Task 5.2 - authorization through tacacs of telnet traffic


I am having trouble replicating this task. According to the answer book, you should create a command authorization permission in ACS to restrict the authentication to just the loopbacks of R4 and R5; however, this solution doesn't work. This is traffic authorization, not command usage authorization. Can anyone explain this to me? Is the answer incorrect?



  • I don't have the security WB, so I don't know the exact lab. However, if the task says to restrict what devices we can telnet to, then yes, we can do that via TACACS authorization. We can specify what parameters are allowed after the telnet command. So telnet is allowed but not etc.

    I'm not sure what would happen if we type in exec prompt; would this bypass TACACS authorization? :) I guess we would need transport preferred none under the VTY then.

  • I know the answer now. I wish there was an explanation in the book. For TACACS, the ASA needs to authorize each traffic flow individually, and the command authorization set is used for that authorization. For example, when the ASA wants to authorize a user Telnet session to a destination, it sends the following:



    Here, telnet is the command and the destination IP address is the argument. The command authorization set applied to the user should permit both the command and the argument.

    When the ASA needs to authorize well-known protocols such as Telnet, HTTP, and so on, it sends the name of the protocol. If it has to authorize any other protocol, the request is sent as cmd=protocol/port destination address.

    If you want to restrict the match to only the given address, use the dollar sign ($) at the end. Otherwise, could allow also
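The matching behaviour the previous comment describes, as an added example that is not part of the original thread or of any Cisco product: a small Python model of an ACS-style command authorization set evaluated against the cmd / cmd-arg pairs an ASA sends for cut-through traffic. The loopback addresses (10.0.4.4 and 10.0.5.5), the list of protocols sent by name, and the assumption that ACS tests the argument as a regular expression anchored at the start but not at the end (which is what the "$" hint implies) are all assumptions for the example, not facts taken from the page.

```python
import re
from dataclasses import dataclass


@dataclass
class CommandSetEntry:
    """One line of a command authorization set: command, argument pattern, permit/deny.

    Assumption: the argument is matched as a regular expression from the start of the
    cmd-arg value but not to its end, so a trailing '$' is needed for an exact match.
    """
    command: str
    arg_pattern: str
    permit: bool = True


# Assumed protocol-name mapping: the ASA sends well-known protocols by name and
# everything else as "protocol/port" (the thread names only Telnet and HTTP).
WELL_KNOWN = {("tcp", 23): "telnet", ("tcp", 80): "http", ("tcp", 21): "ftp"}


def asa_request(protocol: str, port: int, destination: str) -> tuple[str, str]:
    """Build the (cmd, cmd-arg) pair the ASA would send for a flow to destination."""
    cmd = WELL_KNOWN.get((protocol.lower(), port), f"{protocol.lower()}/{port}")
    return cmd, destination


def authorize(command_set: list[CommandSetEntry], cmd: str, cmd_arg: str,
              permit_unmatched_args: bool = False,
              permit_unmatched_commands: bool = False) -> bool:
    """Evaluate a single TACACS+ authorization request against the command set.

    Entries for the requested command are checked in order; the first whose
    argument pattern matches decides. Unmatched commands/arguments fall back to
    the set's 'permit unmatched' switches (both off here, i.e. deny by default).
    """
    entries = [e for e in command_set if e.command.lower() == cmd.lower()]
    if not entries:
        return permit_unmatched_commands
    for entry in entries:
        if re.match(entry.arg_pattern, cmd_arg):
            return entry.permit
    return permit_unmatched_args


# Constructed sample loopbacks for "R4" and "R5" (not the lab's real addressing).
R4_LO, R5_LO = "10.0.4.4", "10.0.5.5"

# Loose set: what a first attempt usually looks like. Dots are regex wildcards and
# there is no trailing anchor, so 10.0.4.4 also matches 10.0.4.44 and 10.0.4x4.
LOOSE_SET = [CommandSetEntry("telnet", R4_LO), CommandSetEntry("telnet", R5_LO)]

# Strict set: escaped dots plus '$' so only the two loopbacks are permitted.
STRICT_SET = [CommandSetEntry("telnet", re.escape(R4_LO) + "$"),
              CommandSetEntry("telnet", re.escape(R5_LO) + "$")]


def check_flow(command_set: list[CommandSetEntry], protocol: str, port: int, dst: str) -> bool:
    """End to end: translate the flow to the ASA's request, then authorize it."""
    cmd, arg = asa_request(protocol, port, dst)
    return authorize(command_set, cmd, arg)


if __name__ == "__main__":
    for dst in (R4_LO, R5_LO, "10.0.4.44", "10.0.4x4"):
        print(f"telnet {dst:10s} loose={check_flow(LOOSE_SET, 'tcp', 23, dst)!s:5} "
              f"strict={check_flow(STRICT_SET, 'tcp', 23, dst)}")
    # SSH is not sent by name, so it arrives as cmd=tcp/22 and hits no entry.
    print("ssh  ", R4_LO, "strict=", check_flow(STRICT_SET, "tcp", 22, R4_LO))
```

On the ASA side the request is only generated for flows that hit the authorization rule (aaa authorization match <acl> <interface> <server-group>), so the ACL and the command set have to agree: the ACL decides which traffic is authorized at all, the command set decides which of those destinations are permitted.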
