The command hostname is being denied on the tacacs? This looks fine:

privilege configure level 10 hostname
privilege exec level 10 configure terminal
privilege exec level 10 configure
privilege exec level 10 show running-config
privilege exec level 10 show

Just add aaa authorization config-commands and deny it on the tacacs.

Mike

From: [email protected]
To: [email protected]; [email protected]
Date: Sun, 8 Jul 2012 18:03:17 +0000
Subject: Re: [OSL | CCIE_Security] Commands authorization

Sorry for coming back to the same topic again. Now I have a question: can I do a mix of the below said authorizations, namely having certain commands available at a particular level, e.g. 10, and authorizing commands with a shell command set on a TACACS server? It looks like the command set from TACACS is not pushed to the user.

I moved a few commands to privilege level 10:

privilege configure level 10 hostname
privilege exec level 10 configure terminal
privilege exec level 10 configure
privilege exec level 10 show running-config
privilege exec level 10 show

And I want to deny the user the ability to change the hostname. So my shell command authorization set looks like this:

Cmd = “configure”, Args = “permit terminal”
Cmd = “show”, Args = “permit running-config”

With all this I expect the user is allowed to run show commands and see the hostname in the config, but is denied from changing the hostname because it’s not listed in the command set. But it doesn’t work this way.

Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of Eugene Pefti
Sent: Friday, July 06, 2012 8:48 PM
To: waleed '; CCIE Security
Subject: Re: [OSL | CCIE_Security] Commands authorization

Thanks, pal. Yeah... I realize it now. Just to recap. I did command authorization two ways.

First was assigning a user priv 15 level via TACACS and assigning him a certain command set. The attempt to run the unassigned command ended up in “Command authorization failed”.

Second was assigning a user priv X level (let’s say 7) via TACACS and assigning exec and configure commands locally on the router with “privilege exec ...” and “privilege configure ...”. The attempt to run a command that doesn’t exist in level 7 ended up with the “Invalid input detected at ^ marker”.

Eugene

From: waleed ' [mailto:[email protected]]
Sent: Friday, July 06, 2012 8:35 PM
To: Eugene Pefti; CCIE Security
Subject: RE: [OSL | CCIE_Security] Commands authorization

You have to check what you configured for command authorization and for exec authorization. You will have this message

% Invalid input detected at '^' marker.

for a command not found in this level.

From: [email protected]
To: [email protected]
Date: Sat, 7 Jul 2012 03:30:26 +0000
Subject: [OSL | CCIE_Security] Commands authorization

Folks,

I’m honing my skills in command authorization and ran into something that put me on guard. I have a number of commands defined in a command authorization set, and the router and TACACS user settings are configured for a particular privilege level. When I run a command that is not allowed, the router says that the command is not available, e.g.

R3(config)#int Fa0/1
                ^
% Invalid input detected at '^' marker.

I remember previously I saw a different message when I tried to execute a non-allowed command, namely, “Command authorization failed”. Why do you think there’s a difference?

Eugene

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
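A small model of the two-stage check the thread is circling around, added here as an illustration (it is not code from the thread or from Cisco IOS, and it simplifies the TACACS+ "Args" matching to a regular expression and keys command authorization on the user's level rather than the command's): the IOS parser only exposes commands at or below the user's privilege level, so a command outside that level never reaches TACACS+ and produces the parser error; a visible command that is not in the shell command set is refused by command authorization; and configuration-mode commands are only sent for authorization when config-commands authorization is in effect. The privilege-level assignments and the command set are the ones posted in the thread.

```python
import re

# Constructed from the thread: commands moved to privilege level 10 on the
# router ("privilege exec/configure level 10 ..."), plus a level-15 entry so
# the "priv 15 via TACACS" case from the recap can be modelled. Only the
# commands mentioned in the thread are listed; a real parser has many more.
PRIV_COMMANDS = {
    10: {"exec": {"configure terminal", "configure", "show running-config", "show"},
         "configure": {"hostname"}},
    15: {"configure": {"interface"}},
}

# The TACACS+ shell command set from the thread (Cmd / Args = "permit <x>").
# Assumption: Args is matched as a regular expression; anything unlisted is denied.
TACACS_CMD_SET = [("configure", r"^terminal$"), ("show", r"^running-config$")]


def parser_accepts(mode, line, level):
    """Stage 1: the parser shows a user only commands at or below their level."""
    visible = set()
    for lvl, modes in PRIV_COMMANDS.items():
        if lvl <= level:
            visible |= modes.get(mode, set())
    return any(line == c or line.startswith(c + " ") for c in visible)


def tacacs_permits(line):
    """Stage 2: command authorization against the TACACS+ shell command set."""
    cmd, _, args = line.partition(" ")
    return any(cmd == c and re.search(pat, args) for c, pat in TACACS_CMD_SET)


def run(mode, line, level, authz_levels, config_commands):
    """Message the user sees for one command line; "" means it is executed.

    authz_levels: levels with "aaa authorization commands <n> ..." configured.
    config_commands: True when "aaa authorization config-commands" is in effect,
    i.e. configuration-mode commands are also sent to TACACS+ (simplified model).
    """
    if not parser_accepts(mode, line, level):
        return "% Invalid input detected at '^' marker."
    if level in authz_levels and (mode == "exec" or config_commands):
        if not tacacs_permits(line):
            return "Command authorization failed."
    return ""


if __name__ == "__main__":
    # The level-10 user from the thread: hostname goes through until
    # configuration-mode commands are also sent to TACACS+.
    print(repr(run("configure", "hostname R9", 10, {10}, False)))  # ''
    print(run("configure", "hostname R9", 10, {10}, True))  # Command authorization failed.
    print(run("configure", "interface Fa0/1", 7, {7}, True))  # % Invalid input ...
```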
