Kingsley, Lorenzo is seeking a way to work around the necessity of configuring privilege level commands on each router manually, and to have a list on ACS instead, AND to play with user privileges assigned via tacacs+.

Let me say that using privileges on a user without a local (on-router) list of "privilege ... command" doesn't make much sense, because the first check which IOS performs (with or without aaa configured) is "Current user privilege >= command privilege?". If yes, continue; if not, it prints "% Invalid input detected at '^' marker" and stops. As most commands are priv 15 (max) by default, users with priv < 15 will not pass the check, and the only way to change that is to lower the command privilege locally. The advent of Role-based Access Control cancelled the notion of privilege, but the per-role commands are still stored locally on the router.

In real life, if you want centrally administered user rights (Shell commands author set on tacacs) you would assign privilege 15 to each user, and configure "aaa authoriz commands 15..." to control which commands are permitted for each user. With that you just pass the role of arbiter to tacacs. (Of course, you must decide how to act in case tacacs is down; in that case you'd probably need some local command authoriz local set.)

======================================================
______________________________________
Date: Fri, 5 Feb 2010 17:12:37 +0530
From: Kingsley Charles <[email protected]>
Subject: Re: [OSL | CCIE_Security] Shell Command Authorization inconsistency in IOS
To: "Tating, Lorenzo C. Jr." <[email protected]>
Cc: [email protected]
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

Hi Lorenz

The privilege level is something that is used by the IOS. The ACS will send the priv-level for the user and the IOS will authorize the commands based on the priv level. Priv 15 is something that can't be configured; it is available by default. Priv 14 is something that we should configure. If the ACS sends priv 14, then the user will have the commands configured for priv 14.

If you don't have "aaa authorization exec", then the IOS will expect an enable password or secret with the privilege to be configured. Without enable secret or password, you will be locked in the exec mode. Instead of enable password or secret, you can configure

enable secret level 14
privilege exec level 14 clear line

With these two commands, you will get what you desire. But if you need to have aaa authorization for exec without enable password or secret, then you need to configure "aaa authorization exec". With this, you are directly placed based on the priv level. For 0 and 1, you will always be placed in exec. From 2 to 15, you will be placed in priv exec mode and have command privilege based on the priv level given to you.

For your case, just have priv level 14 in ACS and privilege 14 configured as follows:

aaa authentication login vty group tacacs+
aaa authorization exec vty group tacacs+
privilege exec level 14 clear line

If you still need command authorization for commands of priv 4, use the following and configure a shell command authorization set.

aaa new-model
!
!
aaa authentication login vty group tacacs+
aaa authorization exec vty group tacacs+
aaa authorization commands 14 vty group tacacs+

line vty 0 4
 exec-timeout 0 0
 authorization commands 14 vty
 authorization exec vty
 login authentication vty

Note: If you have priv 15 under vty, the user will get priv 15 no matter what the ACS gives.

With regards
Kings

On Fri, Feb 5, 2010 at 2:53 PM, Tating, Lorenzo C. Jr. <[email protected]> wrote:
> I am trying to do Shell Command Authorization on my routers using Tacacs.
>
> I have one user that I place under privilege level 14. I want a level 15
> command (clear line) to be used by that user. Using the "privilege exec
> level 14 clear line" works, but I need to implement it on ACS to save me
> time from having to enter the command over and over again on many routers.
> But I noticed that once my user logged in under privilege level 14 (Tacacs
> Setting, Privilege Level = 14), the Command Authorization. I cannot bring
> the "clear line" command to that level. I tried using this on ASA and it
> works; it just seems the router won't allow bringing a level 15 command down
> to level 14 without manually configuring "privilege exec level 14 clear
> line".
>
> ACS config:
> Per Group Command Authorization
> Unmatched Cisco IOS commands
> (deny)
>
> [check] Command:
> clear
>
> Arguments:
> (none)
>
> Unlisted arguments:
> permit
>
>
> Any help will be appreciated.
>
> Sincerely,
> Lorenz
>
> _______________________________________________
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
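The check order described in this thread (local "user privilege >= command privilege" first, ACS only afterwards and only for command levels named in "aaa authorization commands") is modelled below as an added Python example. It is not IOS code and not an ACS API; the Router and AcsCommandSet classes, the default command levels, and the three scenarios are constructed here from the values quoted in the thread (priv-14 user, "clear line", Lorenzo's ACS set with "Unmatched: deny" and "clear" with unlisted arguments permitted).

```python
"""Constructed model of the order in which IOS checks an exec command under
TACACS+ command authorization. Not IOS code or an ACS API; for illustration."""
from dataclasses import dataclass, field


@dataclass
class Router:
    # Privilege level per command keyword or prefix. IOS defaults most
    # commands to 15; this dictionary is a constructed subset for the example.
    command_privs: dict = field(default_factory=lambda: {
        "show": 1, "ping": 1, "clear": 15, "configure": 15, "reload": 15})
    # Levels named in "aaa authorization commands <level> ..." lines.
    authz_levels: set = field(default_factory=set)

    def privilege_exec_level(self, level, command):
        """Local equivalent of 'privilege exec level <level> <command>'."""
        self.command_privs[command] = level

    def required_level(self, line):
        """Most specific configured prefix wins; unknown commands stay at 15."""
        words = line.split()
        for n in range(len(words), 0, -1):
            prefix = " ".join(words[:n])
            if prefix in self.command_privs:
                return self.command_privs[prefix]
        return 15


@dataclass
class AcsCommandSet:
    """Shell command authorization set shaped like the ACS screen Lorenzo quoted."""
    # command -> (explicitly permitted argument strings, action for unlisted args)
    commands: dict
    unmatched: str = "deny"    # "Unmatched Cisco IOS commands"
    queries: int = 0           # how many times the router actually asked ACS

    def authorize(self, line):
        self.queries += 1
        cmd, _, args = line.partition(" ")
        if cmd not in self.commands:
            return self.unmatched == "permit"
        allowed_args, unlisted = self.commands[cmd]
        return args in allowed_args or unlisted == "permit"


def run_command(router, acs, user_priv, line):
    """Return what happens to one command typed by a user at user_priv."""
    needed = router.required_level(line)
    if user_priv < needed:
        # "% Invalid input detected at '^' marker": ACS is never consulted.
        return "rejected-local"
    if needed not in router.authz_levels:
        # No "aaa authorization commands <needed>" line, so no ACS query either.
        return "permitted-no-authz"
    return "permitted" if acs.authorize(line) else "denied-acs"


def lorenzo_acs_set():
    # Unmatched: deny; Command: clear; Arguments: none; Unlisted arguments: permit
    return AcsCommandSet({"clear": (set(), "permit")}, unmatched="deny")


def scenario_as_posted():
    """Priv-14 user, no local 'privilege exec level 14 clear line'."""
    router = Router(authz_levels={14})
    acs = lorenzo_acs_set()
    return run_command(router, acs, 14, "clear line 5"), acs.queries


def scenario_local_lowering():
    """Kingsley's suggestion: lower 'clear line' to 14 on the router itself."""
    router = Router(authz_levels={14})
    router.privilege_exec_level(14, "clear line")
    acs = lorenzo_acs_set()
    return run_command(router, acs, 14, "clear line 5"), acs.queries


def scenario_priv15_tacacs_arbiter():
    """First reply's approach: every user is priv 15 and ACS decides per command.
    'show version' (level 1) never reaches ACS because only level 15 is covered."""
    router = Router(authz_levels={15})
    acs = lorenzo_acs_set()
    return [run_command(router, acs, 15, line)
            for line in ("clear line 5", "reload", "show version")]


if __name__ == "__main__":
    print("as posted:        ", scenario_as_posted())
    print("local lowering:   ", scenario_local_lowering())
    print("priv 15 + tacacs: ", scenario_priv15_tacacs_arbiter())
```

The third scenario shows the caveat that goes with the "everyone is priv 15, tacacs is the arbiter" design: the level in "aaa authorization commands <level>" refers to the command's privilege level, so level-1 commands are not sent to ACS unless a matching "aaa authorization commands 1" line exists as well, and a local fallback method is still needed for the case where the TACACS+ server is unreachable, as the first reply points out.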
