Cisco Secure AAA configuration issue

menace212
I'm configuring a Cisco Access Server for the routers in my network, but I'm confused about what AAA configuration I should use in the router when I'm configuring the helpdesk for minimal router access. For example, I just want the helpdesk to use sh run and nothing else. But when I set the max privileges in the Cisco Secure application server to anything below 15, it tells me that the TACACS+ enable privileges are too low. Am I missing something? Can someone give me a sample AAA configuration example for the routers to solve this problem? I believe I need aaa authorization. Any help would be appreciated.
 
You authenticate first, then you authorize commands. You need to set the privilege level on the commands that need to be used. So if you set the privilege of show access-list to 10, the user must have privilege level 10 or higher to use the command.

If it is just a small group of users on just a few devices, it might be easier to set up usernames and use LOCAL authentication and authorization rather than the Secure Server.

privilege show level 10 command access-list

username thestupiduser password ihatelife privilege 10

aaa authorization command LOCAL

thestupiduser is at level 10, which means he can use show access-list and use the LOCAL database on the PIX or whatever to authorize the use of the command.

Mike S

Home of the book "Network Security Using Linux"
 
Yeah, I have it configured in the ACS server under the group called helpdesk, where they have an enable max privilege of 10 instead of the full rights of 15. Plus I have configured in the group that command authorization allows only the show commands. Each user assigned to this group should only use the show commands. But when I test and log on as a helpdesk user it won't let me go into enable mode; it tells me error in authentication.

So when I look in the failed attempts log on the server, the reason it gives me is "TACACS+ privileges is too low". And that's what I don't understand, especially when I gave the group enable privileges of 10.


Now I've used the privilege command in the router, but it gives the same result. The default privilege level in the router is 15. Can I add or change the level in the router? What command would do this?
 
What is the AAA config for Authorization on your router? I suspect this is the problem, it should read something like:

aaa authentication login default group ACS local
aaa authentication enable default group ACS enable
aaa authorization exec default group ACS if-authenticated

Plus you will need to add the line to make the show command a privilege level 10 command:

privilege exec level 10 show


On ACS you also need to make the user a Level-10 user by default, I can't remember where this is but it ISN'T the setting that reads something like 'maximum level for user/group'. It reads something like 'user privilege level' or 'default user privilege level'.

Good luck

Andy
 
To add to my last post, instead of making the user a level 10 user by default you can select the enable level by logging into the router and typing:

enable <level 0-15>


So your helpdesk users log in and type 'enable 10' and enter their password. If you type enable without a level it defaults to level 15.

Andy
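Putting Andy's two posts together, the following is a complete IOS configuration for the setup discussed in this thread: login and enable authentication against ACS, ACS-assigned exec level, per-command authorization for the level-10 helpdesk role, and show moved down to level 10. This is an added example, not configuration posted by anyone in the thread. The server group name ACS comes from Andy's lines; the server address, the TACACS+ key, the fallback account name and every password are placeholders, and the local fallback account itself is an assumption. IOS privilege levels run from 0 to 15.

```cisco
! Added example, not from the thread. Placeholders: 192.0.2.10, the
! TACACS+ key, the fallback username and all secrets.
aaa new-model
!
tacacs-server host 192.0.2.10 key TACACS_KEY_PLACEHOLDER
aaa group server tacacs+ ACS
 server 192.0.2.10
!
! Authenticate logins and enable against ACS; fall back to the local
! user database / enable secret only when the server group is unreachable.
aaa authentication login default group ACS local
aaa authentication enable default group ACS enable
!
! Let ACS assign the exec privilege level (the "user privilege level"
! setting Andy mentions). if-authenticated avoids a lockout when ACS is down.
aaa authorization exec default group ACS if-authenticated
!
! Per-command authorization for level 10 and level 15 sessions, so ACS's
! helpdesk group (show commands only) is enforced on every command typed.
aaa authorization commands 10 default group ACS if-authenticated
aaa authorization commands 15 default group ACS if-authenticated
!
! Send every privileged command to ACS accounting so it can be reviewed later.
aaa accounting commands 10 default start-stop group ACS
aaa accounting commands 15 default start-stop group ACS
!
! Make show (and show running-config, which is level 15 by default)
! available at level 10.
privilege exec level 10 show
privilege exec level 10 show running-config
!
! Local fallback credentials, used only if ACS cannot be reached.
username helpdesk-fallback privilege 10 secret LOCAL_PW_PLACEHOLDER
enable secret level 10 ENABLE10_PLACEHOLDER
enable secret ENABLE15_PLACEHOLDER
!
line vty 0 4
 transport input ssh
```

With this in place a helpdesk user either lands directly at level 10 after login (when ACS assigns that exec level) or types `enable 10`, as Andy describes; a plain `enable` still asks ACS for level 15 and is refused for a group capped at 10, which is the "privileges too low" entry in the failed attempts log. Two caveats worth knowing: with `if-authenticated` the router accepts any command from an authenticated user while ACS is unreachable, so the fallback accounts should be few and their passwords strong; and a level-10 user running `show running-config` sees only the parts of the configuration that level is allowed to configure, not the full config, so check that the output meets the helpdesk's actual need before relying on it.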
 
Thanks Andy, I'll try that. I'll come back with my aaa script.
 