ACS shell authorization

royalblues
Level 10

Is it possible to configure shell authorization when the privilege level is set to anything less than 15?

What I am doing right now is configuring level 15 access and restricting the commands through shell sets. When I try to assign any other privilege level it doesn't seem to work.

HTH

Narayan


8 Replies

kamal-learn
Level 4

Hi,

Are you using auth-proxy or what?

As far as I know, for auth-proxy you cannot use another level under 15. The only thing allowed is a single (permit) statement with (any) as the source, and the level is 15:

proxyacl#1=permit any
.
.
.
PRIVLVL=15 (under the argument area..)

HTH

Please do rate if it does help

Vivek Santuka
Cisco Employee

Narayan,

Even if you define a privilege level less than 15 on the device and apply command authorization on that level, you will need to reduce the privilege level of the commands which you need to execute on the lower privilege level.

After reducing the privilege level of selected commands on the device, applying command authorization will be a waste.

Vivek,

I am probably confused with your post.

What I want to achieve is something like this.

Say I want to restrict one group to just the following commands:

Sh ip int brief

sh int

ping

I don't want to assign a privilege level of 15 to this group and then restrict it; what I want is to assign a privilege level of, say, 5 or 10 and then restrict.

Can this be done?

Narayan

Narayan,

Let's say you assign a privilege level of 10 to the user on the AAA server. The user will log on to the device at level 10, but "sh ip int br" and "sh int" are level 15 commands, hence he will not be able to use them.

So what we will need to do is reduce the privilege level of the "sh ip int br" and "sh int" commands on the device itself to level 10 using the "privilege" command in global configuration mode.

After doing this, only "sh ip int br" and "sh int" commands will be available at level 10 and not other privilege 15 commands.

Now, further, if you want Group A to execute only "sh ip int br" and Group B to execute only "sh int", then you can apply command authorization for level 10.

Hope this helps
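
The device-side configuration described in the accepted answer, written out as an added example (not the poster's own configuration). It assumes an IOS device, a TACACS+ server group named ACS that has already been defined, and an ACS shell profile that returns priv-lvl 10 for the user. The `ping` command from the original question is included alongside the two `show` commands.

```cisco
! Lower the three commands the group needs from level 15 to level 10.
! Lowering a multi-word command also makes its leading keywords
! ("show", "show ip", "show ip interface") available at that level.
! Note that "show interfaces" at level 10 exposes every subform of
! "show interfaces ...", so be as specific as the CLI allows.
privilege exec level 10 show ip interface brief
privilege exec level 10 show interfaces
privilege exec level 10 ping

! Command authorization for level 10 only: each level-10 command is
! sent to ACS, where per-group command sets decide which of the
! lowered commands a given group may actually run. The "local" fallback
! keeps the box manageable if ACS is unreachable.
aaa new-model
aaa authorization commands 10 default group ACS local

! Verification (once logged in as the level-10 user):
!   show privilege          -> Current privilege level is 10
!   show ip interface brief -> permitted if ACS authorizes it
!   configure terminal      -> rejected, still a level 15 command
```

Everything not explicitly lowered stays at level 15, so a level-10 user gets exactly the lowered commands, and only those of them that the ACS command set for their group permits.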

Thanks Vivek,

It would be a burden to configure the commands on each device (I have about 700).

I think it's better to assign priv 15 and restrict.

BTW is there any document which can show the commands and their associated privilege levels?

Narayan

Narayan,

I am looking to do the same as you are. Please post if you have found a solution.

Thanks,

Harton

Narayan,

I could not find any document, but you can go to the level one prompt of any IOS device and check the commands available. All the rest are level 15 commands.

Thanks Vivek for the answer.

Harton, I didn't find any easier way other than allowing priv 15 access and restricting them with shell authorization.

HTH

Narayan
