'd need him to be able to do "show run". How to configure the ACS?
I have just been working with the same thing, and done some reading on safaribooksonline.com.
In the book "Cisco Access Control Security: AAA Administrative Services"
by Brandon Carroll there is a chapter about "Configuring Shared Profile Components" under "Enterprise AAA and Cisco Secure Access Control Server". In one of the illustrations he explains how to permit sub-arguments.
He also says that "The capability of command authorization is available in most Cisco routers and PIX Firewalls at the local level", and I have not managed to make it work on switches. So if you made it work, I have to keep on working with it.
I have tried configuring a similar shell command authorization set that explicitly permits only "show running-config". Logged in to a Cat3560 using a user account attached to this authorization set, I couldn't issue the command "sh run". I have not tried it on a router.
By the way, for Group Setup what values do you configure for the following parameters:
(1) Under Enable Options - "Max Privilege for any AAA Client"
>> I selected Level 7.
(2) Under TACACS+ Settings - "Privilege level"
>> I checked "Shell (exec)" and set level 7.
What's the difference between the Privilege level for Enable Options and the one for TACACS+ Settings?
Is it default behavior that we can't bring down the command "show run" to lower privilege level?
If I configured the following on the IOS devices instead:
username test privilege 7 password 0 test
privilege exec level 7 show running-config
line vty 0 4
When user "test" telnets in and issues "sh run", he sees a blank config. Why is it so?
My intention is to create a shell command authorization set that allows a user group to only perform "show" commands, including the complete config from "sh run". This group is not allowed to configure anything.
See my original post for my configuration steps. I tied the group to the above authorization set and assigned it Level 7.
The outcome is, the user can do all "show" commands except "sh run". Of course, he is not authorized for configuration commands.
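Added example, not from any of the posters in this thread: an IOS AAA configuration in which the ACS shell command authorization set, rather than the IOS privilege level, decides what the NOC group may run. It reuses the TACACS+ server, key and source interface from the original post, assumes the ACS set "NOC" permits "show" and denies unmatched commands as described there, and assumes the NOC group's TACACS+ shell privilege level on ACS is raised from 7 to 15. The comments also cover why the local "privilege exec level 7 show running-config" test shows an almost empty configuration.

```cisco
! Added example (not the original poster's configuration).
! Assumptions: TACACS+ server 10.10.10.10 with key "tacacskey" and source
! interface Loopback0 as in the thread; ACS command set "NOC" = permit "show",
! deny unmatched commands, permit unmatched arguments; NOC group shell
! privilege level on ACS set to 15.
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authorization exec default group tacacs+ local
!
! The original config only authorizes the exec session. No "aaa authorization
! commands" line means the ACS command set is never asked about individual
! commands; IOS falls back to its built-in privilege levels, where
! "show running-config" and "configure terminal" are level-15 commands, so a
! level-7 session is refused "show run" regardless of what ACS permits.
! Sending level-1 and level-15 commands to TACACS+ makes the ACS set the
! enforcement point. "local" is the fallback if every TACACS+ server is down.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! Also pass configuration-mode commands through the same command set.
aaa authorization config-commands
!
! Account for what the ACS set permitted (level 1 commands were not
! accounted for in the original config).
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
ip tacacs source-interface Loopback0
tacacs-server host 10.10.10.10 key 0 tacacskey
!
! Why the local test in the thread shows a blank config: with
! "privilege exec level 7 show running-config" the user can run the command,
! but IOS filters the output to the configuration commands that the user's
! own privilege level may enter, and nearly all of those sit at level 15.
! Keeping the NOC session at level 15 and restricting it with the ACS command
! set avoids that filtering: "show run" returns the full configuration, while
! "configure terminal" is denied by the "deny unmatched commands" rule.
```

On the ACS side this pairs with Group Setup > TACACS+ Settings > Shell (exec) > Privilege level 15 for the NOC group; the command set "NOC" then does the restricting. Before relying on it, verify from a second session that a NOC user can run "show running-config" and is refused "configure terminal", and check that the accounting records for both attempts reach the ACS.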