New Member

TACACS+ and authorization "conf-t" commands (IOS)

Hi

Is it possible to do authorization for IOS commands ("conf-t mode") on the TACACS+ service without having to keep strings such as "privilege configure level 3 interface" in the Cisco running config?

Authorization for exec-mode commands works well, but I need the same for the commands in conf-t mode.

For example tac_plus.conf:

I need something like this (fictional syntax):

    service = configure {
       cmd = interface { permit FastEthernet .* }
       cmd = switchport { deny access .* }
    }

This already works well:

    service = exec {
       priv-lvl = 3
    }

    cmd = ping { permit .* }

    cmd = write { deny memory }

Thank you for any ideas.

2 ACCEPTED SOLUTIONS
Cisco Employee

Re:TACACS+ and authorization "conf-t" commands (IOS)

Hi Oleg,

The very first thing you need to do is to make sure an authorization packet is sent to the TACACS+ server for commands in config terminal mode. For this we need a command on IOS:
"aaa authorization config-commands"

Now the rest of the work has to be done on the TACACS+ server, defining each command with specific arguments as you mentioned.


Sent from Cisco Technical Support Android App

New Member

TACACS+ and authorization "conf-t" commands (IOS)

Hi Oleg,

Here, as you said, commands like ping, show or any other commands at a privilege level are authorized with the TACACS+ server. But if you want to authorize in global configuration mode then you need to give an extra command:

"acs#aaa authorization config-commands"

Now, after giving it, you can give any global configuration command like

"acs(config)#interface FastEthernet "

and either you permit or deny it. This command gets authorized with the TACACS+ server.

-thanks,

Rajiv
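
Putting the two accepted answers together, as an added example that is not from the thread: the IOS side with "aaa authorization config-commands", and a Shrubbery tac_plus.conf group that restricts what may be run in config mode. The server address, shared key, server and group names are placeholders; the user is placed at privilege 15 and restricted by command authorization, because "configure terminal" and the commands under it are level-15 commands by default, so a priv-lvl 3 user would never reach them without the "privilege ... level 3" strings the question wants to avoid.

```text
! --- IOS side (constructed example, IOS 15-style syntax; address, key and names are placeholders) ---
aaa new-model
tacacs server TACPLUS1
 address ipv4 192.0.2.10
 key SHARED_SECRET_PLACEHOLDER
aaa group server tacacs+ TACGRP
 server name TACPLUS1
aaa authentication login default group TACGRP local
aaa authorization exec default group TACGRP local
! authorize every level-15 command; this includes "configure terminal" itself
aaa authorization commands 15 default group TACGRP local
! send config-mode commands to the server for authorization (the line both answers point to)
aaa authorization config-commands
! command accounting gives the audit trail of what was actually run
aaa accounting commands 15 default start-stop group TACGRP

# --- tac_plus.conf side (Shrubbery tac_plus syntax; group and user names are assumptions) ---
key = "SHARED_SECRET_PLACEHOLDER"
group = netops {
    # any cmd not listed below is denied (tac_plus default)
    service = exec {
        priv-lvl = 15
    }
    # within a cmd block the first matching permit/deny wins, and patterns are regexes
    cmd = configure { permit terminal }
    cmd = interface {
        permit "FastEthernet.*"
        deny .*
    }
    cmd = switchport {
        deny "access .*"
        permit .*
    }
    cmd = show { permit .* }
    cmd = ping { permit .* }
    cmd = write {
        deny memory
        permit .*
    }
    # needed to leave interface and config mode, which are authorized as commands too
    cmd = exit { permit .* }
    cmd = end { permit .* }
}
user = oleg {
    member = netops
    # login/password line omitted; set it per your tac_plus deployment
}
```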

4 REPLIES

New Member

Re:TACACS+ and authorization "conf-t" commands (IOS)

It works. Thank you, Tushar.


New Member

Re:TACACS+ and authorization "conf-t" commands (IOS)

Rajiv, thank you for your help too.
