
New Member

How to enable "Shell Command Authorization Sets"

Hi there

I use AAA over TACACS to verify users from MS Active Directory.

I configured a new "Shell Command Authorization Set"; see the attachment for details.

But this does not work. So I just want to test whether the use of a command is working or not.

You can see in the attached file that I tried something with the "show" command.

But when I log in I'm still able to use "show aaa servers", for example, even though in the "show" command box I put the argument "deny aaa".

Why does this not work?

Thanx for help

bb

1 ACCEPTED SOLUTION

Re: How to enable "Shell Command Authorization Sets"

BB,

Not sure why you want to do it this way. The trick here is to give all users priv 15 and then define a command authorization set as per your needs.

Giving priv 15 does not mean that the user will be able to execute all commands. You can set up an authorization set and allow only the specific commands you want the user to be able to execute.

Pls rate if that helps

Regards,

~JG

15 REPLIES

Re: How to enable "Shell Command Authorization Sets"

Hi BB,

This is what you need on the IOS device:

Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands

On ACS, bring users/groups in at level 15:

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field

Everything else seems to be OK.

~JG

Please rate if that helps

New Member

Re: How to enable "Shell Command Authorization Sets"

@ jgambhir

Thanx for the answer :-)

Your response is working.

But I want to configure it differently from you. You did "aaa authorization commands 15"; I will do it with "aaa authorization commands 5".

For example:

aaa authorization commands 5 default group tacacs+ if-authenticated
aaa authorization config-commands

In the ACS I want to configure that the users from the group (TACACS+ Settings -> Privilege level = 5) are able to execute the command "configure terminal" or "show running-config" and so on...

How do I configure this?

Thanx for help

bb


New Member

Re: How to enable "Shell Command Authorization Sets"

Hi

I have this same problem, trying to allocate a list of commands that I want junior techs to be able to execute. I have given them all level 7 privilege and listed the commands in the ACS Shell Exec settings, but it does not work.

I want to avoid having to enter:

privilege exec level 7 show run
privilege exec level 7 ping
privilege exec level 7 configure terminal

etc. on 300 switches.

Any idea how to do this?

Re: How to enable "Shell Command Authorization Sets"

Ray,

First of all, you don't need these commands with ACS, so remove them:

privilege exec level 7 show run
privilege exec level 7 ping
privilege exec level 7 configure terminal

Configure ACS and the AAA client as described above in this thread.

Let me know how that goes.

Regards,

Pls rate helpful posts

New Member

Re: How to enable "Shell Command Authorization Sets"

@ jgambhir

You told me to set each ACS group to privilege level 15 and then add a command set.

This works for me now. But how can I hide some output, such as the "aaa" configuration and other stuff, from helpdesk users when they run the command "sh run"?

Is there a possibility to configure such things?

Thanx for help :-)

bb

Re: How to enable "Shell Command Authorization Sets"

Yes, use command sets to deny access to some commands, or to grant access if you do not want to give access to the majority of the commands. When they execute "show running-config" the users will only see what they are able to configure, so if you don't want them to see aaa commands, simply deny those commands in the command set.

New Member

Re: How to enable "Shell Command Authorization Sets"

@ mattiaseriksson

You say this is very easy, but if I deny "aaa" for example, then I am still able to see the aaa option under "show ?" and I can also run the "show aaa servers" command.

I probably don't know how to write the deny rule?

But the permit thing works...?

Quite confusing

bb

Re: How to enable "Shell Command Authorization Sets"

You can deny 'show aaa servers' and other commands like this:

Command: show
Argument: deny aaa *
Unlisted arguments: permit
Unmatched Cisco IOS commands: permit

Re: How to enable "Shell Command Authorization Sets"

BB,

Actually, using command authorization you can permit or deny any command, but there is no way to control the output displayed for a specific command.

E.g.: when you allow "show run", the user will get the full output instead of a limited output.

This feature is available if you do local authorization on the router/switch.

Hope that helps !

Regards,

~JG

New Member

Re: How to enable "Shell Command Authorization Sets"

Hi,

Sorry about the delay, I've been out for a few days...

This sort of works for me now. But it only allows a user to do anything if they are explicitly allocated a command authorization set in ACS, so main admins like myself cannot use ANY commands unless we are given a command set to use.

Is there a way around this with certain aaa new-model commands? I currently use:

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands

Re: How to enable "Shell Command Authorization Sets"

The normal case is that you would have an admin group with an associated command set that has default command permit, and all other groups have limited command sets. So yes, you have to assign a command set if you use command authorization.

The other way to do it would be to define privilege levels, but then you would have to configure this on all of the devices.

New Member

Re: How to enable "Shell Command Authorization Sets"

OK, thanks Mattias. I think it all works OK now.

Will this also work for console access, or in any situation where it loses contact with the TACACS server?

thanks again.

Ray

Re: How to enable "Shell Command Authorization Sets"

Yes, the "default" method list you use applies to the console line as well, if you have not overruled that in the config.

And if the TACACS server is unavailable it will use the local database for authentication and authorize everything by default (if-authenticated).
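To make the two decisions discussed in this thread concrete, here is an added Python model (not Cisco ACS or IOS code, and not posted by anyone in the thread) of how a Shell Command Authorization Set is evaluated and how the "group tacacs+ if-authenticated" method list falls back when the server is unreachable. It covers both the "deny aaa" versus "deny aaa *" confusion from the command-set reply above and the fallback behaviour described in this reply. The matching rules are an assumption for illustration: the first word is the command, the rest is the argument string, and argument patterns are shell-style globs matched against the whole argument string, which is simpler than ACS's real matcher.

```python
"""Simplified model of TACACS+ command authorization as discussed in the thread.

Added illustration, not Cisco ACS or IOS code. Assumed matching rules: the
first word of the command line is the command, the rest is the argument
string, and argument patterns are shell-style globs matched against the whole
argument string (ACS's real matching semantics are not spelled out here).
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Tuple


@dataclass
class CommandRule:
    """One "Command:" entry of an ACS Shell Command Authorization Set."""
    command: str
    arguments: List[Tuple[str, str]] = field(default_factory=list)  # (action, pattern)
    unlisted_arguments: str = "permit"  # "Unlisted arguments: permit|deny"


@dataclass
class CommandSet:
    """A whole set: its command rules plus the "Unmatched Cisco IOS commands" default."""
    rules: List[CommandRule] = field(default_factory=list)
    unmatched_commands: str = "permit"

    def evaluate(self, command_line: str) -> str:
        """Return "permit" or "deny" for a command line typed at the IOS prompt."""
        words = command_line.split()
        if not words:
            return "deny"
        command, argument_string = words[0], " ".join(words[1:])
        for rule in self.rules:
            if rule.command != command:
                continue
            # Argument rules are checked in order; the first matching pattern decides.
            for action, pattern in rule.arguments:
                if fnmatchcase(argument_string, pattern):
                    return action
            return rule.unlisted_arguments
        return self.unmatched_commands


def authorize(command_line: str, command_set: CommandSet,
              tacacs_reachable: bool, authenticated: bool) -> str:
    """Model the method list "group tacacs+ if-authenticated".

    While the TACACS+ server answers, its command set decides. If the server is
    unreachable, IOS falls through to if-authenticated, which permits any command
    for a user who has already authenticated (against the local database here).
    """
    if tacacs_reachable:
        return command_set.evaluate(command_line)
    return "permit" if authenticated else "deny"


# The OP's first attempt: "show" with the argument rule "deny aaa", everything else
# permitted. The bare pattern "aaa" only matches the argument string "aaa", not
# "aaa servers", which is why "show aaa servers" still went through.
OP_ATTEMPT = CommandSet(rules=[
    CommandRule("show", arguments=[("deny", "aaa")], unlisted_arguments="permit"),
], unmatched_commands="permit")

# The set suggested in the thread: "deny aaa *" catches every "show aaa ..." form
# (under this glob model a bare "show aaa" still needs its own "deny aaa" rule).
SUGGESTED = CommandSet(rules=[
    CommandRule("show", arguments=[("deny", "aaa *")], unlisted_arguments="permit"),
], unmatched_commands="permit")

# A restricted helpdesk set (constructed example): only listed commands are allowed.
HELPDESK = CommandSet(rules=[
    CommandRule("show", arguments=[("deny", "aaa"), ("deny", "aaa *")],
                unlisted_arguments="permit"),
    CommandRule("ping", unlisted_arguments="permit"),
], unmatched_commands="deny")


if __name__ == "__main__":
    for cmd in ("show aaa servers", "show aaa", "show running-config", "configure terminal"):
        print(f"{cmd:22} OP attempt={OP_ATTEMPT.evaluate(cmd):6} "
              f"suggested={SUGGESTED.evaluate(cmd):6} helpdesk={HELPDESK.evaluate(cmd)}")
    print("TACACS+ down, authenticated user:",
          authorize("show aaa servers", HELPDESK, tacacs_reachable=False, authenticated=True))
```

The last line of the demo is the point Mattias makes above: with if-authenticated as the fallback, a locally authenticated user is not restricted by any command set while the TACACS+ server is down, so the local usernames on the box are what stand between an outage and full command access.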

Re: How to enable "Shell Command Authorization Sets"

Hi Ray,

The other way around is to make one more command authorization set with the radio button set to PERMIT.

Bind it to the Admin group in ACS; now all admin users should be able to execute all commands.

Kindly rate helpful posts.

Regards,

~JG
