RE: aaa command authorization using tacacs.

From: Lab Rat #109385382 (techlist01@gmail.com)
Date: Thu Nov 09 2006 - 00:48:24 ART


<< but when I use ( only when I use the following command )
"privile exec level 5 configure terminal", ONLY then the router
is sending the command check to TACACS. >>
Where are you entering this command? On the router or the ACS?
There is nothing your config is doing which should be referencing the local
database privileges. Your ACS config may be the issue.
From: Kal Han [mailto:calikali2006@gmail.com]
Sent: Wednesday, November 08, 2006 7:24 PM
To: techlist01@gmail.com
Cc: Cisco certification; ccielab
Subject: Re: aaa command authorization using tacacs.
Hi

(I'm providing some debug outputs and my config, please correct what's
wrong.)

I am using 12.2(15)T and I don't see the expected behavior (the one you
pointed out) with the following config: when a level 5 user telnets to
the router and executes "configure terminal", the router is complaining
that it's an unknown command:

R2#telnet 172.16.2.1
Trying 172.16.2.1 ... Open

Username: user5
Password:

R1#conf t
      ^
% Invalid input detected at '^' marker.

R1#

but when I use ( only when I use the following command )
"privile exec level 5 configure terminal", ONLY then the router
is sending the command check to TACACS.

My Config
aaa new-model
aaa authentication login vty group tacacs+
aaa authorization exec vty group tacacs+
aaa authorization commands 1 vty group tacacs+
aaa authorization commands 5 vty group tacacs+
aaa authorization commands 15 vty group tacacs+
aaa session-id common

line vty 0 4
 password cisco
 authorization commands 1 vty
 authorization commands 5 vty
 authorization commands 15 vty
 authorization exec vty
 login authentication vty

Debug Outputs

R1(config)#privile exec level 5 configure terminal
R1(config)#
R1(config)#
.Mar 14 23:52:50.061: AAA: parse name=tty67 idb type=-1 tty=-1
.Mar 14 23:52:50.061: AAA: name=tty67 flags=0x11 type=5 shelf=0 slot=0
adapter=0 port=67 channel=0
.Mar 14 23:52:50.061: AAA/MEMORY: create_user (0x83160050) user='user5'
ruser='R1' ds0=0 port='tty67' rem_addr='195.1.112.2' authen_type=ASCII
service=NONE priv=5 initial_task_id='0', vrf= (id=0)
.Mar 14 23:52:50.061: tty67 AAA/AUTHOR/CMD(305574360): Port='tty67'
list='vty' service=CMD
.Mar 14 23:52:50.061: AAA/AUTHOR/CMD: tty67(305574360) user='user5'
.Mar 14 23:52:50.061: tty67 AAA/AUTHOR/CMD(305574360): send AV service=shell

.Mar 14 23:52:50.061: tty67 AAA/AUTHOR/CMD(305574360): send AV cmd=configure
.Mar 14 23:52:50.061: tty67 AAA/AUTHOR/CMD(305574360): send AV
cmd-arg=terminal
.Mar 14 23:52:50.065: tty67 AAA/AUTHOR/CMD(305574360): send AV cmd-arg=<cr>
.Mar 14 23:52:50.065: tty67 AAA/AUTHOR/CMD(305574360): found list "vty"
.Mar 14 23:52:50.065: tty67 AAA/AUTHOR/CMD(305574360): Method=tacacs+
(tacacs+)
.Mar 14
R1(config)# 23:52:50.065: AAA/AUTHOR/TAC+: (305574360): user=user5
.Mar 14 23:52:50.065: AAA/AUTHOR/TAC+: (305574360): send AV service=shell
.Mar 14 23:52:50.065: AAA/AUTHOR/TAC+: (305574360): send AV cmd=configure
.Mar 14 23:52:50.065: AAA/AUTHOR/TAC+: (305574360): send AV cmd-arg=terminal

.Mar 14 23:52:50.065: AAA/AUTHOR/TAC+: (305574360): send AV cmd-arg=<cr>
.Mar 14 23:52:50.273: AAA/AUTHOR (305574360): Post authorization status =
PASS_ADD
.Mar 14 23:52:50.273: AAA/MEMORY: free_user (0x83160050) user='user5'
ruser='R1' port='tty67' rem_addr=' 195.1.112.2' authen_type=ASCII
service=NONE priv=5 vrf= (id=0)
R1(config)#
On 11/8/06, Lab Rat #109385382 <techlist01@gmail.com> wrote:

All the command levels you set up for TACACS+ authorization will never
reference the local router, but will be sent to the ACS.

Doesn't matter what you do on the router unless you are referencing certain
commands there (e.g., "aaa authorization commands 5 LOCAUTH local")

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Kal
Han
Sent: Wednesday, November 08, 2006 6:11 PM
To: Cisco certification; ccielab
Subject: aaa command authorization using tacacs.

Hello All,

Say I created a user with privilege level 5 on ACS, so when the user logs
in, he is assigned a privilege level of 5. Now I enabled aaa command
authorization on the router for privilege levels 1, 5, 15. (I did not
configure any "privilege exec" or "privilege configure" commands on the
router.) I want to leave everything to tacacs.

I configured certain commands to be authorized for this user5 *on tacacs*.
Example: on tacacs, I permitted the "configure terminal" command (which is
at privilege level 15 on the router).

Will the user be able to execute that command?

Will the router even send any request to tacacs when the user executes
"configure terminal", given that the user is at privilege level 5 and the
command is by default at level 15? (Or does the router simply reject the
CLI?)

How do we handle such a situation?
Is creating "privilege exec level 5 configure terminal" the only way (if
the above doesn't work)? (Can tacacs alone handle "complete" command
authorization without any additional config on the router, other than the
aaa authorization command ...)

Please let me know.
Thanks
Kal
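
As an added example (not part of this thread), here is a small Python script for reviewing "debug aaa authorization" output like the one Kal posted: it rejoins the lines that e-mail wrapping split, drops the console prompt the terminal interleaved into a log line, and reports per authorization session which command string the router sent to the server, through which method, and the result. The sample input is a constructed, abridged copy of that debug output; the prompt pattern assumes IOS-style "R1#" / "R1(config)#" prompts.

```python
import re
# Constructed sample, abridged from the debug output above: keeps e-mail wrapping and the interleaved prompt.
SAMPLE = """\
R1(config)#privile exec level 5 configure terminal
.Mar 14 23:52:50.061: AAA/AUTHOR/CMD: tty67(305574360) user='user5'
.Mar 14 23:52:50.061: tty67 AAA/AUTHOR/CMD(305574360): send AV service=shell

.Mar 14 23:52:50.061: tty67 AAA/AUTHOR/CMD(305574360): send AV cmd=configure
.Mar 14 23:52:50.061: tty67 AAA/AUTHOR/CMD(305574360): send AV
cmd-arg=terminal
.Mar 14 23:52:50.065: tty67 AAA/AUTHOR/CMD(305574360): send AV cmd-arg=<cr>
.Mar 14 23:52:50.065: tty67 AAA/AUTHOR/CMD(305574360): Method=tacacs+
(tacacs+)
.Mar 14
R1(config)# 23:52:50.065: AAA/AUTHOR/TAC+: (305574360): user=user5
.Mar 14 23:52:50.273: AAA/AUTHOR (305574360): Post authorization status =
PASS_ADD
R1(config)#
"""

PROMPT_RE = re.compile(r"^[\w-]+(?:\([\w-]+\))?[#>]\s*")  # "R1#", "R1(config)#" (assumed prompt style)
TS_RE = re.compile(r"^[.*]?[A-Z][a-z]{2}\s+\d{1,2}\b")  # ".Mar 14 ..." opens a new log record
USER_RE = re.compile(r"AAA/AUTHOR/CMD: \S+\((\d+)\) user='([^']*)'")
AV_RE = re.compile(r"AAA/AUTHOR/CMD\((\d+)\): send AV (\S+)=(.*)$")
METHOD_RE = re.compile(r"AAA/AUTHOR/CMD\((\d+)\): Method=(\S+)")
STATUS_RE = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\S+)")

def unwrap(raw):  # rejoin wrapped log lines and drop prompts the terminal interleaved
    records = []
    for line in raw.splitlines():
        line = PROMPT_RE.sub("", line).strip()
        if TS_RE.match(line):
            records.append(line)
        elif line and records:  # continuation of the previous record
            records[-1] += " " + line
    return records

def summarize(raw):  # per authorization session: user, command sent, method, result
    sessions = {}
    for rec in unwrap(raw):
        for regex, field in ((USER_RE, "user"), (METHOD_RE, "method"), (STATUS_RE, "status")):
            if m := regex.search(rec):
                sessions.setdefault(m.group(1), {"args": []})[field] = m.group(2)
        m = AV_RE.search(rec)
        if m and m.group(2) in ("cmd", "cmd-arg") and m.group(3) != "<cr>":  # skip service=, <cr>
            sessions.setdefault(m.group(1), {"args": []})["args"].append(m.group(3))
    return [{"id": sid, "user": s.get("user"), "command": " ".join(s["args"]),
             "method": s.get("method"), "status": s.get("status")}
            for sid, s in sessions.items()]
```

A session whose command line never appears here at all was rejected by the parser before any AAA request was made, which is the difference between the two behaviours described in the thread.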



This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:45 ART