allowing only specified commands

sivakondalarao · ‎01-03-2007

Hi,

We have TACACS enabled in our routers. I wanted to restrict user access to only particular commands. I am providing those commands below.

Router#term len 0

Router#sh clock

Router#sh ip int br

Router#sh env all

Router#sh int s0/0

Router#sh int s0/1

Router#ping 10.30.250.137

Router#conf t

Router(config)#int se0/0

Router(config-if)#no backup int br0/0

Router#exit

Router#isdn call int bri 0/0 22861600

Router#sh isdn a

Router#sh isdn status

Router(config)#int se0/0

Router(config-if)#backup int bri0/0

Router#sh int bri0/0

Router#sh run

Nothing more than these commands should be allowed for configuration. Can someone advice me for required configuration in Router as well as cisco ACS.

Regards

SKRAO

keithpalka · ‎01-08-2007

For the router, you will need to tell it to contact a TACACS+ server, in this case, you're using Cisco ACS. In the unfortunate event that your ACS is unreachable, ensure you have a local account created and specifiy local authentication as the second choice in your AAA configuration. For example:

aaa new-model (enables AAA)

(next three lines define tacacs+ server, and associates it with a server group named LAN)

tacacs-server host x.x.x.x

aaa group server tacacs+ LAN

server x.x.x.x

aaa authentication login default group LAN local (enables authentication with tacacs server group LAN as the first method, if that fails, then the local username database)

aaa authorization config-commands

(enables authorzation for config commands)

aaa authorization exec default group LAN

(enables author for exec level commands via server group LAN)

aaa accounting commands 15 default start-stop group LAN

(enables accounting on all commands, failed or authorized, attempted by level 15 users and sends the messages to server group LAN. See configuration guide for other accounting options)

aaa authorization commands 15 ADMIN group LAN

(enables authorization for any level 15 user and creates an authorization group ADMINto be referenced later. Specifies to check with server group LAN to recieve command authorization)

(Assuming telnet access is being used, the below commands places every authenticated user at level 15. The authorization group ADMIN is specified, so don't worry, everybody doesn't really get I AM GOD privileges on the device. You'll control that in the ACS.)

line vty 0 4

privilege level 15

authorization commands 15 ADMIN

username local priv 15 secret uptoyou

(creates a local username with privilege level 15[can do anything at any level] with an MD5 encrpyted password which can't be cracked by the usual cut and paste password crackers)

I'll post this then address the Cisco ACS. Download the configuration guide for your hardware and read the section on AAA for more detailed explanations and other AAA options.

keithpalka · ‎01-08-2007

For the ACS, this could become a very long reponse. I'll address enough to hopefully help, but I highly recommend downloading the userguide for your version of Cisco ACS from ciscos website.

A few tasks you'll need to accomplish is to define the network devices that will be allowed to query the ACS server. That is done under the NETWORK CONFIGURATION tab. In my experience, it is best to create a loopback interface on the network device, say loopback 0 IP x.x.x.x then add ip tacacs source-interface loopback 0. This will ensure a consistent source/requesting IP from the device to the ACS server.

You will also define a user group under the GROUP SETUP tab. There are multiple options you could use to control access at specific times, to which devices, from which devices, commands, etc all on a group level. You will select the permitted commands (SHARE PROFILE COMPONENTS) under the Shell Command Authorization Set. Read about the choices in the config guide to decide on your employment of the ACS.

The meat and potatoes of access control is done in the SHARED PROFILE COMPONENTS tab under Shell command authorization sets. Think of this like defining different levels of access. If you wish to allow only certain commands, then select deny unmatched commands for each command entered. The configuration guide is the best reference for defining the command syntax you want to allow. For an example, if you wanted to allow all show commands, you would enter show as the command, then select permit unmatched args to allow all matches of the show command. The tricky part here is that how the device communications with the server may differ from device to device. For example, on a 3750G switch, inputting the global configuration command int g1/0/1 will cause the switch to send the following to the server : service=shell cmd=interface Group-Async 1 GigabitEthernet 1 0 1 . Your best bet is to set up a lab with the models of routers you are using and connect them to the ACS. When you test out the commands, the ACS will generate an accounting log that will show the syntax the device is trying to use to recieve authorization. Tedious, but worth the effort to avoid causing authorization issues.

Finally, define a user under the USER SETUP tab. Tell it to use the ACS internal database unless you are sync'ing it with Windows AD and add the user to a group. Keep in mind that if you allow special access to a user, it will trump whatever the group settings are.

That should all be clear as mud now, again, labbing this out and reading through the configuration guide will make you a tacacs pro in no time.