[Config] Cisco ACS Shell command authorization sets

Jan Peter:
Hi everybody,
We just bought a Cisco ACS server but were having some problems in configuring Shell command authorization sets.
We want to allow some users the possibility of changing VLAN and speed/duplex settings on ports but deny everything else. We have configured the set now so that they can do a show run and it blocks everything else.
The problem is that when I allow a user to perform a configure terminal, he gets access to all the commands within the 'configure terminal' mode. I tried to block other commands specifically, e.g. banner, but this doesn't work.
Does anybody know how to restrict commands in the configure terminal mode?
greetings,
Jan Peter.
LilYoda:
Re: [Config] Cisco ACS Shell command authorization
In the router config you need

aaa authorization config-commands

Then the router should send all commands to the server for an authorization check before it accepts them...
If that doesn't fix it, you could turn on "debug aaa authorization" and see if you find interesting info...
Jan Peter:
Master Yoda... the force is with you!
Thanks for the quick reply, I've got it working with your solution!
gr...
LilYoda (reply to Jan Peter):
Just for fun, if you want to secure the console port as well, you need to add

aaa authorization console

Otherwise authorization isn't done when you connect to the console port...
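The device side that goes with the two replies above (the config-commands line and the console line), written out as one IOS AAA block. This is an added example, not the original poster's or LilYoda's configuration; the server address 192.0.2.10, the shared secret, the local emergency account and the choice of `local` as fallback method are assumptions to replace with your own.

```text
! Added example: IOS AAA configuration for TACACS+ command authorization.
! 192.0.2.10, the secret and the "emergency" account are placeholders.
aaa new-model
!
! Where to ask. The key must equal "key = ..." in the TACACS+ server config.
tacacs-server host 192.0.2.10
tacacs-server key ReplaceWithLongRandomSecret
!
! Login and enable: ask TACACS+ first. "local"/"enable" are only used when no
! server answers at all, so a dead server does not lock you out. That fallback
! is also the fail-open path, so keep the local account strong and audited.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
username emergency privilege 15 secret ChangeMeBeforeDeploying
!
! Let the server assign the privilege level at login (priv-lvl in the exec
! service), so port admins land at level 15 without typing "enable".
aaa authorization exec default group tacacs+ local
!
! Send every command at levels 1 and 15 to the server.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! The line from the reply above: commands typed inside config mode are sent
! for authorization too, not just "configure terminal" itself.
aaa authorization config-commands
!
! The console is exempt from authorization unless you say otherwise.
aaa authorization console
!
! Keep a record of what was permitted and denied.
aaa accounting commands 15 default start-stop group tacacs+
```

Check the result with "debug aaa authorization" as suggested above: each command should show up as a separate authorization request, including the ones typed after "configure terminal". If only "configure terminal" appears, the config-commands line is missing.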
Unnamed poster:
Hi, I would appreciate it if you could help me. I am a CSACS newbie and currently using a trial version. I want to limit access to our routers and switches. The authentication bit seems to work but even though I have set command authorization, strictly following some documentation I found, I am not able to get this working.
There are 3 levels - ops, analyst and admin.
I want ops to be able to view config amongst other things but not have config t access. The analyst group can have some conf t access but not to everything, and admin can obviously have all access.
I set the CSACS up with command authorization and applied it to each group accordingly. The test router has the aaa authorization command but I don't know where I'm going wrong.
When I log in as the ops account, I don't want to have to use the enable command but I would like to be able to use the show run command as well as the others I set up in the Shell command authorization sets in CSACS. I know this is all probably as clear as mud but I hope you understand and can help. Please let me know if you require any further information.
Cheers.
LilYoda:
I have never used CSACS, so I can't really tell you how it works... Does it use a text file as its config? What does the config look like?
Unnamed poster:
Thanks for the prompt response. I can't find any way of extracting the CSACS config, however this is a bit of the config sample I copied to configure command authorisation on the CSACS:

Commands and Arguments
  Command: show
  Arguments:
    permit curpriv
    permit version
    permit aaa
    permit config

I suppose you really would have to use the product to be able to help me. I suppose we will buy the product and I'll get some Cisco support for it. Any help in the meantime though will be much appreciated.
Thanks.
LilYoda (reply to Jan Peter):
Mmmmmh, that looks a little like how my tac_plus config is done... Except that all is in a text file for me.
Here's what my config looks like:

meeeeee@my-server:~$ cat /etc/tac_plus.conf
key = "whateveryoukeyis"

group = admin {
    default service = permit
    service = exec {
        priv-lvl=15
    }
    service = shell {
        priv-lvl=5
    }
}

#you may need several lines like the ones below for old
#catalysts 1900 that prompt you for an enable password and
#send that to the tacacs server for checking
host = X.X.X.X {
    enable = des "XXXXXXX"
}
host = X.X.X.X {
    enable = des "XXXXXXX"
}

acl = LabRegular {
    #source IPs of regular user machines
    permit = X.X.X.X
    permit = X.X.X.X
    permit = X.X.X.X
    permit = X.X.X.X
    permit = X.X.X.X
}
acl = LabControl {
    #source IPs of Control machines (like backbone routers, etc...)
    permit = X.X.X.X
    permit = X.X.X.X
    permit = X.X.X.X
    permit = X.X.X.X
    permit = X.X.X.X
}

group = UsersCmds {
    default service = permit
    cmd = no {
        deny aaa*
        deny tacacs*
        deny "ip tacacs*"
        #deny changing routes to your tacacs servers
        deny "ip route X.X*"
        deny "ip route X.X*"
        deny "login authentication*"
        #deny changing the admin interface on your routers
        deny "interface XXX*"
        permit .*
    }
    cmd = default {
        deny aaa*
        deny tacacs*
        deny "ip tacacs*"
        #deny changing routes to your tacacs servers
        deny "ip route X.X*"
        deny "ip route X.X*"
        deny "login authentication*"
        #deny changing the admin interface on your routers
        deny "interface XXX*"
        permit .*
    }
    cmd = access-class {
        permit .*
    }
    cmd = interface {
        #deny changing the admin interface on your routers
        deny "XXXXXX*"
        permit .*
    }
    cmd = aaa {
        deny .*
    }
    cmd = tacacs-server {
        deny .*
    }
    cmd = ip {
        deny tacacs*
        #deny changing routes to your tacacs servers
        deny "route X.X.*"
        deny "route X.X.*"
        permit .*
    }
    cmd = login {
        deny authentication*
        permit .*
    }
    cmd = config-register {
        deny .*
    }
    cmd = configure {
        permit "terminal"
    }
    cmd = copy {
        permit "running-config startup-config"
        permit "startup-config running-config"
        permit "running-config tftp*"
        permit "running-config flash*"
        permit "startup-config tftp*"
        permit "startup-config flash*"
        deny .*config*
        permit .*
    }
    cmd = write {
        deny erase
        permit .*
    }
    cmd = erase {
        deny .*
    }
    cmd = enable {
        deny secret*
        permit .*
    }
}

group = Control_Users {
    member = UsersCmds
    acl = LabControl
    service = exec {
        priv-lvl=15
    }
    service = shell {
        priv-lvl=15
    }
}
group = Regular_Users {
    member = UsersCmds
    acl = LabRegular
    service = exec {
        priv-lvl=15
    }
}
group = Visitors {
    acl = LabRegular
    service = exec {
        priv-lvl=1
    }
}

user = Control {
    login = des "XXXXXXXXXX"
    member = Control_Users
}
user = user {
    login = des "XXXXXXXXXX"
    member = admin
}
user = admin {
    login = des "XXXXXXXXXX"
    member = admin
}
user = cisco {
    login = cleartext cisco
    member = Visitors
}

Maybe you could follow the same logic above and use this in your interface...
Hope this helps
hackysak:
Is it possible to get cmd authorization through radius??
TIA
LilYoda:
no idea, sorry :-(
Unnamed poster:
Thanks for the prompt response LilYoda. I use CSACS for Windows and I have tried to extract and use the same principles as in your config, but still it doesn't do what I want, which is that when a junior admin logs in, they should be able to run show commands, including config, but not much else. Thanks for all the help thus far; getting a bit fed up with it now.
Unnamed poster (reply to Jan Peter):
Re: [Config] Cisco ACS Shell command authorization sets
Hi,
I'm doing my thesis on Cisco NAC and I have a problem setting up Cisco ACS 3.3. I do the setup, but when I launch the administration console on my server, it asks me for a username and a password. The problem is that during the installation, I never entered any username or password. I did also create the specific user account, since my server is a domain controller as well, but the result is the same. No way to log in! Can someone help me find what I did wrong? Thanks a lot for your help!
Unnamed poster (reply to Jan Peter):
lilYoda,
is it possible to restrict which routers a particular user can telnet into using tacacs+?
I've tried using the ACL feature in your config but I get "Error Unrecognised token acl on line xx".
ex. user1 can connect to r1, r2, r3; user2 can connect to r1 & r3 only.
LilYoda (reply to Jan Peter):
Re: [Config] Cisco ACS Shell command authorization
Yes it's possible. I did it in my lab so that I'm the only one to connect to the control devices like the 5 frame switches & the gateway routers, and the users can telnet to the other 40 routers. The easiest way for me was to set up 2 NAT pools on the gateway routers, and NAT to a different pool depending on whether the Tacacs packets were coming from a control device IP or a regular device IP. Each pool was 1 IP address, so basically, if it was coming from IP A, it was a regular device, if it was coming from IP B, it was a control device.
Then on the tacacs config, I used 2 ACLs, one with the regular IP, the other with the control IP.
But you need a newer version of tac_plus... The one I use is Version F4.0.4.7.
You can get example configs and a download link for linux here: www.shrubbery.net/tac_plus/
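A tac_plus.conf for the case the thread opened with (port admins who may read the running config and change VLAN and speed/duplex on access ports, and nothing else), which also uses the acl feature from the last two posts to limit that group to a set of devices. This is an added example, not LilYoda's file above and not anything from the ACS documentation. The group and user names, the 192.0.2.x addresses and the password hash are placeholders. It assumes Shrubbery tac_plus (F4.0.4.7 or later, as the post above says acl needs), where permit/deny patterns are extended regular expressions matched against the command's argument string with the first match winning, and where acl patterns are matched against the address of the router or switch that sent the request (so the acl selects devices, not user workstations).

```text
# Added example /etc/tac_plus.conf for the port-admin case in this thread.
# Placeholders: portadmins, janpeter, 192.0.2.x, the key and the hash.
# Every pattern is anchored with ^ and $ so a permit cannot be widened by
# appending extra words to the command.

key = "ReplaceWithLongRandomSecret"

# Devices this group may log in to, matched against the NAS address that
# sent the TACACS+ request: 192.0.2.10 to 192.0.2.19 (constructed range).
acl = AccessSwitches {
    permit = "^192\.0\.2\.1[0-9]$"
    deny   = ".*"
}

group = portadmins {
    # No "default service = permit" here, so every service or command
    # without an explicit block below is refused (banner, aaa,
    # tacacs-server, shutdown, ... all fall into that).
    acl = AccessSwitches

    # Exec authorization returns priv-lvl 15, so "enable" is never typed
    # (needs "aaa authorization exec" on the device).
    service = exec {
        priv-lvl = 15
    }

    # Read-only views. "^running-config" also covers the "| include ..."
    # filters, because IOS sends the whole argument string.
    cmd = show {
        permit "^running-config"
        permit "^interfaces"
        permit "^vlan"
        permit "^version$"
        deny   ".*"
    }

    # Entering config mode is allowed; with "aaa authorization
    # config-commands" every command typed inside it is still checked
    # individually, so this does not open the whole mode.
    cmd = configure {
        permit "^terminal$"
        deny   ".*"
    }

    # Only physical access ports: no "interface Vlan1", no ranges,
    # no loopbacks, no port-channels.
    cmd = interface {
        permit "^(FastEthernet|GigabitEthernet)[0-9]+/[0-9]+$"
        deny   ".*"
    }

    # The three things they are allowed to change.
    cmd = switchport {
        permit "^access vlan [0-9]+$"
        deny   ".*"
    }
    cmd = speed {
        permit "^(10|100|1000|auto)$"
        deny   ".*"
    }
    cmd = duplex {
        permit "^(full|half|auto)$"
        deny   ".*"
    }

    # Housekeeping: leave modes and save.
    cmd = exit  { permit ".*" }
    cmd = end   { permit ".*" }
    cmd = write {
        permit "^memory$"
        deny   ".*"
    }
}

user = janpeter {
    member = portadmins
    # crypt(3) hash, e.g. generated with the tac_pwd tool shipped with tac_plus
    login = des "xxxxxxxxxxxxx"
}
```

Two caveats worth knowing before copying this. tac_plus sees only the command line, not the mode it was typed in, so "speed 100" is permitted wherever IOS accepts it; the narrow "interface" block is what keeps the change confined to access ports. And the group has no "no" block, so "no shutdown" is refused; if port admins need to bring ports up, add a block such as cmd = no { permit "^shutdown$" deny ".*" } rather than permitting "no" wholesale, since "no aaa ..." and "no tacacs-server ..." are the first things a loosely written "no" block would let through. Verify with "debug aaa authorization" on the switch, as the first reply suggests, that each config-mode command produces its own request.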