permiting/denying commands via ACS

jrhofman
Level 1

I am attempting to set up a couple of different user levels in our ACS server. Group 1 will have all privileges (15). Group 2 will have limited access to command sets (help desk folks). I was hoping I could avoid putting any "privilege exec level" commands in the router but rather control everything from the ACS server. I set up a group 2 and assigned privilege level 7 to it. Through the "Shell Command Authorization Set" I was hoping to be able to apply the necessary commands this group could execute, but it doesn't seem to be working. The commands that I "permit" for this group do not get executed. Users in Group 1 (level 15) work fine. I have both the "SHELL EXEC privilege level" and the "MAX PRIVILEGE" enable options set to level 7 in the ACS server for group 2.

Any hints on what I'm missing? Attached is a copy of my router config.

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable none
aaa authorization exec default group tacacs+ none
aaa authorization commands 7 default group tacacs+ local
enable password cisco
!
username admin privilege 15 password 0 cisco
!
tacacs-server host 136.237.26.10
tacacs-server timeout 10
tacacs-server key cisco
!
line con 0
line aux 0
line vty 0 4
password cisco

Authentication is working fine against our NT domain.

3 Replies

lgijssel
Level 9

I found this an interesting challenge. Hooked a laptop to the console, copied the config in a test machine, set up AAA and checked your findings. It is working now. I think you did not alter the setting for the user under enable options. It is set to No Privilege by default. Set this to use group level settings. I also had to configure the enable password for the user in ACS.

Here is a copy of my AAA settings:

!
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication login no_tacacs enable
aaa authentication enable default tacacs+ enable none
aaa authorization exec default tacacs+ if-authenticated
aaa authorization commands 7 default tacacs+ local
aaa authorization commands 15 default tacacs+ local
aaa accounting exec default start-stop tacacs+
!

The method no_tacacs is used for the console to prevent admin-lockouts.

Doing a "debug aaa authentication" and "debug aaa authorization" was quite helpful in getting this to work.

Without specifying any commands, TACACS now refuses to enable because: "T+ enable privilege too low".

Regards,

Leo

lgijssel
Level 9

Re-reading your question I concluded that my answer was not complete. I did some additional research and now I think I know how it works with ACS.

When you check for command authorization with:

aaa authorization commands 15 default tacacs+ local

you are requesting authorization for all level 15 (in this case) commands.

When you grant level 7 to a user, no commands will be checked while the user's priv lvl is too low.

What I did was this: grant level 15 to the testusers group. Then, in the ACS, add the commands that are allowed for the group, the command for example. While all enable-mode commands are level 15 by default, they are all checked. Level 1 commands are allowed also as they are not checked by the ACS.

I also found that it makes no difference when you enter a certain level under the enable-options. It works with level 15 as priv-level under shell settings.

Hope this solves your issue.

Regards,

Leo

Hi,

I am a beginner with ACS and am trying the same thing. I have ACS 3.2 and am trying to create a helpdesk user which only has the following access (eg):

show running-config interface fastethernet

show mac-address-table

We have admins setup and all work no problem with priv 15.

My router config is as follows:

aaa new-model
aaa authentication login radius-login group radius local
aaa authentication enable default group radius enable none
aaa authorization console
aaa authorization exec default group radius local

In ACS I created a helpdesk user and a helpdesk group. I assigned a "shell command authorization set" to the group. This has "show" in one box (the box has no title!) and "permit running-config interface fastethernet" and "permit mac-address-table" in the other.

However it doesn't work.

The helpdesk either gets full control once logged in or else gets a user prompt only.

I also played around with the "cisco-av pair" field, entering "priv-lvl=15" and "priv-lvl=7" alternately, to no avail.

Can anyone here let me know what I am doing wrong?

Many thanks indeed,

SS
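To make Leo's second answer and the helpdesk set from the last post concrete (why a level-7 user never reaches the commands permitted in ACS, and what the "show" set with its two permit patterns would actually allow), here is an added Python model that is not from this thread or from Cisco. The IOS privilege-level table, the ACS argument-matching rules and the decision strings are simplifying assumptions, labelled as such in the code.

```python
import re
from typing import NamedTuple

class CommandSet(NamedTuple):
    """Simplified model of an ACS 3.x Shell Command Authorization Set (assumption)."""
    commands: dict           # command word -> [(action, argument regex), ...]
    unmatched_commands: str  # action for commands not listed: "permit" | "deny"
    unlisted_args: str       # action for a listed command whose args match no rule

# Constructed IOS privilege-level table for the commands discussed in the thread.
IOS_LEVELS = {"show": 1, "show running-config": 15, "show mac-address-table": 1,
              "configure": 15, "debug": 15}

# The helpdesk set from the last post: "show" plus two permitted argument patterns.
HELPDESK_SET = CommandSet(
    commands={"show": [("permit", r"running-config interface fastethernet"),
                       ("permit", r"mac-address-table")]},
    unmatched_commands="deny",
    unlisted_args="deny",
)

def command_level(line, levels):
    """Longest-prefix lookup of the privilege level IOS assigns to a command line."""
    words = line.split()
    for n in range(len(words), 0, -1):
        prefix = " ".join(words[:n])
        if prefix in levels:
            return levels[prefix]
    return 1

def acs_decision(line, cs):
    """What ACS answers once the router actually sends an authorization request."""
    cmd, *args = line.split()
    rules = cs.commands.get(cmd)
    if rules is None:
        return cs.unmatched_commands
    argstr = " ".join(args)
    for action, pattern in rules:
        if re.match(pattern, argstr):   # ACS matches argument patterns as regexes
            return action
    return cs.unlisted_args

def authorize(line, user_priv, cs, authorized_levels, levels=IOS_LEVELS):
    """Full path: IOS parser -> 'aaa authorization commands <lvl>' -> ACS set."""
    lvl = command_level(line, levels)
    if lvl > user_priv:
        return "parser-reject"      # command is not even visible at this priv level
    if lvl not in authorized_levels:
        return "permit-unchecked"   # no 'aaa authorization commands <lvl>': never sent
    return acs_decision(line, cs)
```

With `authorized_levels={7}` and a level-7 user, `show running-config interface fastethernet0/1` is rejected by the parser before ACS is ever consulted; with a level-15 user and `{7, 15}` the same command is permitted, `show ip route` passes unchecked as a level-1 command, and `configure terminal` is denied by the set.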
