Specific rights to a Switch

Hi,

We are using TACACS+ authentication with a Cisco ACS v3.3, and we are now trying to build some users with specific rights. For example:

- Assign ports to VLAN

- Change the description of a port

How can I set it up? Do I need to define anything on the switch side, or is it all in Cisco ACS?

Jorge

Re: Specific rights to a Switch

Hi,

You can also use a shell command authorization set to define the particular commands that a user/user group can execute for a particular device/Network Device Group (if defined).

You must have received the documentation CDs with the ACS package, which are sufficient to explain the configuration part.

HTH

rgds

Re: Specific rights to a Switch

Hi,

This is how you do it. Employ Authentication, Authorization, and Command Authorization on an IOS or set-based device:

A. Configure AAA on the device

IOS -

! Local account, used only when no TACACS+ server responds
username [username] password [password]
! TACACS+ server and shared key (must match the AAA client entry in ACS)
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
! Login authentication: TACACS+ first, local database if no server responds
aaa authentication login default group tacacs+ local
! Exec and command authorization (levels 1 and 15) via TACACS+;
! "if-authenticated" permits the request when no TACACS+ server responds
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
! Send configuration-mode commands to ACS for authorization as well
aaa authorization config-commands

Set Based -

set tacacs server [IP] [primary]
set tacacs key [key]
set tacacs attempts [number]   (optional)
set localuser user [user] password [password] privilege 15
set authentication login local enable
set authentication login tacacs enable [all | console | http | telnet] [primary]
set authorization exec enable tacacs+ [deny | none] [console | telnet | both]
set authorization commands enable [config | all] tacacs+ [deny | none] [console | telnet | both]

B. Bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field

C. Define user/group level command authorization

**NOTE: The syntax of the commands specified MUST be exact and IS case sensitive. Also note that the router will complete commands like "config t" and send the completed command to ACS, so the complete command must be entered into the "Command:" field (e.g. configure) and the complete argument must be entered into the arguments field (e.g. terminal) in ACS.

1. Drop down to "Shell Command Authorization Set"

2. Place the radio button in "Per User/Group Command Authorization"

3. Choose Permit or Deny for "Unmatched Cisco IOS Commands" (this field determines whether any command NOT specified in the "Command" box below will be permitted or denied)

4. Place a check in the "Command:" box and specify the command to be permitted or denied.

5. If you wish to specify arguments for the command, enter the arguments to be permitted or denied line by line in the "Arguments:" field. The syntax for this is "permit/deny argument" (e.g. permit terminal)

6. Place the radio button for "Unlisted Arguments" in either permit or deny (this works the same way as the "Unmatched Cisco IOS Commands" radio button above). Note that if you have no arguments specified, choosing "Permit" will permit the command and choosing "Deny" will deny the command.

7. Click Submit (or Submit+Restart in group setup). At this time a new, blank command authorization set section will appear so you can repeat the process above with a new command if necessary.

Regards,

~JG

Re: Specific rights to a Switch

jagdeep has given a wonderful explanation of the process.

you can also go through the attached doc which gives you some examples as well

HTH

Narayan

New Member

Re: Specific rights to a Switch

This has been a great explanation!!! Thanks.

But what if I want to allow only some configuration commands in configure terminal mode?

Like:

configure terminal

interface fastethernet0/10

switchport access vlan 2000

Thanks

Jorge

Re: Specific rights to a Switch

Jorge,

The concept remains the same for config t as well. I have attached the screenshot of the authorization set.

I have allowed access only to interface fastethernet 0/10, and on that interface the only allowed VLAN is 1. So no one can make that port a part of another VLAN or a trunk port, etc.

In this way you can set it up as per your need.

Please take care with the syntax: ACS does not understand the slash (/), so you need to use fastethernet 0 10 (without the slash).

All the best !

Regards,

~JG
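The permit/deny decision that the "Shell Command Authorization Set" steps above describe, as an added example that is not part of the original thread and is not Cisco ACS code: a small Python model of a command authorization set (per-command argument lines, the "Unlisted Arguments" button, the "Unmatched Cisco IOS Commands" button), loaded with the set JG describes in his follow-up (only fastethernet 0/10 may be entered, only VLAN 1 assigned) plus the description change Jorge asked about. Assumptions made for the model and not taken from the page: the switch sends the fully expanded command, the first word is the command and the rest is the argument string, matching is exact and case-sensitive after whitespace is collapsed and "/" is treated as a separator (following JG's note about the slash); the function `port_vlan_operator_set` and the session in `SAMPLE_SESSION` are constructed for the illustration.

```python
"""Model of an ACS 3.x "Shell Command Authorization Set" as described in the thread.

Added example, not Cisco ACS code; it speaks no TACACS+.  Assumed for the model:
the device sends the fully expanded command, the first word is the command and
the rest is the argument string, and matching is exact and case-sensitive after
whitespace is collapsed and "/" is treated as a separator.
"""
from dataclasses import dataclass, field

PERMIT = "permit"
DENY = "deny"


def normalize(argument):
    """Collapse whitespace and treat "/" as a separator: "fastethernet 0/10" -> "fastethernet 0 10"."""
    return " ".join(argument.replace("/", " ").split())


@dataclass
class CommandRule:
    """One "Command:" box: its listed argument lines plus the "Unlisted Arguments" radio button."""
    arguments: dict = field(default_factory=dict)  # normalized argument -> PERMIT / DENY
    unlisted_arguments: str = DENY


@dataclass
class CommandAuthorizationSet:
    """The whole set: per-command rules plus the "Unmatched Cisco IOS Commands" radio button."""
    unmatched_commands: str = DENY
    rules: dict = field(default_factory=dict)  # command word -> CommandRule

    def add_rule(self, command, permit=(), deny=(), unlisted=DENY):
        rule = CommandRule(unlisted_arguments=unlisted)
        for arg in permit:
            rule.arguments[normalize(arg)] = PERMIT
        for arg in deny:
            rule.arguments[normalize(arg)] = DENY
        self.rules[command] = rule
        return self

    def authorize(self, line):
        """Decide one command line the way the set's radio buttons describe."""
        command, _, argument = line.strip().partition(" ")
        rule = self.rules.get(command)  # exact, case-sensitive match on the command word
        if rule is None:
            return self.unmatched_commands
        # A listed argument line wins; anything else falls to "Unlisted Arguments".
        # With no argument lines at all, the unlisted setting alone decides
        # (Permit permits the command, Deny denies it).
        return rule.arguments.get(normalize(argument), rule.unlisted_arguments)

    def authorize_session(self, lines):
        return [(line, self.authorize(line)) for line in lines]


def port_vlan_operator_set():
    """The set JG describes: only fastethernet 0/10 may be entered and only VLAN 1 assigned.
    Unmatched commands are denied, so the operator gets nothing the set does not name."""
    policy = CommandAuthorizationSet(unmatched_commands=DENY)
    policy.add_rule("configure", permit=["terminal"])
    policy.add_rule("interface", permit=["fastethernet 0 10"])
    policy.add_rule("switchport", permit=["access vlan 1"])
    policy.add_rule("description", unlisted=PERMIT)  # any description text is acceptable
    policy.add_rule("show", deny=["running-config"], unlisted=PERMIT)
    policy.add_rule("end", unlisted=PERMIT)
    policy.add_rule("exit", unlisted=PERMIT)
    return policy


# Constructed sample session (not a capture): expanded commands a switch would ask ACS about.
SAMPLE_SESSION = [
    "configure terminal",
    "interface fastethernet 0/10",
    "description uplink to access-sw-02",
    "switchport access vlan 1",
    "switchport access vlan 2000",  # another VLAN: denied
    "switchport mode trunk",        # trunking: denied
    "interface fastethernet 0/11",  # another port: denied
    "Configure terminal",           # wrong case: unmatched, denied
    "show running-config",          # explicitly denied argument
    "end",
]

if __name__ == "__main__":
    for line, decision in port_vlan_operator_set().authorize_session(SAMPLE_SESSION):
        print(f"{decision:6}  {line}")
```

Running the block prints one permit or deny per line of the constructed session. The point to notice is the two fail-closed defaults: leaving "Unmatched Cisco IOS Commands" and "Unlisted Arguments" on Deny means anything the set does not name, including a differently cased command word, is refused, and only the `description` rule permits unlisted arguments, because its text is free-form by design.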
