From: Kal Han (calikali2006@gmail.com)
Date: Thu Nov 09 2006 - 00:23:54 ART
Hi
(I'm providing some debug outputs and my config; please
correct what's wrong.)
I am using 12.2(15)T
and I don't see the expected behavior
(the one you pointed out)
with the following config, when a level 5 user telnets
to the router and executes "configure terminal",
the router complains that it's an unknown command:
R2#telnet 172.16.2.1
Trying 172.16.2.1 ... Open
Username: user5
Password:
R1#conf t
^
% Invalid input detected at '^' marker.
R1#
but only when I use the following command,
"privile exec level 5 configure terminal", does the router
send the command check to TACACS.
*My Config*
aaa new-model
aaa authentication login vty group tacacs+
aaa authorization exec vty group tacacs+
aaa authorization commands 1 vty group tacacs+
aaa authorization commands 5 vty group tacacs+
aaa authorization commands 15 vty group tacacs+
aaa session-id common
line vty 0 4
password cisco
authorization commands 1 vty
authorization commands 5 vty
authorization commands 15 vty
authorization exec vty
login authentication vty
*Debug Outputs*
R1(config)#privile exec level 5 configure terminal
R1(config)#
R1(config)#
.Mar 14 23:52:50.061: AAA: parse name=tty67 idb type=-1 tty=-1
.Mar 14 23:52:50.061: AAA: name=tty67 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=67 channel=0
.Mar 14 23:52:50.061: AAA/MEMORY: create_user (0x83160050) user='user5' ruser='R1' ds0=0 port='tty67' rem_addr='195.1.112.2' authen_type=ASCII service=NONE priv=5 initial_task_id='0', vrf= (id=0)
.Mar 14 23:52:50.061: tty67 AAA/AUTHOR/CMD(305574360): Port='tty67' list='vty' service=CMD
.Mar 14 23:52:50.061: AAA/AUTHOR/CMD: tty67(305574360) user='user5'
.Mar 14 23:52:50.061: tty67 AAA/AUTHOR/CMD(305574360): send AV service=shell
.Mar 14 23:52:50.061: tty67 AAA/AUTHOR/CMD(305574360): send AV cmd=configure
.Mar 14 23:52:50.061: tty67 AAA/AUTHOR/CMD(305574360): send AV cmd-arg=terminal
.Mar 14 23:52:50.065: tty67 AAA/AUTHOR/CMD(305574360): send AV cmd-arg=<cr>
.Mar 14 23:52:50.065: tty67 AAA/AUTHOR/CMD(305574360): found list "vty"
.Mar 14 23:52:50.065: tty67 AAA/AUTHOR/CMD(305574360): Method=tacacs+ (tacacs+)
R1(config)#
.Mar 14 23:52:50.065: AAA/AUTHOR/TAC+: (305574360): user=user5
.Mar 14 23:52:50.065: AAA/AUTHOR/TAC+: (305574360): send AV service=shell
.Mar 14 23:52:50.065: AAA/AUTHOR/TAC+: (305574360): send AV cmd=configure
.Mar 14 23:52:50.065: AAA/AUTHOR/TAC+: (305574360): send AV cmd-arg=terminal
.Mar 14 23:52:50.065: AAA/AUTHOR/TAC+: (305574360): send AV cmd-arg=<cr>
.Mar 14 23:52:50.273: AAA/AUTHOR (305574360): Post authorization status = PASS_ADD
.Mar 14 23:52:50.273: AAA/MEMORY: free_user (0x83160050) user='user5' ruser='R1' port='tty67' rem_addr='195.1.112.2' authen_type=ASCII service=NONE priv=5 vrf= (id=0)
R1(config)#
On 11/8/06, Lab Rat #109385382 <techlist01@gmail.com> wrote:
>
> All the command levels you set up for TACACS+ authorization will never
> reference the local router, but will be sent to the ACS.
>
> Doesn't matter what you do on the router unless you are referencing certain
> commands there (e.g., "aaa authorization commands 5 LOCAUTH local")
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Kal Han
> Sent: Wednesday, November 08, 2006 6:11 PM
> To: Cisco certification; ccielab
> Subject: aaa command authorization using tacacs.
>
> Hello All,
>
> Say I created a user with privilege level 5 on ACS,
> so when the user logs in, he is assigned a privilege level of 5.
> Now I enabled aaa command authorization on the router for privilege levels
> 1, 5, 15. (I did not configure any "privilege exec" or "privilege configure"
> commands on the router.) I want to leave everything to tacacs.
>
> I configured certain commands to be authorized for this user5 *on tacacs*.
> example: on tacacs, I permitted "configure terminal" command.
> ( which is at privilege level 15 on the router )
>
> Will the user be able to execute that command ??
>
> Will the router even send any request to tacacs when the user executes
> "configure terminal"? Given that the user is at privilege level 5 and the
> command is by default at level 15, does the router simply reject the cli?
>
> How do we handle such a situation ?
> Is creating "privilege exec level 5 configure terminal" the only way (if the
> above doesn't work)? Can tacacs alone handle "complete" command
> authorization without any additional config on the router, other than the aaa
> authorization commands?
>
> Please let me know.
> Thanks
> Kal
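The debug output above shows the order of the two checks: the IOS parser only accepts a command that exists at the user's current privilege level, and only a command the parser accepts generates an AAA/AUTHOR/CMD request (service=shell, cmd=..., cmd-arg=..., cmd-arg=<cr>) to the TACACS+ server. A command hidden at that level fails with "% Invalid input" before AAA is involved, which is why no request was seen until "privilege exec level 5 configure terminal" moved the command down to level 5; once it is moved, every level-5 user can reach the parser with it, so the TACACS+ command policy has to be the thing that denies it. The script below is an added example, not code from the thread or from Cisco: it models that ordering with a constructed subset of default command levels (the `overrides` dict stands in for "privilege exec level" entries), parses the thread's own debug lines (rejoined where they had wrapped, embedded as `SAMPLE_DEBUG`) to recover what was sent and the result, and includes a constructed deny-by-default server policy (`tacacs_decision`) that is not ACS's matcher.

```python
import re
from dataclasses import dataclass, field

# Constructed subset of default IOS command privilege levels; "configure" is 15 by default.
DEFAULT_CMD_LEVELS = {"show": 1, "ping": 1, "configure": 15}


def visible_commands(user_level, overrides=None):
    """Top-level commands the IOS parser accepts at user_level. `overrides` is a
    hypothetical dict modelling `privilege exec level N <cmd>`: {"configure": 5}
    stands for `privilege exec level 5 configure terminal`."""
    levels = dict(DEFAULT_CMD_LEVELS)
    levels.update(overrides or {})
    return {cmd for cmd, lvl in levels.items() if lvl <= user_level}


def build_av_pairs(command):
    """AV pairs in a command-authorization request, in the order the debug shows:
    service=shell, cmd=<first word>, cmd-arg=<each argument>, cmd-arg=<cr>."""
    words = command.split()
    pairs = ["service=shell", f"cmd={words[0]}"]
    pairs += [f"cmd-arg={w}" for w in words[1:]]
    pairs.append("cmd-arg=<cr>")
    return pairs


def authorize(command, user_level, overrides=None):
    """Parser gate first; only a command the parser accepts at this level
    produces a TACACS+ request. Returns ("invalid", None) or ("sent", av_pairs)."""
    if command.split()[0] not in visible_commands(user_level, overrides):
        return ("invalid", None)  # "% Invalid input", no AAA/AUTHOR debug at all
    return ("sent", build_av_pairs(command))


def tacacs_decision(av_pairs, policy):
    """Constructed deny-by-default server policy: policy maps a command word to
    regexes that must fully match the argument string. Not ACS's own matcher."""
    cmd = next(p.split("=", 1)[1] for p in av_pairs if p.startswith("cmd="))
    args = " ".join(p.split("=", 1)[1] for p in av_pairs
                    if p.startswith("cmd-arg=") and p != "cmd-arg=<cr>")
    for pattern in policy.get(cmd, []):
        if re.fullmatch(pattern, args):
            return "PASS"
    return "FAIL"


@dataclass
class AuthorRequest:
    req_id: str
    user: str = None
    av_pairs: list = field(default_factory=list)
    method: str = None
    status: str = None

    def command(self):
        """Rebuild the command string from the cmd/cmd-arg pairs, dropping <cr>."""
        vals = [p.split("=", 1)[1] for p in self.av_pairs if p.startswith("cmd")]
        return " ".join(v for v in vals if v != "<cr>")


REQ_ID = re.compile(r"\((\d+)\)")


def parse_aaa_debug(text):
    """Group `debug aaa authorization` lines by request id; record the user, the AV
    pairs handed to the TACACS+ method, the method name and the final status."""
    reqs = {}
    for line in text.splitlines():
        m = REQ_ID.search(line)
        if not m or "AAA/AUTHOR" not in line:
            continue
        req = reqs.setdefault(m.group(1), AuthorRequest(m.group(1)))
        u = re.search(r"user='?([^'\s]+)'?", line)
        if u and req.user is None:
            req.user = u.group(1)
        if "AAA/AUTHOR/TAC+" in line:  # the CMD layer logs the same AVs; count them once
            av = re.search(r"send AV (\S+)", line)
            if av:
                req.av_pairs.append(av.group(1))
        meth = re.search(r"Method=(\S+)", line)
        if meth:
            req.method = meth.group(1)
        st = re.search(r"Post authorization status = (\S+)", line)
        if st:
            req.status = st.group(1)
    return reqs


# Constructed sample: the thread's debug lines with the wrapped lines rejoined.
SAMPLE_DEBUG = """\
.Mar 14 23:52:50.061: tty67 AAA/AUTHOR/CMD(305574360): Port='tty67' list='vty' service=CMD
.Mar 14 23:52:50.061: AAA/AUTHOR/CMD: tty67(305574360) user='user5'
.Mar 14 23:52:50.061: tty67 AAA/AUTHOR/CMD(305574360): send AV service=shell
.Mar 14 23:52:50.061: tty67 AAA/AUTHOR/CMD(305574360): send AV cmd=configure
.Mar 14 23:52:50.061: tty67 AAA/AUTHOR/CMD(305574360): send AV cmd-arg=terminal
.Mar 14 23:52:50.065: tty67 AAA/AUTHOR/CMD(305574360): send AV cmd-arg=<cr>
.Mar 14 23:52:50.065: tty67 AAA/AUTHOR/CMD(305574360): found list "vty"
.Mar 14 23:52:50.065: tty67 AAA/AUTHOR/CMD(305574360): Method=tacacs+ (tacacs+)
.Mar 14 23:52:50.065: AAA/AUTHOR/TAC+: (305574360): user=user5
.Mar 14 23:52:50.065: AAA/AUTHOR/TAC+: (305574360): send AV service=shell
.Mar 14 23:52:50.065: AAA/AUTHOR/TAC+: (305574360): send AV cmd=configure
.Mar 14 23:52:50.065: AAA/AUTHOR/TAC+: (305574360): send AV cmd-arg=terminal
.Mar 14 23:52:50.065: AAA/AUTHOR/TAC+: (305574360): send AV cmd-arg=<cr>
.Mar 14 23:52:50.273: AAA/AUTHOR (305574360): Post authorization status = PASS_ADD
"""

if __name__ == "__main__":
    print(authorize("configure terminal", 5))                    # parser gate: invalid
    print(authorize("configure terminal", 5, {"configure": 5}))  # request is now built
    req = parse_aaa_debug(SAMPLE_DEBUG)["305574360"]
    print(req.user, req.command(), req.method, req.status)
```

Run it as-is to see the two outcomes side by side; the parsed request reproduces the AV list that `authorize` builds once the override is in place, and the policy function shows that after the override the server, not the router, is what stops "configure memory" or any other argument you did not permit.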
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:45 ART