I am attempting to set up a couple of different user levels in our ACS server. Group 1 will have all privileges (15). Group 2 will have limited access to command sets (help desk folks). I was hoping I could avoid putting any "privilege exec level" commands in the router but rather control everything from the ACS server. I set up a group 2 and assigned privilege level 7 to it. Through the "Shell Command Authorization Set" I was hoping to be able to apply the necessary commands this group could execute, but it doesn't seem to be working. The commands that I "permit" for this group do not get executed. Users in Group 1 (level 15) work fine. I have both the "Shell exec privilege level" and the "Max Privilege for any AAA Client" enable options set to level 7 in the ACS server for group 2.
Any hints on what I'm missing? Attached is a copy of my router config.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable none
aaa authorization exec default group tacacs+ none
aaa authorization commands 7 default group tacacs+ local
enable password cisco
username admin privilege 15 password 0 cisco
tacacs-server host 184.108.40.206
tacacs-server timeout 10
tacacs-server key cisco
line con 0
line aux 0
line vty 0 4
Authentication is working fine against our NT domain.
I found this an interesting challenge. Hooked a laptop to the console, copied the config to a test machine, set up AAA and checked your findings. It is working now. I think you did not alter the setting for the user under enable options. It is set to "No Enable Privilege" by default. Set this to use the group level setting. I also had to configure the enable password for the user in ACS.
Re-reading your question I concluded that my answer was not complete. I did some additional research and now I think I know how it works with ACS.
When you configure command authorization:
aaa authorization commands 15 default tacacs+ local
you are requesting authorization for all level 15 (in this case) commands.
When you grant level 7 to a user, no commands will be checked, because the user's priv lvl is too low.
What I did was this: grant level 15 to the testusers group. Then, in the ACS, add the commands that are allowed for the group, the command for example. Since all enable-mode commands are level 15 by default, they are all checked. Level-1 commands are allowed also, as they are not checked by the ACS.
I also found that it makes no difference which level you enter under the enable options. It works with level 15 as priv level under shell settings.
I am a beginner with ACS and am trying the same thing. I have ACS 3.2 and am trying to create a helpdesk user which only has the following access (e.g.):
show running-config interface fastethernet
We have admins setup and all work no problem with priv 15.
My router config is as follows:
aaa authentication login radius-login group radius local
aaa authentication enable default group radius enable none
aaa authorization console
aaa authorization exec default group radius local
In ACS I created a helpdesk user and a helpdesk group. I assigned a "shell command authorization set" to the group. This has "show" in one box (the box has no title!) and "permit running-config interface fastethernet" and "permit mac-address-table" in the other.
However it doesn't work.
The helpdesk either gets full control once logged in or else gets a user prompt only.
I also played around with the "cisco-av pair" field,
entering "priv-lvl=15" and "priv-lvl=7" alternately, to no avail.
Can anyone here let me know what I am doing wrong?
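The two questions above and the reply in between all turn on the same decision chain: the IOS parser first checks whether the command's privilege level is at or below the session's level, then asks the TACACS+ server only if an "aaa authorization commands <level>" line exists for that command's level, and only then does the ACS shell command authorization set (per-command permit/deny argument patterns, plus the "Permit Unmatched Args" and "Unmatched Commands" switches) get a say. The Python model below is an added example, not code from either poster or from Cisco; the privilege-level table is an assumed subset of IOS defaults, and the argument matching is assumed to be a regular expression anchored at the start of the argument string. It reproduces the first poster's situation (priv 7 with only "commands 7" authorized, so a level-15 command never reaches ACS), the second poster's config (no "aaa authorization commands" line at all, so ACS is never asked and the user has full control), and the reply's fix (priv 15 with "commands 15", and optionally "commands 1" to have level-1 commands checked too).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed subset of IOS default command privilege levels:
# show running-config and configure terminal are level 15, the rest level 1.
COMMAND_LEVELS: Dict[str, int] = {
    "show running-config": 15,
    "configure terminal": 15,
    "show interfaces": 1,
    "show mac-address-table": 1,
    "show version": 1,
}


def command_level(line: str) -> int:
    """Longest-prefix lookup of the IOS privilege level of a command line."""
    words = line.split()
    for n in range(len(words), 0, -1):
        level = COMMAND_LEVELS.get(" ".join(words[:n]))
        if level is not None:
            return level
    raise KeyError(f"no privilege level known for {line!r}")


@dataclass
class CommandRule:
    """One command entry in an ACS shell command authorization set."""
    args: List[Tuple[str, str]] = field(default_factory=list)  # (permit|deny, regex)
    permit_unmatched_args: bool = False  # ACS "Permit Unmatched Args" checkbox


@dataclass
class CommandSet:
    rules: Dict[str, CommandRule] = field(default_factory=dict)
    permit_unmatched_commands: bool = False  # ACS "Unmatched Commands" radio button

    def decide(self, cmd: str, args: str) -> str:
        rule = self.rules.get(cmd)
        if rule is None:
            return "permit" if self.permit_unmatched_commands else "deny"
        for action, pattern in rule.args:
            # Assumption: the cmd-arg values are joined with spaces and the
            # permit/deny pattern is matched as a regex from the start.
            if re.match(pattern, args):
                return action
        return "permit" if rule.permit_unmatched_args else "deny"


def run_command(line: str, priv_lvl: int, authorized_levels: Set[int],
                cmdset: CommandSet) -> Tuple[bool, str]:
    """Return (executed?, reason) for one command typed in an exec session.

    authorized_levels holds the <level> values from the router's
    'aaa authorization commands <level> default group tacacs+ ...' lines.
    """
    level = command_level(line)
    if level > priv_lvl:
        # The parser rejects it before any AAA request is built.
        return False, f"parser: command is level {level}, session is level {priv_lvl}"
    if level not in authorized_levels:
        return True, f"executed: no 'aaa authorization commands {level}', ACS not asked"
    words = line.split()
    verdict = cmdset.decide(words[0], " ".join(words[1:]))
    if verdict == "permit":
        return True, "executed: ACS command set permitted it"
    return False, "denied: ACS command set rejected it"


# The helpdesk set described in the second question: command "show" with
# two permit patterns and everything else unmatched (so denied).
HELPDESK_SET = CommandSet(rules={
    "show": CommandRule(args=[
        ("permit", r"running-config interface fastethernet"),
        ("permit", r"mac-address-table"),
    ]),
})

if __name__ == "__main__":
    cmd = "show running-config interface fastethernet 0/1"
    # First poster: priv 7, only 'aaa authorization commands 7' -> parser rejects.
    print(run_command(cmd, 7, {7}, HELPDESK_SET))
    # Second poster: no 'aaa authorization commands' at all -> full control.
    print(run_command("configure terminal", 15, set(), HELPDESK_SET))
    # Reply's fix: priv 15 plus 'aaa authorization commands 15'.
    for c in (cmd, "configure terminal", "show version"):
        print(c, run_command(c, 15, {15}, HELPDESK_SET))
    # Adding 'aaa authorization commands 1' puts level-1 commands under ACS control too.
    print(run_command("show version", 15, {1, 15}, HELPDESK_SET))
```

The model leaves out two details of the real exchange that do not change the outcome here: IOS appends a trailing "<cr>" argument to each authorization request, and configuration-mode commands are only authorized when "aaa authorization config-commands" is also present.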