Cisco Support Community
user restrictions via tac+

Hi all,

I'm trying to restrict a user with TACACS+. The relevant router and TACACS+ configs are as follows:

IOS:

aaa new-model
!
!
aaa authentication login console group tacacs+ local enable
aaa authentication login vty group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization commands 0 en0 group tacacs+
aaa authorization commands 5 RESTRICT group tacacs+
!
aaa session-id common
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication console
line aux 0
line vty 0 903
 authorization commands 0 en0
 authorization commands 5 RESTRICT
 logging synchronous
 login authentication vty
 transport input ssh

tacacs:

user = guck {
    login = cleartext guck
    service = shell {
        priv_level = 5
    }
    cmd = enable {
        deny .*
    }
    cmd = show {
        permit ver
        deny .*
    }
    cmd = traceroute {
        permit .*
    }
    cmd = exit {
        permit .*
    }
}

It's partially working: I can't execute the enable command, but I can do a lot more than "show ver" as intended, and more than traceroute and exit. I can execute ping as well, and various other commands. Now I'd like to know if it's possible at all to restrict a user to the above-mentioned commands in conjunction with TACACS+, or doesn't it work that way?

TIA

br

Erik

  • AAA Identity and NAC
Accepted Solution

Re: user restrictions via tac+

I think the reason you are able to use the ping command is that the "ping" command's level is not being authorized.

i.e., by default on an IOS device we have three levels, namely 0, 1 and 15.

At level zero you have the commands: disable, enable, exit, help, and logout.

I think the ping command is at either level 1 or 15, given you have not changed the command's level.

So I would suggest the following:

aaa authorization commands 0 AUTHO-VTY group tacacs+
aaa authorization commands 1 AUTHO-VTY group tacacs+
aaa authorization commands 15 AUTHO-VTY group tacacs+

line vty 0 903
 no authorization commands 0 en0
 no authorization commands 5 RESTRICT
 authorization commands 0 AUTHO-VTY
 authorization commands 1 AUTHO-VTY
 authorization commands 15 AUTHO-VTY

And then configure the permitted or denied commands accordingly in the TACACS+ server user profile.

Regards,

Prem
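A runnable model of the behaviour Prem describes, added here as an example (it is not code from the thread, from Cisco or from tac_plus). It assumes a small constructed table of default IOS command privilege levels (level 0 for disable/enable/exit/help/logout, level 1 for user EXEC commands such as ping, traceroute and show version, level 15 for privileged EXEC commands such as show running-config), transcribes Erik's tac_plus profile for user guck as Python data, and evaluates which commands ever reach the TACACS+ server under the original `commands 0` / `commands 5` lists versus Prem's `0` / `1` / `15` lists. The permit/deny patterns are applied as unanchored regular expressions, the way tac_plus treats them; the names `ios_authorize`, `command_level`, `GUCK`, `ERIK_LEVELS` and `PREM_LEVELS` are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed subset of default IOS EXEC command privilege levels.
# Level 0: disable, enable, exit, help, logout.  Level 1: user EXEC
# (ping, traceroute, show version, ...).  Level 15: privileged EXEC.
DEFAULT_CMD_LEVEL = {
    "disable": 0, "enable": 0, "exit": 0, "help": 0, "logout": 0,
    "ping": 1, "traceroute": 1, "show version": 1, "show ip route": 1,
    "show running-config": 15, "configure": 15, "reload": 15, "write": 15,
}


@dataclass
class Rule:
    action: str    # "permit" or "deny"
    pattern: str   # regex matched against the command's argument string


@dataclass
class TacUser:
    """A tac_plus-style user profile: per-command permit/deny rule lists."""
    cmds: dict = field(default_factory=dict)   # first word -> [Rule, ...]
    default_permit: bool = False               # tac_plus 'default service = permit'

    def authorize(self, word, args):
        rules = self.cmds.get(word)
        if rules is None:
            # No cmd clause for this command: deny unless the profile
            # carries 'default service = permit'.
            return "permit" if self.default_permit else "deny"
        for rule in rules:
            if re.search(rule.pattern, args):   # unanchored match, as in tac_plus
                return rule.action
        return "deny"   # rules exhausted without a match


def command_level(cmd):
    """Longest-prefix lookup so 'show running-config' wins over 'show'."""
    words = cmd.split()
    for n in range(len(words), 0, -1):
        level = DEFAULT_CMD_LEVEL.get(" ".join(words[:n]))
        if level is not None:
            return level
    raise KeyError(f"no privilege level known for {cmd!r}")


def ios_authorize(cmd, authorized_levels, user):
    """What IOS does with one EXEC command line.

    IOS consults 'aaa authorization commands N' for the privilege level N
    of the command itself.  If no list exists for that level the command
    runs locally and the TACACS+ server is never asked; otherwise the
    server's verdict ('permit' or 'deny') is returned.
    """
    if command_level(cmd) not in authorized_levels:
        return "local"
    word, _, args = cmd.partition(" ")
    return user.authorize(word, args)


# Erik's tac_plus profile for user guck, transcribed as data.
GUCK = TacUser(cmds={
    "enable":     [Rule("deny", ".*")],
    "show":       [Rule("permit", "ver"), Rule("deny", ".*")],
    "traceroute": [Rule("permit", ".*")],
    "exit":       [Rule("permit", ".*")],
})

ERIK_LEVELS = {0, 5}        # original: commands 0 en0 / commands 5 RESTRICT
PREM_LEVELS = {0, 1, 15}    # fix: commands 0 / 1 / 15 AUTHO-VTY


if __name__ == "__main__":
    for cmd in ("enable", "show version", "show running-config",
                "ping 10.0.0.1", "traceroute 10.0.0.1", "exit", "logout"):
        print(f"{cmd:22} before: {ios_authorize(cmd, ERIK_LEVELS, GUCK):6} "
              f"after: {ios_authorize(cmd, PREM_LEVELS, GUCK)}")
```

Running it shows why ping slipped through: under the original lists every level 1 command comes back as "local" and never reaches the server, while "enable" (level 0) is sent and denied, exactly what Erik observed. Two things to check once the 0/1/15 lists are in place: with no `default service = permit` in the profile, any command without a `cmd` clause is denied, so level 0 commands such as logout, help and disable also need a `permit .*` entry; and `permit ver` is an unanchored regex, so anchor it (`^ver`) if you want it to match only the version argument. If any command has been re-levelled with `privilege exec level 5 ...`, keep a `commands 5` list too, because IOS only consults the list that matches the command's own level.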

2 REPLIES

Re: user restrictions via tac+

Hi Prem,

Thank you very much for your help! You hit the bull's-eye!

br

Erik
