Shell Commands Authorisation Set

cmacinnes · ‎04-15-2004

Hi

I wonder if you guys can help with something I'm trying out.

We are using CiscoSecure 3.2. At the moment all users with ACS accounts have full access to the routers/switches once they have authenticated. But we have a group of users who could do some simple stuff for us (I'm thinking of allowing them to change speed/duplex and vlans on fe interfaces on edge switches.) But I would rather they didn't have full access for obvious reasons!

So I have created a Shell Command Authorisation Set with a command of show and an arguement of permit version (I'm move on the more complex commands once I've mastered this one!) and denied unmatched commands. Within the group to which my test user belongs I have assigned my command set.

I don't think I've gone too far wrong here. But, what config do I need to apply to the network devices? At the moment while I am able to authenticate with my test user they have full and complete access once authenticated.

I've added this line:

aaa authorization commands 15 RepAccess <my command set> if-authenticated

Where am I going wrong? Any pointers gratefully received.

Many thanks

Carolyn

gfullage · ‎04-15-2004

You're close. "sho ver" is a level 1 command, not a level 15 (enable) command, so add the following:

aaa authorization commands 1 default tacacs

You have to do TACACS authentication cause there's no such thing as Radius command authorization.

Also, you don't reference your Command Set in the "aaa author" command on the device, it doesn't care what that name is cause it's ACS specific.

Also, what I've shown you above will enable command authorization for all users, so for users that you want to be able to do everything, add another Shell Command Authorisation Set onto the ACS server that permits everything, and apply it to the users with no restrictions.