New Member

Read-only aaa statements

I've setup the TACACS server with two groups

-FULL admin rights

-READ only rights

Two users have been created

-admin_test

-read_test

The admin_test config works fine on AAA, but I keep getting stuck with the read_test configs. I can never get to enable mode, even though I've defined it in the group policy. Is there something wrong with my aaa statements below?

aaa authentication login default group tacacs+ line enable
aaa authentication enable default group tacacs+ enable line
aaa authorization exec default if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

4 REPLIES

Re: Read-only aaa statements

Hi,

Use this document to learn more about privilege levels and how to configure them:

http://www.cisco.com/warp/public/480/PRIV.html

You need to define the actual privilege levels: what's allowed and what's not. See the doc.

If you find this post useful, please don't forget to rate it.

#########################################

#Iwan Hoogendoorn

#########################################

New Member

Re: Read-only aaa statements

Privilege levels are not scalable in a big environment. What you need is authorization on the ACS server. In Cisco Freeware TACACS+ I defined the following groups: readonly, advanced and admin:

group = readonly {
    default service = deny
    # clauses for a command are tried in order and the first matching regex wins;
    # a "deny .*" line ahead of "permit .*" would block every show command, so
    # only the permit line is kept here
    cmd = show { permit .* }
    # note: "permit .*" on copy also allows copying onto the device (e.g. from tftp)
    cmd = copy { permit .* }
    cmd = ping { permit .* }
    cmd = enable { permit .* }
    cmd = configure { deny .* }
    cmd = disable { permit .* }
    cmd = telnet { permit .* }
    cmd = disconnect { permit .* }
    cmd = where { permit .* }
    cmd = set { permit .* }
    # only "clear line ..." is allowed; other clear arguments fall through to deny
    cmd = clear { permit line }
    cmd = exit { permit .* }
    # debug is permitted for this read-only group as posted
    cmd = debug { permit .* }
}

group = advanced {
    default service = deny
    cmd = show { permit .* }
    cmd = copy { permit flash }
    cmd = copy { permit running }
    cmd = ping { permit .* }
    cmd = configure { permit .* }
    cmd = enable { permit .* }
    cmd = disable { permit .* }
    cmd = telnet { permit .* }
    cmd = disconnect { permit .* }
    cmd = where { permit .* }
    cmd = set { permit .* }
    cmd = clear { permit line }
    cmd = exit { permit .* }
    cmd = interface { permit .* }
}

group = admin {
    # no cmd clauses: every command falls to the default, which permits
    default service = permit
}

As you can see, admin can access everything, readonly can only read, and advanced can make limited changes.

On the Cisco router, I have the following configuration:

aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
! "group tacacs+ if-authenticated none": the next method is tried only when the
! TACACS+ server is unreachable (not when it answers deny); in that case
! if-authenticated permits any command for an already-authenticated user
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+
! the named lists only take effect once applied under the lines, e.g. under
! "line vty 0 4": login authentication VTY / authorization exec VTY /
! authorization commands 15 VTY / accounting commands 15 VTY, and the notac
! lists under "line con 0"

I find that by doing it this way, it is much more scalable than using privilege commands on the router itself.

David

CCIE Security
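As an added example (not code from the thread, from tac_plus or from Cisco), the following Python simulates per-command authorization for groups written in the style of David's post. It shows why a "deny .*" clause placed ahead of "permit .*" for the same command (the readonly group in the thread had exactly that pair of show lines) blocks every show command, why "default service = deny" catches commands with no clause at all, and what "permit line" on clear does and does not allow. The group definitions are constructed for the illustration; the matching rules (clauses for a command word tried in order, first regex match wins, an unmatched argument string is denied, a command word with no clause falls to the default service, regex matched as an unanchored search) are my reading of tac_plus and should be checked against the daemon actually in use. The decision below is of course only ever consulted once the router sends command authorization requests, which is Vivek's point about the original aaa statements.

```python
import re

# Constructed tac_plus-style groups for this illustration (not the poster's file).
# "readonly_as_posted" keeps the "deny .*" show line ahead of "permit .*";
# "readonly_fixed" drops it.
CONFIG = """
group = readonly_as_posted {
    default service = deny
    cmd = show { deny .* }
    cmd = show { permit .* }
    cmd = configure { deny .* }
    cmd = clear { permit line }
}
group = readonly_fixed {
    default service = deny
    cmd = show { permit .* }
    cmd = configure { deny .* }
    cmd = clear { permit line }
}
group = admin {
    default service = permit
}
"""

GROUP_RE = re.compile(r"^group\s*=\s*(\S+)\s*\{$")
DEFAULT_RE = re.compile(r"^default\s+service\s*=\s*(permit|deny)$")
CMD_RE = re.compile(r"^cmd\s*=\s*(\S+)\s*\{\s*(permit|deny)\s+(.*?)\s*\}$")


def parse_groups(text):
    """Parse the subset of tac_plus group syntax used above into a dict."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = GROUP_RE.match(line)
        if m:
            current = groups.setdefault(m.group(1), {"default": "deny", "cmds": []})
            continue
        if line == "}":
            current = None
            continue
        if current is None:
            raise ValueError("statement outside a group: " + raw)
        m = DEFAULT_RE.match(line)
        if m:
            current["default"] = m.group(1)
            continue
        m = CMD_RE.match(line)
        if m:
            # (command word, action, compiled regex over the argument string)
            current["cmds"].append((m.group(1), m.group(2), re.compile(m.group(3))))
            continue
        raise ValueError("unsupported line: " + raw)
    return groups


def authorize(group, command_line):
    """Decide one IOS command line with first-match semantics.

    Assumed rules (my reading of tac_plus, not verified against the poster's
    server): clauses for the command word are tried in order, the first regex
    that matches the argument string decides, an unmatched argument string is
    denied, and a command word with no clause falls to "default service".
    The regex is an unanchored search, so "permit line" matches "clear line 5".
    """
    word, _, args = command_line.strip().partition(" ")
    saw_clause = False
    for name, action, pattern in group["cmds"]:
        if name != word:
            continue
        saw_clause = True
        if pattern.search(args):
            return action
    return "deny" if saw_clause else group["default"]


def check_policy(groups, group_name, command_lines):
    """Return {command line: decision} for a batch of commands against one group."""
    return {c: authorize(groups[group_name], c) for c in command_lines}


if __name__ == "__main__":
    groups = parse_groups(CONFIG)
    sample = ["show running-config", "configure terminal", "clear line 5",
              "clear counters", "reload"]
    for name in ("readonly_as_posted", "readonly_fixed", "admin"):
        print(name, check_policy(groups, name, sample))
```

Running it shows readonly_as_posted denying "show running-config" while readonly_fixed permits it, both denying "configure terminal", "clear counters" and "reload", and admin permitting everything because it has no clauses and a permit default.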

Cisco Employee

Re: Read-only aaa statements

Hi Echelo360,

The aaa config that you pasted does not have command authorization.

You need the 3 authorization commands from David's post.

Regards,

Vivek

New Member

Re: Read-only aaa statements

Great help given here guys...thanks!
