IOS command authorization using ACS (4.1)

Hi,


I want to achieve the following scenario using command authorization with ACS on a router:


A "NOC" user having privilege level 7 can only be allowed to configure interface loopback 1 with an IP address within the range of 172.16.0.0 255.255.0.0


Router configuration is as follows:


aaa new-model
aaa authentication login VTY group tacacs+ local
aaa authorization config-commands
aaa authorization exec VTY group tacacs+ local
aaa authorization commands 7 VTY group tacacs+ local
!
line vty 0 4
 authorization commands 7 VTY
 authorization exec VTY
 login authentication VTY
 transport input telnet ssh



I have added the router (Version 12.4(24)T2) as an AAA client into ACS (4.1). Created the NOC user with privilege level 7 and the following shell command authorization set:


command = configure
arguments: permit terminal

command = interface
arguments: permit Loopback 1

command = ip
arguments: permit address  (tried with permit address 172.1..*  255.255..*)


Issue is: the NOC user is able to enter the following commands:

configure terminal
interface loopback 1

But is not able to enter the "ip address" command.


What can the issue be in this configuration?


Regards,

DMG


Comments

  • DMG,

    Did you define the:

    privilege interface level 7 ip address
    privilege interface level 7 ip
    privilege interface level 7 no ip address
    privilege interface level 7 no ip
    privilege interface level 7 no

    commands in the router? Or does the view the user uses contain similar commands?

    Remember that the commands must first exist locally in the router, and then they are authorized on the server (ACS).

    Thanks.

    Adrian
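The two-stage check Adrian describes, modelled as an added example (not code from the thread, from Cisco IOS or from ACS): the router's local privilege table is consulted first, and only a command visible at the user's level is forwarded to the ACS command set. The privilege table, the ACS set, the default level 15 for unlisted config commands and the regex matching of ACS argument patterns are constructed assumptions that simplify real IOS and ACS 4.x behaviour.

```python
import re
# Router side, mirroring "privilege <mode> level <N> <command>" lines in the
# config. "ip address" in interface mode is deliberately absent, as in DMG's
# router; unlisted config-mode commands are assumed to need level 15.
ROUTER_PRIVILEGE = {
    ("exec", "configure terminal"): 7,
    ("configure", "interface"): 7,
}

# ACS side: command -> (argument regexes, policy for unmatched arguments);
# assumption: each "permit <pattern>" is a regex over the whole argument string.
ACS_COMMAND_SET = {
    "configure": ([r"terminal"], "deny"),
    "interface": ([r"loopback ?1"], "deny"),
    "ip": ([r"address 172\.16\.\d+\.\d+ 255\.255\.0\.0"], "deny"),
}

def local_level(mode, line, router):
    """Longest-prefix lookup in the router's privilege table; default 15."""
    words = line.split()
    for n in range(len(words), 0, -1):
        level = router.get((mode, " ".join(words[:n])))
        if level is not None:
            return level
    return 15

def acs_authorize(line, acs):
    """ACS decision for a command line the router did forward."""
    cmd, _, args = line.partition(" ")
    if cmd not in acs:
        return False, "ACS: command not in set"
    patterns, unmatched = acs[cmd]
    if any(re.fullmatch(p, args, re.IGNORECASE) for p in patterns):
        return True, "ACS: permit"
    return unmatched == "permit", f"ACS: unmatched arguments -> {unmatched}"

def authorize(mode, line, user_level, router=ROUTER_PRIVILEGE, acs=ACS_COMMAND_SET):
    """Two-stage decision: local privilege check first, then ACS."""
    needed = local_level(mode, line, router)
    if user_level < needed:
        return False, f"router: needs level {needed}, never sent to ACS"
    return acs_authorize(line, acs)

def with_adrian_fix(router):
    """Router table after 'privilege interface level 7 ip address' (and 'ip')."""
    return {**router, ("interface", "ip"): 7, ("interface", "ip address"): 7}

if __name__ == "__main__":
    line = "ip address 172.16.1.1 255.255.0.0"
    print(authorize("interface", line, 7))  # denied by the router itself
    print(authorize("interface", line, 7, with_adrian_fix(ROUTER_PRIVILEGE)))
```

Without the privilege lines the "ip address" command is refused by the router before any TACACS+ request is made, so no ACS argument pattern can ever match it; with them, the ACS set decides and only 172.16.x.x addresses pass.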

  • Hi Adrian,

    Thanks for the information.

    I did the same. I was unaware of the fact that commands first have to be made available at that particular level, and after that the router sends them to ACS.


    On Wed, Mar 31, 2010 at 1:10 AM, adrian <[email protected]> wrote:



    Internetwork Expert - The Industry Leader in CCIE Preparation

    http://www.internetworkexpert.com



    Subscription information may be found at:

    http://www.ieoc.com/forums/ForumSubscriptions.aspx

  • Hello all!

    Having in mind the fact that one must add "privilege ...." commands on the router, I feel this poses a scalability issue. This has to be done on *every* router. Is there a solution that does not require walking from router to router for adding/changing configs?

    Regs,

    spop

  • I don't think you have an option to configure a downloadable privilege level from ACS.

    Instead, you can give the user privilege 15 and then restrict the command authorization. This is scalable, but the only thing is that the user can see the complete running config. Anyway, we can restrict "sh run" too.

    aaa authorization commands 15
    aaa authorization config-commands

    With regards

    Kings

  • spop, I was just thinking the same thing.

    If I understand the solution well, then it means that for command authorization using ACS, the same authorization commands have to exist on the router as well as in ACS for this to work?

    I haven't tested this yet, but I was getting the same error results as described in the first post in this thread.

    Wendal
  • Hi wendal!

    I don't think this is the case. You set up an array of commands that the user is allowed to execute and place them in a certain privilege level (say 5). Like this:

    privilege exec level 5 command 1
    privilege configure level 5 command2
    privilege interface level 5 command3
    ....

    Now you set up ACS to place a user in privilege level 5 and he/she can only execute the commands that you have just "demoted" to level 5. But the issue arises when you have dozens of routers. You only need to set up ACS once, but you need to set up each and every router with the commands listed above.

    Now imagine you need to add/remove some commands. Again, you need to "walk" dozens of routers in order to do the requirement. One should say to use some (expensive!!) management tool, like Security Manager, but let's stick to the command line as long as we can ;)

    Regs,

    spop
