Hi Peter

I agree with you, but Lorenzo was saying that the "clear line" command of
priv 15 can't be brought down to priv 14. That's not true: priv 14 can have
any commands with it. Priv 2 to 14 are custom levels and can have any
commands.

Hence Lorenzo should have some configuration mistake which is not getting
the "clear line" cmd to priv 14.

With regards
Kings

On Fri, Feb 5, 2010 at 6:06 PM, Peter Debye <[email protected]> wrote:

> Kingsley, Lorenzo is seeking a way to work around the necessity to
> configure privilege level commands on each router manually, but to have a
> list on ACS instead, AND to play with the user's privileges assigned via
> tacacs+.
> Let me say that using privileges on a user without a local (on router)
> list of "privilege ... command" doesn't make much sense, because the first
> check which IOS performs (with or without aaa configured) is "Current user
> privilege >= command privilege?". If yes, continue; if not, it prints
> "% Invalid input detected at '^' marker" and stops.
> As most commands are priv 15 (max) by default, users with priv < 15 will
> not pass the check, and the only way to change that is to lower the
> command privilege locally.
> The advent of Role-Based Access Control cancelled the notion of privilege,
> but still the per-role commands are stored locally on the router.
>
> In real life, if you want centrally administered user rights (Shell
> Command Authorization Set on tacacs) you would assign privilege 15 to each
> user, and configure "aaa authoriz commands 15 ..." to control which
> commands are permitted for each user. With that you just pass the role of
> arbiter to tacacs. (Of course, you must decide how to act in case tacacs
> is down; in that case you'd probably need some local command authoriz
> set.)
>
> ======================================================
>
> ______________________________________
> Date: Fri, 5 Feb 2010 17:12:37 +0530
> From: Kingsley Charles <[email protected]>
> Subject: Re: [OSL | CCIE_Security] Shell Command Authorization inconsistency in IOS
> To: "Tating, Lorenzo C. Jr." <[email protected]>
> Cc: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Lorenz
>
> The privilege level is something that is used by the IOS. The ACS will
> send the priv-level for the user and the IOS will authorize the commands
> based on the priv level. Priv 15 is something that can't be configured; it
> is available by default. Priv 14 is something that we should configure.
>
> If the ACS sends priv 14, then the user will have the commands configured
> for priv 14.
>
> If you don't have "aaa authorization exec", then the IOS will expect an
> enable password or secret with the privilege to be configured. Without an
> enable secret or password, you will be locked in the exec mode. Instead of
> an enable password or secret, you can configure
>
> enable secret level 14 <secret>
> privilege exec level 14 clear line
>
> With these two commands, you will get what you desire.
>
> But, if you need to have aaa authorization for exec without an enable
> password or secret, then you need to configure "aaa authorization exec".
> With this, you are directly placed based on the priv level. For 0 and 1,
> you will always be placed in exec. From 2 to 15, you will be placed in
> priv exec mode and have command privilege based on the priv level given to
> you.
>
> For your case, just have priv level 14 in ACS and privilege 14 configured
> as follows
>
> aaa authentication login vty group tacacs+
> aaa authorization exec vty group tacacs+
> privilege exec level 14 clear line
>
> If you still need command authorization for commands of priv 4, use the
> following and configure a shell command authorization set.
>
> aaa new-model
> !
> aaa authentication login vty group tacacs+
> aaa authorization exec vty group tacacs+
> aaa authorization commands 14 vty group tacacs+
> !
> line vty 0 4
>  exec-timeout 0 0
>  authorization commands 14 vty
>  authorization exec vty
>  login authentication vty
>
> Note: If you have priv 15 under vty, the user will get priv 15 no matter
> what the ACS gives.
>
> With regards
> Kings
>
> On Fri, Feb 5, 2010 at 2:53 PM, Tating, Lorenzo C. Jr. <
> [email protected]> wrote:
>
> > I am trying to do Shell Command Authorization on my routers using
> > Tacacs.
> >
> > I have one user that I place under privilege level 14. I want a level 15
> > command (clear line) to be used by that user. Using "privilege exec
> > level 14 clear line" works, but I need to implement it on ACS to save me
> > time from having to enter the command over and over again on many
> > routers. But I noticed that once my user logged in under privilege level
> > 14 (Tacacs Setting, Privilege Level = 14), the Command Authorization. I
> > cannot bring the "clear line" command to that level. I tried using this
> > on ASA and it works; it just seems the router won't allow bringing a
> > level 15 command down to level 14 without manually configuring
> > "privilege exec level 14 clear line".
> >
> > ACS config:
> > Per Group Command Authorization
> > Unmatched Cisco IOS commands
> > (deny)
> >
> > [check] Command:
> > clear
> >
> > Arguments:
> > (none)
> >
> > Unlisted arguments:
> > permit
> >
> >
> > Any help will be appreciated.
> >
> > Sincerely,
> > Lorenz
> >
> > _______________________________________________
>
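The following Python model is an added example, not code from the thread or from Cisco. It walks through the two-stage check Peter describes (local parser check on privilege level first, TACACS+ command authorization second, and only for the levels that have "aaa authorization commands <level>" configured) and runs the three setups discussed: Lorenzo's (user at priv 14, nothing lowered locally, ACS permitting "clear"), Kingsley's local "privilege exec level 14 clear line", and Peter's priv 15 plus "aaa authorization commands 15" with the decision on the ACS side. The Router and AcsPolicy classes, the command privilege table and the ACS policies are constructed for illustration; "if-authenticated" is the real IOS fallback keyword, used here to show what happens to the ACS deny when the server is unreachable.

```python
"""Toy model of how IOS decides whether an exec command runs when TACACS+
command authorization is configured (added example; not Cisco code).

Stage 1 is the local parser check: current user privilege >= command
privilege? A command that fails it is reported as invalid input and the
TACACS+ server is never consulted. Stage 2 applies only to commands whose
privilege level has "aaa authorization commands <level> ... group tacacs+"
configured, and asks the (modelled) ACS shell command authorization set.
"""

from dataclasses import dataclass, field

INVALID_INPUT = "% Invalid input detected at '^' marker."
AUTHZ_FAILED = "Command authorization failed."
OK = "ok"

# Constructed default privilege table: "clear line" defaults to level 15,
# as Lorenzo observed; "show ip interface brief" is a level-1 command.
DEFAULT_COMMAND_PRIV = {
    "clear line": 15,
    "configure terminal": 15,
    "show running-config": 15,
    "show ip interface brief": 1,
}


@dataclass
class Router:
    command_priv: dict = field(default_factory=lambda: dict(DEFAULT_COMMAND_PRIV))
    # levels that have "aaa authorization commands <level> ... group tacacs+"
    authz_levels: set = field(default_factory=set)
    # fallback if the TACACS+ server is unreachable: "if-authenticated"
    # (real IOS keyword) or "" for no fallback at all
    fallback: str = ""

    def privilege_exec(self, level, command):
        """Local 'privilege exec level <level> <command>': lower the command's level."""
        self.command_priv[command] = level


@dataclass
class AcsPolicy:
    """Per-group shell command authorization set: the first word of the command
    is matched against the permitted list; unmatched commands get the default."""
    permitted: set
    unmatched_default: str = "deny"

    def authorize(self, command):
        if command.split()[0] in self.permitted:
            return True
        return self.unmatched_default == "permit"


def run_command(router, acs, user_priv, command, tacacs_up=True):
    """Return the router's verdict for one command typed by a user at user_priv."""
    cmd_priv = router.command_priv.get(command)
    # Stage 1: parser check. An unknown or higher-privilege command is simply
    # invisible to this user, so the ACS never sees it.
    if cmd_priv is None or user_priv < cmd_priv:
        return INVALID_INPUT
    # Stage 2: TACACS+ command authorization, for this command's level only.
    if cmd_priv in router.authz_levels:
        if not tacacs_up:
            return OK if router.fallback == "if-authenticated" else AUTHZ_FAILED
        if not acs.authorize(command):
            return AUTHZ_FAILED
    return OK


def lorenzo_scenario():
    """User at priv 14; ACS permits 'clear'; nothing lowered locally."""
    router = Router(authz_levels={14})
    acs = AcsPolicy(permitted={"clear"})
    return run_command(router, acs, 14, "clear line")


def kingsley_fix():
    """Same as above, plus 'privilege exec level 14 clear line' on the router."""
    router = Router(authz_levels={14})
    router.privilege_exec(14, "clear line")
    acs = AcsPolicy(permitted={"clear"})
    return run_command(router, acs, 14, "clear line")


def peter_approach():
    """Users get priv 15; 'aaa authorization commands 15' hands the decision to ACS."""
    router = Router(authz_levels={15}, fallback="if-authenticated")
    acs = AcsPolicy(permitted={"clear", "show"})
    return (
        run_command(router, acs, 15, "clear line"),
        run_command(router, acs, 15, "configure terminal"),
        run_command(router, acs, 15, "show running-config"),
        # server down: if-authenticated lets the otherwise-denied command through
        run_command(router, acs, 15, "configure terminal", tacacs_up=False),
    )


if __name__ == "__main__":
    print(lorenzo_scenario())
    print(kingsley_fix())
    print(peter_approach())
```

The last call in peter_approach() is the point of Peter's closing caveat: once the arbiter is the TACACS+ server, the fallback chosen for a server outage decides whether the ACS deny still holds, so a local "aaa authorization commands 15 ... local" set (or no fallback) is the safer choice for a router reachable from an untrusted network.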