11-17-2001 03:33 AM - edited 02-21-2020 11:30 AM
I would like to know how to restrict a user to configuring only the serial interface after entering configuration mode. User authentication is done using a TACACS+ server.
11-24-2001 04:10 PM
There isn't a standardized way to limit all commands to one interface. You will need to specifically permit all the desired commands. All other commands can be implicitly denied.
The two most common ways to do this are:
1) Locally, not using TACACS. This is obviously not as scalable a solution. However, it doesn't use up bandwidth by requiring everyone to authenticate to an AAA server for every command.
Using this method, you can assign the user a priv level other than 15, then assign the allowed commands to the same priv level.
i.e. user has priv level 9
config t=priv 9
int serial=priv 9
encapsulation frame-relay=priv 9
etc.
You must explicitly change each of these commands to priv 9.
2) You can do the same thing using TACACS, by using command authorization.
On the router:
aaa authorization commands 15 default tacacs
This will require authorization from the TACACS server for all level 15 commands. In your TACACS server, you will have to configure the desired commands. How you implement it is application specific, i.e. tacacs freeware, CSUnix, or CSNT.
If you are using the most common one, ACS NT, then check the "IOS commands" box, check the "Deny all unmatched commands" box, and enter the desired command. After you submit it, it will give you another box to enter an additional command. Just repeat the process for each additional command you want to permit.
You will find it useful to implement this using something other than the default AAA method, to prevent locking yourself out of the router. I.e.:
aaa authorization commands 15 vtymethod tacacs none
line vty 0 4
authorization commands 15 vtymethod
Establish a console session and enable debug aaa authentication and debug aaa authorization while you're initially configuring this, so you can proactively troubleshoot while you're configuring.
HTH
Jeff
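The two approaches from the answer above, written out as a router configuration. This is an added example, not part of the original post or of any Cisco documentation; the server address 192.0.2.10, the key, the username and the password are placeholders, the "group tacacs+" wording is the newer form of the aaa commands (the post uses the older "tacacs" keyword that earlier IOS releases take in its place), and "shutdown" is included only as one of the "etc." commands an operator would also want on the interface.

```ios
! Added example (not from the original post). Placeholders: 192.0.2.10,
! EXAMPLE-KEY, serialop, EXAMPLE-PW. Syntax assumes the "group tacacs+"
! form of the aaa method lists.
aaa new-model
tacacs-server host 192.0.2.10 key EXAMPLE-KEY
aaa authentication login default group tacacs+ local
! Let the TACACS+ server hand back the user's priv-lvl when the EXEC
! starts; fall back to the local username database if it is unreachable.
aaa authorization exec default group tacacs+ local

! ---- Method 1: local privilege levels, no per-command round trip ----
! A level-9 user gets every level-1 command plus whatever is moved down
! to level 9 here. Nothing else is reachable, so the deny is implicit.
! Note: lowering "configure terminal" also lowers the bare "configure".
privilege exec level 9 configure terminal
privilege configure level 9 interface serial
privilege interface level 9 encapsulation frame-relay
privilege interface level 9 shutdown
! Local fallback account for the level-9 operator (placeholder password).
username serialop privilege 9 password EXAMPLE-PW

! ---- Method 2: TACACS+ command authorization ----
! Every level-15 command typed on a vty is sent to the server, which
! must hold the permit list (the "deny all unmatched" rule lives there).
! Using a named method instead of "default", with "none" as the last
! method, is the lock-out guard from the post: if the server cannot be
! reached the command is allowed rather than refused.
aaa authorization commands 15 vtymethod group tacacs+ none
! Commands typed inside config mode are authorized too once command
! authorization is on; this line restores that default if someone
! had turned it off with "no aaa authorization config-commands".
aaa authorization config-commands
line vty 0 4
 authorization commands 15 vtymethod
line con 0
 ! No "authorization commands" on the console, so it stays usable for
 ! recovery and for running the debugs while the server rules are tuned.
```

Two checks before leaving this in production. First, "none" fails open: once the permit list on the server has been verified from the console with the debugs running, decide whether an unreachable server should really mean "every command allowed" on the vty lines, or whether "if-authenticated" (or simply dropping the fallback) is the behaviour you want. Second, "commands 15" only intercepts level-15 commands; level-1 commands such as "show" are never sent to the server, so add an "aaa authorization commands 1 ..." line with the same method if those need to be controlled as well, and make sure the server returns priv-lvl 15 (or the user runs "enable") so that the configuration commands actually are level-15 commands when they are typed.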