06-04-2003 04:39 PM - edited 03-10-2019 07:20 AM
I am attempting to set up a couple of different user levels in our ACS server. Group 1 will have all privileges (15). Group 2 will have limited access to command sets (help desk folks). I was hoping I could avoid putting any "privilege exec level" commands in the router but rather control everything from the ACS server. I set up a group 2 and assigned privilege level 7 to it. Through the "Shell Command Authorization Set" I was hoping to be able to apply the necessary commands this group could execute, but it doesn't seem to be working. The commands that I "permit" for this group do not get executed. Users in Group 1 (level 15) work fine. I have both the "Shell Exec privilege level" and the "Max Privilege" enable options set to level 7 in the ACS server for group 2.
Any hints on what I'm missing? Attached is a copy of my router config.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable none
aaa authorization exec default group tacacs+ none
aaa authorization commands 7 default group tacacs+ local
enable password cisco
!
username admin privilege 15 password 0 cisco
!
tacacs-server host 136.237.26.10
tacacs-server timeout 10
tacacs-server key cisco
!
line con 0
line aux 0
line vty 0 4
password cisco
Authentication is working fine against our NT domain.
06-05-2003 01:41 AM
I found this an interesting challenge. Hooked a laptop to the console, copied the config in a test machine, set up AAA and checked your findings. It is working now. I think you did not alter the setting for the user under enable options. It is set to No Privilege by default. Set this to use group level settings. I also had to configure the enable password for the user in ACS.
Here is a copy of my AAA settings:
!
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication login no_tacacs enable
aaa authentication enable default tacacs+ enable none
aaa authorization exec default tacacs+ if-authenticated
aaa authorization commands 7 default tacacs+ local
aaa authorization commands 15 default tacacs+ local
aaa accounting exec default start-stop tacacs+
!
The method no_tacacs is used for the console to prevent admin lockouts.
Doing a debug aaa authentication & authorization was quite helpful in getting this to work.
Without specifying any commands, TACACS+ now refuses to enable because: "T+ enable privilege too low".
Regards,
Leo
06-06-2003 02:35 AM
Re-reading your question I concluded that my answer was not complete. I did some additional research and now I think I know how it works with ACS.
When you check for command authorization :
aaa authorization commands 15 default tacacs+ local
you are requesting authorization for all level 15 (in this case) commands.
When you grant level 7 to a user, no commands will be checked while the user's priv lvl is too low.
What I did was this: grant level 15 to the testusers group. Then, in the ACS, add the commands that are allowed for the group, the command
I also found that it makes no difference when you enter a certain level under the enable-options. It works with level 15 as priv-level under shell settings.
Hope this solves your issue.
Regards,
Leo
07-09-2003 03:49 AM
Hi,
I am a beginner with ACS and am trying the same thing. I have ACS 3.2 and am trying to create a helpdesk user that only has the following access (e.g.):
show running-config interface fastethernet
show mac-address-table
We have admins set up and all work no problem with priv 15.
My router config is as follows:
aaa new-model
aaa authentication login radius-login group radius local
aaa authentication enable default group radius enable none
aaa authorization console
aaa authorization exec default group radius local
In ACS I created a helpdesk user and a helpdesk group. I assigned a "shell command authorization set" to the group. This has "show" in one box (the box has no title!) and "permit running-config interface fastethernet" and "permit mac-address-table " in the other.
However it doesn't work.
The helpdesk either gets full control once logged in or else gets a user prompt only.
I also played around with the "cisco-av pair" field, entering "priv-lvl=15" and "priv-lvl=7" alternately, to no avail.
Can anyone here let me know what I am doing wrong?
Many thanks indeed,
SS
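The following is an added example that is not part of the thread and not Cisco's code. It models the two interacting checks Leo describes in his second reply (the router only sends an authorization request for commands whose level appears in an `aaa authorization commands <level>` line, and a user whose privilege level is below the command's level is refused by IOS before ACS is ever asked) together with the helpdesk command set SS describes. The ACS matching model (first matching "permit"/"deny" argument line wins, unmatched arguments and unlisted commands are denied) and the table of IOS command levels are assumptions for the demo, as is the extra deny line hiding one interface; the result codes PRIV_TOO_LOW, NOT_CHECKED, PERMIT and DENY are names chosen here, not IOS or ACS output.

```python
import re
from dataclasses import dataclass

# ---- ACS side: a shell command authorization set (assumed model) ----
@dataclass
class CommandSet:
    # command word -> ordered list of (action, regex) argument rules,
    # mirroring the "permit <pattern>" / "deny <pattern>" lines in the ACS set
    rules: dict
    unmatched_commands: str = "DENY"   # commands not listed in the set at all
    unmatched_args: str = "DENY"       # listed command, but no argument rule matched

    def decide(self, command: str, args: str) -> str:
        """First matching argument rule wins (assumed to mirror ACS top-down evaluation)."""
        if command not in self.rules:
            return self.unmatched_commands
        for action, pattern in self.rules[command]:
            if re.search(pattern, args):
                return action
        return self.unmatched_args

# ---- Router side: `aaa authorization commands <level>` and IOS command levels ----
@dataclass
class Router:
    authorized_levels: set    # levels from `aaa authorization commands N default tacacs+ ...`
    command_levels: list      # constructed (prefix, level) table; longest prefix wins

    def level_of(self, line: str) -> int:
        matches = [(len(p), lvl) for p, lvl in self.command_levels if line.startswith(p)]
        return max(matches)[1] if matches else 1

def run_command(router: Router, acs_set: CommandSet, user_priv: int, line: str) -> str:
    """Return what the user experiences: PRIV_TOO_LOW, NOT_CHECKED, PERMIT or DENY."""
    line = " ".join(line.split())
    command, _, args = line.partition(" ")
    needed = router.level_of(line)
    if user_priv < needed:
        # IOS refuses the command itself; ACS never sees an authorization request
        return "PRIV_TOO_LOW"
    if needed not in router.authorized_levels:
        # no `aaa authorization commands <needed>` line, so the command runs unchecked
        return "NOT_CHECKED"
    return acs_set.decide(command, args)

# Constructed IOS command levels for the demo (real levels vary by IOS release)
IOS_LEVELS = [("show", 1), ("show running-config", 15), ("configure", 15), ("reload", 15)]

# The helpdesk set from SS's post, plus one constructed deny line to show rule ordering
HELPDESK = CommandSet(rules={"show": [
    ("DENY", r"running-config interface fastethernet0/0$"),   # constructed: hide the uplink
    ("PERMIT", r"running-config interface fastethernet"),
    ("PERMIT", r"mac-address-table"),
]})

# Scenario 1: the thread's starting point - user at level 7, only level-15 commands authorized
ORIGINAL = Router(authorized_levels={15}, command_levels=IOS_LEVELS)
# Scenario 2: Leo's approach - user at level 15, every level the helpdesk can reach is authorized
FIXED = Router(authorized_levels={1, 15}, command_levels=IOS_LEVELS)

def demo() -> dict:
    cmds = ["show running-config interface fastethernet0/1", "show mac-address-table",
            "show running-config", "show running-config interface fastethernet0/0",
            "configure terminal"]
    return {
        "level7_original": {c: run_command(ORIGINAL, HELPDESK, 7, c) for c in cmds},
        "level15_fixed": {c: run_command(FIXED, HELPDESK, 15, c) for c in cmds},
    }

if __name__ == "__main__":
    for name, results in demo().items():
        print(name)
        for cmd, outcome in results.items():
            print(f"  {outcome:13} {cmd}")
```

Running the demo shows the pattern Leo found: at level 7 the level-15 "show running-config ..." commands never reach ACS, while "show mac-address-table" runs unchecked because no `aaa authorization commands 1` line exists. At level 15 with both levels authorized, the ACS set does the restricting: the two permitted argument patterns pass, a bare "show running-config" and "configure terminal" are denied, and the constructed deny line is honoured because it sits above the broader permit.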