From: Kal Han (calikali2006@gmail.com)
Date: Thu Nov 09 2006 - 01:12:24 ART
I am entering the privilege command on the router.
On the ACS I assigned user5 a shell command authorization set.
In that set I configured permit for "configure terminal",
and that's the result I'm seeing.
Given that my TACACS config permits user5 with priv 5 to execute
configure terminal,
ideally I should be allowed to execute configure terminal... right?
Not looking in the local database.
I mean the user should be able to execute any command permitted
by the TACACS config (for that user), irrespective of what the
default privilege level for that command is on the router.
Is that right?
I am not able to see that behavior!
Did you try and see a different behavior?
Thanks
Kal
On 11/8/06, Lab Rat #109385382 <techlist01@gmail.com> wrote:
>
> << but when I use ( only when I use the following command )
> "*privile exec level 5 configure terminal*", ONLY then the router
> is sending the command check to TACACS. >>
>
>
>
> Where are you entering this command? On the router or the ACS?
>
>
>
> There is nothing your config is doing which should be referencing the
> local database privileges. Your ACS config may be the issue.
>
>
>
> *From:* Kal Han [mailto:calikali2006@gmail.com]
> *Sent:* Wednesday, November 08, 2006 7:24 PM
> *To:* techlist01@gmail.com
> *Cc:* Cisco certification; ccielab
> *Subject:* Re: aaa command authorization using tacacs.
>
>
>
> Hi
>
> (I'm providing some debug outputs and my config; please correct what's wrong.)
>
> I am using 12.2(15)T and I don't see the expected behavior (the one you
> pointed out).
>
> With the following config, when a level 5 user telnets to the router and
> executes "configure terminal", the router complains that it's an unknown
> command:
>
> R2#telnet 172.16.2.1
> Trying 172.16.2.1 ... Open
>
> Username: user5
> Password:
>
> R1#conf t
> ^
> % Invalid input detected at '^' marker.
>
> R1#
>
> But when I use (and only when I use) the following command,
> "privile exec level 5 configure terminal", ONLY then is the router
> sending the command check to TACACS.
>
> *My Config*
> aaa new-model
> aaa authentication login vty group tacacs+
> aaa authorization exec vty group tacacs+
> aaa authorization commands 1 vty group tacacs+
> aaa authorization commands 5 vty group tacacs+
> aaa authorization commands 15 vty group tacacs+
> aaa session-id common
>
> line vty 0 4
> password cisco
> authorization commands 1 vty
> authorization commands 5 vty
> authorization commands 15 vty
> authorization exec vty
> login authentication vty
>
> *Debug Outputs*
>
> R1(config)#privile exec level 5 configure terminal
> R1(config)#
> R1(config)#
> .Mar 14 23:52:50.061: AAA: parse name=tty67 idb type=-1 tty=-1
> .Mar 14 23:52:50.061: AAA: name=tty67 flags=0x11 type=5 shelf=0 slot=0
> adapter=0 port=67 channel=0
> .Mar 14 23:52:50.061: AAA/MEMORY: create_user (0x83160050) user='user5'
> ruser='R1' ds0=0 port='tty67' rem_addr='195.1.112.2' authen_type=ASCII
> service=NONE priv=5 initial_task_id='0', vrf= (id=0)
> .Mar 14 23:52:50.061: tty67 AAA/AUTHOR/CMD(305574360): Port='tty67'
> list='vty' service=CMD
> .Mar 14 23:52:50.061: AAA/AUTHOR/CMD: tty67(305574360) user='user5'
> .Mar 14 23:52:50.061: tty67 AAA/AUTHOR/CMD(305574360): send AV
> service=shell
> .Mar 14 23:52:50.061: tty67 AAA/AUTHOR/CMD(305574360): send AV
> cmd=configure
> .Mar 14 23:52:50.061: tty67 AAA/AUTHOR/CMD(305574360): send AV
> cmd-arg=terminal
> .Mar 14 23:52:50.065: tty67 AAA/AUTHOR/CMD(305574360): send AV
> cmd-arg=<cr>
> .Mar 14 23:52:50.065: tty67 AAA/AUTHOR/CMD(305574360): found list "vty"
> .Mar 14 23:52:50.065: tty67 AAA/AUTHOR/CMD(305574360): Method=tacacs+
> (tacacs+)
> .Mar 14
> R1(config)# 23:52:50.065: AAA/AUTHOR/TAC+: (305574360): user=user5
> .Mar 14 23:52:50.065: AAA/AUTHOR/TAC+: (305574360): send AV service=shell
> .Mar 14 23:52:50.065: AAA/AUTHOR/TAC+: (305574360): send AV cmd=configure
> .Mar 14 23:52:50.065: AAA/AUTHOR/TAC+: (305574360): send AV
> cmd-arg=terminal
> .Mar 14 23:52:50.065: AAA/AUTHOR/TAC+: (305574360): send AV cmd-arg=<cr>
> .Mar 14 23:52:50.273: AAA/AUTHOR (305574360): Post authorization status =
> PASS_ADD
> .Mar 14 23:52:50.273: AAA/MEMORY: free_user (0x83160050) user='user5'
> ruser='R1' port='tty67' rem_addr=' 195.1.112.2' authen_type=ASCII
> service=NONE priv=5 vrf= (id=0)
> R1(config)#
>
>
>
>
>
> On 11/8/06, *Lab Rat #109385382* <techlist01@gmail.com> wrote:
>
> All the command levels you set up for TACACS+ authorization will never
> reference the local router, but will be sent to the ACS.
>
> Doesn't matter what you do on the router unless you are referencing
> certain
> commands there (e.g., "aaa authorization commands 5 LOCAUTH local")
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Kal Han
> Sent: Wednesday, November 08, 2006 6:11 PM
> To: Cisco certification; ccielab
> Subject: aaa command authorization using tacacs.
>
> Hello All,
>
> Say I created a user with privilege level 5 on ACS,
> so when the user logs in, he is assigned a privilege level of 5.
> Now I enabled aaa command authorization on the router for privilege levels
> 1, 5, 15. (I did not configure any "privilege exec" or "privilege configure"
> commands on the router.) I want to leave everything to TACACS.
>
> I configured certain commands to be authorized for this user5 *on tacacs*.
>
> example: on tacacs, I permitted "configure terminal" command.
> ( which is at privilege level 15 on the router )
>
> Will the user be able to execute that command ??
>
> Will the router even send any request to TACACS when the user executes
> "configure terminal", given that the user is at privilege level 5 and the
> command is by default at level 15? (Or does the router simply reject the
> CLI?)
>
> How do we handle such a situation?
> Is creating "privilege exec level 5 configure terminal" the only way (if the
> above doesn't work)? (Can TACACS alone handle "complete" command
> authorization without any additional config on the router, other than the
> aaa authorization command...)
>
> Please let me know.
> Thanks
> Kal
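The debug output quoted above shows the order of events the thread is circling around: no TACACS+ request appears at all until "configure terminal" is made visible at the session's privilege level, and only then does the router send the AV pairs service=shell, cmd=configure, cmd-arg=terminal and receive PASS_ADD. The following Python model is an added illustration written for this archive page, not IOS code and not anything posted in the thread. It encodes the two gates in that order; the privilege table, the ACS-style command set, the user name and level are constructed sample data, and keying the privilege table on the first command word is a simplification of the real IOS command tree.

```python
"""Two-gate model of IOS command authorization with TACACS+ (added illustration, not IOS code).

Gate 1, local parser: a command must exist at or below the session's privilege
level, otherwise the parser answers '% Invalid input' and no AAA request is built.
Gate 2, AAA: the accepted command is sent to TACACS+ as AV pairs
(service=shell, cmd=..., cmd-arg=..., cmd-arg=<cr>) and the server's shell
command authorization set returns PASS_ADD or FAIL.

Privilege table, ACS command set and user data below are constructed samples.
"""
from dataclasses import dataclass, field

# Constructed subset of the IOS default privilege table: first keyword -> level.
# Real IOS keys on the full command tree; a single keyword is a simplification.
DEFAULT_PRIVILEGE = {"show": 1, "ping": 1, "configure": 15, "reload": 15}


@dataclass
class Router:
    privilege: dict = field(default_factory=lambda: dict(DEFAULT_PRIVILEGE))
    tacacs_requests: list = field(default_factory=list)  # AV pairs actually sent

    def privilege_exec(self, level: int, command: str) -> None:
        """Model of 'privilege exec level <level> <command>': lower the keyword's level."""
        self.privilege[command.split()[0]] = level


@dataclass
class TacacsShellSet:
    """ACS-style shell command authorization set: cmd -> permitted argument strings."""
    permits: dict

    def authorize(self, cmd: str, args: list) -> str:
        allowed = self.permits.get(cmd)
        if allowed is not None and " ".join(args) in allowed:
            return "PASS_ADD"
        return "FAIL"


def run_command(router: Router, tacacs: TacacsShellSet, user: str, priv: int, line: str) -> dict:
    """Return what the session would see and whether TACACS+ was consulted."""
    words = line.split()
    cmd, args = words[0], words[1:]
    # Gate 1: the parser never offers a level-15 keyword to a level-5 session,
    # so the command fails locally and no authorization request is generated.
    required = router.privilege.get(cmd)
    if required is None or required > priv:
        return {"sent_to_tacacs": False, "result": "% Invalid input detected at '^' marker."}
    # Gate 2: AV pairs in the shape 'debug aaa authorization' prints them.
    av = [("service", "shell"), ("cmd", cmd)] + [("cmd-arg", a) for a in args] + [("cmd-arg", "<cr>")]
    router.tacacs_requests.append({"user": user, "priv": priv, "av": av})
    return {"sent_to_tacacs": True, "result": tacacs.authorize(cmd, args)}


def demo() -> dict:
    """user5 (level 5) tries 'configure terminal' before and after the privilege command."""
    acs = TacacsShellSet({"configure": {"terminal"}, "show": {"version", "running-config"}})
    default_router = Router()
    before = run_command(default_router, acs, "user5", 5, "configure terminal")
    tuned_router = Router()
    tuned_router.privilege_exec(5, "configure terminal")
    after = run_command(tuned_router, acs, "user5", 5, "configure terminal")
    # A command the parser accepts but the ACS set does not permit is denied by gate 2.
    denied = run_command(tuned_router, acs, "user5", 5, "show ip route")
    return {"before": before, "after": after, "denied": denied,
            "requests_sent": len(tuned_router.tacacs_requests)}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Running `demo()` reproduces the thread's observation: with the default table the level-5 session gets the parser's "Invalid input" and the request counter stays at zero, and after `privilege_exec(5, "configure terminal")` the request is sent and the ACS set decides. The model covers exec-mode commands only; once a user is inside configuration mode, IOS authorizes each config command separately (the `aaa authorization config-commands` setting), which the thread's configuration does not show.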
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:45 ART