03-01-2007 09:47 PM - edited 03-10-2019 03:01 PM
I've set up the TACACS server with two groups:
-FULL admin rights
-READ only rights
Two users have been created:
-admin_test
-read_test
The admin_test config works fine on AAA, but I keep getting stuck with the read_test config. I can never get to enable mode even though I've defined it in the group policy. Is there something wrong with my aaa statements below?
aaa authentication login default group tacacs+ line enable
aaa authentication enable default group tacacs+ enable line
aaa authorization exec default if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
03-02-2007 01:33 AM
Hi,
Use this document to learn more about privilege levels and how to configure them:
http://www.cisco.com/warp/public/480/PRIV.html
You need to define the actual privilege levels: what's allowed and what's not.
See the doc.
If you find this post useful, please don't forget to rate it.
#########################################
#Iwan Hoogendoorn
#########################################
03-02-2007 04:45 AM
Privilege is not scalable in a big environment. What you need is authorization on the ACS server. In Cisco Freeware TACACS+ I defined the following groups: readonly, advanced and admin:
group = readonly {
default service = deny
# readonly users may run any show command (a contradictory "deny .*" entry for show was removed)
cmd = show { permit .* }
cmd = copy { permit .* }
cmd = ping { permit .* }
cmd = enable { permit .* }
cmd = configure { deny .* }
cmd = disable { permit .* }
cmd = telnet { permit .* }
cmd = disconnect { permit .* }
cmd = where { permit .* }
cmd = set { permit .* }
cmd = clear { permit line }
cmd = exit { permit .* }
cmd = debug { permit .* }
}
group = advanced {
default service = deny
cmd = show { permit .* }
cmd = copy { permit flash }
cmd = copy { permit running }
cmd = ping { permit .* }
cmd = configure { permit .* }
cmd = enable { permit .* }
cmd = disable { permit .* }
cmd = telnet { permit .* }
cmd = disconnect { permit .* }
cmd = where { permit .* }
cmd = set { permit .* }
cmd = clear { permit line }
cmd = exit { permit .* }
cmd = interface { permit .* }
}
group = admin {
default service = permit
}
As you can see, admin can access everything, readonly can only read. Advanced can make limited changes and admin can do everything. On the Cisco router, I have the following configuration:
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+
I find that by doing it this way, it is much more scalable than using privilege commands on the router itself.
David
CCIE Security
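As an added illustration of the per-command authorization that David's post relies on (this is not code from the thread or from tac_plus itself), the following Python script models how a TACACS+ server evaluates a command line against a group's cmd clauses. The matching semantics are assumed from the tac_plus manual and simplified: first matching regex wins, an existing clause with no match denies, and a command with no clause falls back to the group's default service.

```python
"""Simulator of tac_plus (Cisco freeware TACACS+) per-command authorization.

Constructed example, not code from the thread or from tac_plus.
Assumed semantics (simplified from the tac_plus manual):
  * a command's arguments are matched against the regexes of its cmd
    clause in order; the first permit/deny that matches wins;
  * a cmd clause that exists but matches nothing denies the command;
  * a command with no cmd clause falls back to `default service`.
"""
import re

# Subset of the groups from David's post, as (command, action, regex) rules.
GROUPS = {
    "readonly": {
        "default": "deny",
        "rules": [("show", "permit", ".*"), ("configure", "deny", ".*"),
                  ("clear", "permit", "line"), ("enable", "permit", ".*")],
    },
    "advanced": {
        "default": "deny",
        "rules": [("show", "permit", ".*"), ("copy", "permit", "flash"),
                  ("copy", "permit", "running"), ("configure", "permit", ".*")],
    },
    "admin": {"default": "permit", "rules": []},
}


def authorize(group_name, command_line):
    """Return 'permit' or 'deny' for a full command line under a group."""
    group = GROUPS[group_name]
    cmd, _, args = command_line.strip().partition(" ")
    rules = [r for r in group["rules"] if r[0] == cmd]
    if not rules:                      # no cmd clause: default service decides
        return group["default"]
    for _, action, pattern in rules:   # first matching regex wins
        if re.search(pattern, args):   # unanchored search, as tac_plus does
            return action
    return "deny"                      # clause present, nothing matched


if __name__ == "__main__":
    for grp, line in [("readonly", "show running-config"),
                      ("readonly", "configure terminal"),
                      ("advanced", "copy running-config startup-config"),
                      ("advanced", "copy ftp: disk0:"),
                      ("admin", "reload")]:
        print(f"{grp:9} {line:40} -> {authorize(grp, line)}")
```

Running it shows why the router-side `aaa authorization commands` lines matter: without them the router never asks the server, and the group definitions are never consulted.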
03-03-2007 07:23 AM
Hi Echelo360,
The aaa config that you pasted does not have command authorization.
You need the 3 authorization commands from David's post.
Regards,
Vivek
03-04-2007 08:47 PM
Great help given here guys...thanks!