Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

permiting/denying commands via ACS

I am attempting to set up a couple of different user levels in are ACS server. Group 1 will have all privilages (15). Group 2 will have limited access to command sets (help desk folks). I was hoping I could avoid putting any "privilege exec level" commands in the router but rather control everything from the ACS server. I set up a group 2 and assigned priviliage level 7 to it. Through the "Shell Command Authorization Set" I was hoping to be able to apply the necessary commands this group could exicute but it doesn't seem to be working. The commands that I "permit" for this group do not get exicuted. Users in Group 1 (level 15) work fine. I have both the "SHELL EXEC privilage levels and the MAX PRIVILEGE enable options set to level 7 in the ACS server for group 2.

Any hints on what I'm missing. Attached is a copy of my router config.

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable none

aaa authorization exec default group tacacs+ none

aaa authorization commands 7 default group tacacs+ local

enable password cisco

!

username admin privilege 15 password 0 cisco

!

tacacs-server host 136.237.26.10

tacacs-server timeout 10

tacacs-server key cisco

!

line con 0

line aux 0

line vty 0 4

password cisco

Authentication is working fine against our NT domain.

3 REPLIES

Re: permiting/denying commands via ACS

I found this an interesting challenge. Hooked a laptop to the console, copied the config in a test machine, set up AAA and checked your findings. It is working now. I think you did not alter the setting for the user under enable options. It is set to No Privilege by default. Set this to use group level settings. I also had to configure the enable password for the user in ACS.

Here is a copy of my AAA settings:

!

aaa new-model

aaa authentication login default tacacs+ enable

aaa authentication login no_tacacs enable

aaa authentication enable default tacacs+ enable none

aaa authorization exec default tacacs+ if-authenticated

aaa authorization commands 7 default tacacs+ local

aaa authorization commands 15 default tacacs+ local

aaa accounting exec default start-stop tacacs+

!

The method no_tacacs is used for the console to prevent admin-lockouts.

Doing a debug aaa authen & author was quite helpful in getting this to work.

Without specifying any commands, TACACS now refuses to enable because: -T+ enable privilege too low -.

Regards,

Leo

Re: permiting/denying commands via ACS

Re-reading your question I concluded that my answer was not complete. I did some additional research and now I think I know how it works with ACS.

When you check for command authorization :

aaa authorization commands 15 default tacacs+ local

you are requesting authorization for all level 15 (in this case) commands.

When you grant level 7 to a user, no commands will be checked while the users priv lvl is too low.

What I did was this: grant level 15 to the testusers group. Then, in the ACS, add the commands that are allowed for the group, the command for example. While all enable-mode commands are level 15 by default, they are all checked. Level 1-commands are allowed also as they are not checked bij the ACS.

I also found that it makes no difference when you enter a certain level under the enable-options. It works with level 15 as priv-level under shell settings.

Hope this solves your issue.

Regards,

Leo

Community Member

Re: permiting/denying commands via ACS

Hi,

I am a beginner with ACS and am trying the same thing. I have ACS 3.2 and am trying to create a helpdesk user which only has the following access (eg):

show running-config interface fastethernet

show mac-address-table

We have admins setup and all work no problem with priv 15.

My router config is as follows:

aaa new-model

aaa authentication login radius-login group radius local

aaa authentication enable default group radius enable none

aaa authorization console

aaa authorization exec default group radius local

In ACS I created a helpdesk user and a helpdesk group. I assigned a "shell command authorization set" to the group. This has "show" in one box (box has no title(!) ) and "permit running-config interface fastethernet" and "permit mac-address-table " in the other.

However it doesn't work.

The helpdesk either gets full control once logged in or else gets a user prompt only.

I also played around with the "cisco-av pair" field

entering this "priv-lvl=15" and "priv-lvl=7" alternatively to no avail.

Can anyone here let me know what I am doing wrong?

Many thanks indeed,

SS

242
Views
0
Helpful
3
Replies
CreatePlease to create content