Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
835
Views
0
Helpful
5
Replies

Filtering Priv 15 commands !

Go to solution
illusion_rox
Level 1
Level 1

‎05-28-2009 11:05 PM - edited ‎03-10-2019 04:30 PM

hi all, can i filter priv 15 configuration commands using ACS 3.3 ?. Suppose i want

"interface tunnel" command to be filtered so that any of my user in priv 15 is not able to use this command !!

is this possible using acs 3.3 ?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jagdeep Gambhir
Level 10
Level 10

‎05-29-2009 12:33 PM

Trick here is to give all user a priv 15 and then define command authorization set as per your need.

Giving priv 15 does not mean that user will able to execute all commands. You can set up authorization set and allow only specific commands you want user should be able to execute.

This is what you need on IOS device,

Router(config)# username [username] password [password]

tacacs-server host [ip]

tacacs-server key [key]

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands

On acs bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field

Please see this link,

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Regards,

~JG

Do rate helpful posts

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Jagdeep Gambhir
Level 10
Level 10

‎05-29-2009 12:33 PM

Trick here is to give all user a priv 15 and then define command authorization set as per your need.

Giving priv 15 does not mean that user will able to execute all commands. You can set up authorization set and allow only specific commands you want user should be able to execute.

This is what you need on IOS device,

Router(config)# username [username] password [password]

tacacs-server host [ip]

tacacs-server key [key]

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands

On acs bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field

Please see this link,

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Regards,

~JG

Do rate helpful posts

0 Helpful

Go to solution
illusion_rox
Level 1
Level 1
In response to Jagdeep Gambhir

‎06-01-2009 12:29 AM

Dear Sir, can you tell me how to perform local authorization ? if i dont have an external server then how can use local authorization to restrict the usage of commands on per user basis ?

Kindly guide me in this

0 Helpful

Go to solution
Jagdeep Gambhir
Level 10
Level 10
In response to illusion_rox

‎06-02-2009 06:28 AM

Hi ,

Please see this link, you can change the privilege of any command.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml

Regards,

~JG

Do rate helpful posts

0 Helpful

Go to solution
illusion_rox
Level 1
Level 1
In response to Jagdeep Gambhir

‎06-02-2009 08:08 PM

Dear JG, its so good to see you. thanks a lot for looking into this. Sir i know how to change the priv of any command. kindly look into my task pls

I want to assign a user priv 4.

I want him to run ONLY AND ONLY "show interfaces", restricting ALL OTHER COMMANDs, EACH AND EVERY COMMAND should be restricted. User in priv 4 should run only "show interfaces" and for exiting "exit" command. Thats it, no other commands should be available to him.

Sir kindly tell me is this possible ? can you provide me some sample configuration to achieve this task ?

NOte: i dont want to use any external server for this task. Just local authorization.

0 Helpful

Go to solution
Jagdeep Gambhir
Level 10
Level 10
In response to illusion_rox

‎06-03-2009 07:05 AM

You need this command

privilege exec level 4 show interfaces

Then increase a priv lvl of rest of the commands with priv lvl 0 and 1

privilege level 0 - Includes the disable, enable, exit, help, and logout commands.

#

privilege level 1 - Normal level on Telnet; includes all user-level commands at the router> prompt.

Regards,

~JG

Do rate helpful posts

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents