01-03-2007 08:09 PM - edited 03-03-2019 03:14 PM
Hi,
We have TACACS enabled in our routers. I wanted to restrict user access to only particular commands. I am providing those commands below.
Router#term len 0
Router#sh clock
Router#sh ip int br
Router#sh env all
Router#sh int s0/0
Router#sh int s0/1
Router#ping 10.30.250.137
Router#conf t
Router(config)#int se0/0
Router(config-if)#no backup int br0/0
Router#exit
Router#isdn call int bri 0/0 22861600
Router#sh isdn a
Router#sh isdn status
Router(config)#int se0/0
Router(config-if)#backup int bri0/0
Router#sh int bri0/0
Router#sh run
Nothing more than these commands should be allowed for configuration. Can someone advise me on the required configuration in the router as well as in Cisco ACS?
Regards
SKRAO
01-08-2007 02:21 PM
For the router, you will need to tell it to contact a TACACS+ server, in this case, you're using Cisco ACS. In the unfortunate event that your ACS is unreachable, ensure you have a local account created and specify local authentication as the second choice in your AAA configuration. For example:
aaa new-model
! enables AAA
!
! next three lines define the TACACS+ server and associate it with a server group named LAN
tacacs-server host x.x.x.x
aaa group server tacacs+ LAN
 server x.x.x.x
!
aaa authentication login default group LAN local
! enables authentication with TACACS server group LAN as the first method; if that fails, then the local username database
!
aaa authorization config-commands
! enables authorization for config commands
!
aaa authorization exec default group LAN
! enables authorization for exec level commands via server group LAN
!
aaa accounting commands 15 default start-stop group LAN
! enables accounting on all commands, failed or authorized, attempted by level 15 users and sends the messages to server group LAN. See the configuration guide for other accounting options.
!
aaa authorization commands 15 ADMIN group LAN
! enables authorization for any level 15 user and creates an authorization group ADMIN to be referenced later. Specifies to check with server group LAN to receive command authorization.
!
! Assuming telnet access is being used, the commands below place every authenticated user at level 15. The authorization group ADMIN is specified, so don't worry, everybody doesn't really get I AM GOD privileges on the device. You'll control that in the ACS.
line vty 0 4
 privilege level 15
 authorization commands 15 ADMIN
!
username local priv 15 secret uptoyou
! creates a local username with privilege level 15 (can do anything at any level) with an MD5-encrypted password which can't be cracked by the usual cut-and-paste password crackers
I'll post this then address the Cisco ACS. Download the configuration guide for your hardware and read the section on AAA for more detailed explanations and other AAA options.
01-08-2007 02:42 PM
For the ACS, this could become a very long response. I'll address enough to hopefully help, but I highly recommend downloading the user guide for your version of Cisco ACS from Cisco's website.
A few tasks you'll need to accomplish are to define the network devices that will be allowed to query the ACS server. That is done under the NETWORK CONFIGURATION tab. In my experience, it is best to create a loopback interface on the network device, say loopback 0 IP x.x.x.x, then add ip tacacs source-interface loopback 0. This will ensure a consistent source/requesting IP from the device to the ACS server.
You will also define a user group under the GROUP SETUP tab. There are multiple options you could use to control access at specific times, to which devices, from which devices, commands, etc., all on a group level. You will select the permitted commands (SHARED PROFILE COMPONENTS) under the Shell Command Authorization Set. Read about the choices in the config guide to decide on your employment of the ACS.
The meat and potatoes of access control is done in the SHARED PROFILE COMPONENTS tab under Shell Command Authorization Sets. Think of this like defining different levels of access. If you wish to allow only certain commands, then select deny unmatched commands for each command entered. The configuration guide is the best reference for defining the command syntax you want to allow. For example, if you wanted to allow all show commands, you would enter show as the command, then select permit unmatched args to allow all matches of the show command. The tricky part here is that how the device communicates with the server may differ from device to device. For example, on a 3750G switch, inputting the global configuration command int g1/0/1 will cause the switch to send the following to the server: service=shell cmd=interface Group-Async 1 GigabitEthernet 1 0 1
Finally, define a user under the USER SETUP tab. Tell it to use the ACS internal database unless you are syncing it with Windows AD, and add the user to a group. Keep in mind that if you allow special access to a user, it will trump whatever the group settings are.
That should all be clear as mud now. Again, labbing this out and reading through the configuration guide will make you a TACACS pro in no time.
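As an added illustration that is not part of this thread and is not Cisco's code, the Python below models the shell command authorization set the answer describes, filled in with the original poster's command list. It assumes a simplified version of the ACS matching rules (a command word, an ordered list of permit patterns on the argument string, a per-command "unmatched args" default, and a set-level "unmatched commands" default), assumes the full-word command forms IOS sends to the server (for example `show interfaces Serial0/0` rather than `sh int s0/0`; the exact expansions vary by platform and should be checked in your own ACS logs), and the regex patterns are constructed for this example. It also parses the `service=shell cmd=...` line quoted above to show why the 3750G expansion would be denied by a rule written for `Serial0/0`.

```python
"""Simplified model of an ACS shell command authorization set (constructed example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Pattern, Tuple


@dataclass
class CommandRule:
    # Ordered (action, pattern) rules tried against the normalised argument string.
    arg_rules: List[Tuple[str, Pattern[str]]] = field(default_factory=list)
    unmatched_args: str = "deny"  # ACS per-command setting: permit/deny unmatched args


@dataclass
class CommandSet:
    commands: Dict[str, CommandRule] = field(default_factory=dict)
    unmatched_commands: str = "deny"  # "deny unmatched commands" gives a strict allow-list

    def permit(self, cmd: str, arg_pattern: str = None, unmatched_args: str = "deny"):
        """Add a permit rule for `cmd`; no pattern means only the unmatched-args default applies."""
        rule = self.commands.setdefault(cmd, CommandRule(unmatched_args=unmatched_args))
        if arg_pattern is not None:
            rule.arg_rules.append(("permit", re.compile(arg_pattern, re.IGNORECASE)))
        return self

    def authorize(self, cmd: str, args: str = "") -> bool:
        """Return True if the (cmd, args) pair would be permitted by this set."""
        rule = self.commands.get(cmd)
        if rule is None:
            return self.unmatched_commands == "permit"
        normalised = " ".join(args.split())  # collapse whitespace the device may add
        for action, pattern in rule.arg_rules:
            if pattern.search(normalised):
                return action == "permit"
        return rule.unmatched_args == "permit"


def parse_shell_request(line: str) -> Tuple[str, str]:
    """Split a 'service=shell cmd=<word> <args>' log line into (cmd, args)."""
    match = re.match(r"service=shell\s+cmd=(\S+)\s*(.*)$", line.strip())
    if not match:
        raise ValueError(f"not a shell authorization request: {line!r}")
    return match.group(1), match.group(2).strip()


def build_operator_set() -> CommandSet:
    """The original poster's command list as a strict set (patterns are assumptions)."""
    s = CommandSet(unmatched_commands="deny")
    s.permit("terminal", r"^length 0$")
    for show_args in (r"^clock$", r"^ip interface brief$", r"^environment all$",
                      r"^interfaces Serial ?0/[01]$", r"^interfaces BRI ?0/0$",
                      r"^isdn (active|status)$", r"^running-config$"):
        s.permit("show", show_args)
    s.permit("ping", r"^10\.30\.250\.137$")        # only the one address from the post
    s.permit("configure", r"^terminal$")
    s.permit("interface", r"^Serial ?0/0$")        # only se0/0 may be entered
    s.permit("backup", r"^interface BRI ?0/0$")
    s.permit("no", r"^backup interface BRI ?0/0$")
    s.permit("isdn", r"^call interface BRI ?0/0 22861600$")
    s.permit("exit", unmatched_args="permit")
    s.permit("end", unmatched_args="permit")
    return s


# Constructed request lines in the format the answer quotes from ACS.
SAMPLE_REQUESTS = [
    "service=shell cmd=show clock",
    "service=shell cmd=ping 10.30.250.137",
    "service=shell cmd=ping 10.30.250.1",
    "service=shell cmd=interface Serial0/0",
    "service=shell cmd=interface Group-Async 1 GigabitEthernet 1 0 1",  # the 3750G form
    "service=shell cmd=reload",
]


def audit(command_set: CommandSet, lines: List[str]) -> List[Tuple[str, str, bool]]:
    """Evaluate each request line and return (cmd, args, permitted) triples."""
    results = []
    for line in lines:
        cmd, args = parse_shell_request(line)
        results.append((cmd, args, command_set.authorize(cmd, args)))
    return results


if __name__ == "__main__":
    for cmd, args, ok in audit(build_operator_set(), SAMPLE_REQUESTS):
        print(f"{'PERMIT' if ok else 'DENY  '} cmd={cmd} args={args!r}")
```

Running it shows the `ping` to any other address, `reload`, and the 3750G-style `interface Group-Async 1 ...` request all denied, which is the point of the answer's caveat: write the argument patterns against what the device actually sends, not against the abbreviation typed at the prompt.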