Tacacs AAA and privilege level 7

Similar Messages

• ASDM and privilege level (using TACACS)

  Hi experts,
  Initial question:     How can I force ASDM to ask for the enable password when the user click on Apply ?
  Environment description:
  I have an ASA 5510 connected to an ACS 5.0.
  Security policy:
  I want the user defined on my ACS to be able to gain privilege level 15 but only after using their enable password. But by default the user must be in no privileged mode (<15).
  A SNMP alert is sent when the ASA catches a "User priv level changed" syslog message. (logging customization)
  ACS configuration:
  Maybe I misunderstand the TACACS privilege level parameters on ACS.
  I set a Shell Profile which gives the user the following privilege levels:
  Default Privilege Level = 7
  Maximum Privilege Level = 15
  1st config tested on ASA:
  aaa authentication ssh console grp-tacacs LOCAL
  aaa authentication http console grp-tacacs LOCAL
  aaa authentication enable console grp-tacacs LOCAL
  ! no authorization set
  Results:
       On CLI:     perfect
  My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and his enable password
       On ASDM:     policy security failure
  When the user connects through ASDM, he gains privilege level 15 directly
  It seems that if authorization is not set, ASDM always gives privilege level 15 to any user
  So OK for CLI, but NOK pour ASDM
  2nd config tested on ASA:
  aaa authentication ssh console grp-tacacs LOCAL
  aaa authentication  http console grp-tacacs LOCAL
  aaa authentication enable console grp-tacacs LOCAL
  aaa authorization exec authentication-server
  ! no authorization command set
  Results:
       On CLI:     lose enable access
  I can't gain privilege level 15 access anymore. When I use the enable command, I move to privilege level 7 only. So in this case ASA use the TACACS Default Privilege Level value.
       On ASDM:     policy security failure
  When the user connects through ASDM, he gains privilege level 7 as describe on the bottom of the ASDM window BUT the user has full rights and can change settings.
  So NOK for CLI and ASDM
  Question:    Why do I have more access rights with ASDM as on CLI with the same settings ?
  3rd config tested on ASA:
  aaa authentication ssh console grp-tacacs LOCAL
  aaa authentication  http console grp-tacacs LOCAL
  aaa authentication enable console grp-tacacs LOCAL
  aaa authorization exec authentication-server
  aaa authorization command LOCAL
  ! specific authorization command set for ASDM applied
  Results:
       On CLI:     lose enable access (same as config 2)
       On ASDM:     unenable to gain privilege level 15 --> acceptable
  When the user connects through ASDM, he gains privilege level 7 as describe on the bottom of the ASDM window AND the user really has level 7 access rights.
  So NOK for CLI and Acceptable for ASDM
  Question:     Is there no possibility to move to enable mode on ASDM ?
  4th config tested on ASA:
  aaa authentication ssh console grp-tacacs LOCAL
  aaa authentication  http console grp-tacacs LOCAL
  aaa authorization exec authentication-server
  aaa authorization command LOCAL
  ! no aaa authentication for 'enable access', using local enable_15 account
  ! specific authorization command set for ASDM applied
  Results:
       On CLI:     acceptable
  My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and the local enable password
       On ASDM:     unenable to gain privilege level 15 --> acceptable (same as config 3)
  So Acceptable for CLI and ASDM
  Questions review:
  1 - Is it possible to force ASDM to ask for the enable password when the user click on Apply ?
  2 - Why do I have different access rights using ASDM as on CLI with the same settings ?
  3 -  Is there no possibility to move to enable mode on ASDM when the user is on privilege level 7 whereas he has Maximum Privilege Level = 15 ?
  4 - How may I understand these parameters on TACACS: Default Privilege Level and Maximum Privilege Level ?
  Thanks for your help.

  Thanks for your answer jedubois.
  In fact, my security policy is like this:
  A) Authentication has to be nominative with password enforcement policy
       --> I'm using CS ACS v5.1 appliance with local user database on it
  B) Every "network" user can be granted priviledge level 15
       --> max user priviledged level is set to 15 in my authentication mechanism on ACS
  C) A "network" user can log onto the network equipments (RTR, SW and FW) but having monitor access only first.
  D) A "network" user can be granted priviledged level 15 after a second authentication which generates a log message
       --> SNMP trap sent to supervision server
  E) The user password and enable password have to be personal.
  So, I need only 2 priviledged level:
  - monitor (any level from 1 to 14. I set 7)
  - admin (level 15)
  For RTR, SW and FW (on CLI), it works as wanted: the "network" users connect to the equipment in monitor mode. They type "enable" and they use their private enable password to be granted priviledged level 15.
  ASDM interface is requested by the customer.
  For ASDM, as I were not able to satisfy the security policy, I apply this:
  1- I activated Exec Shell Access authorization to get the default user priviledge level value from ACS
       --> Then, when I log onto the ASDM using a "network" user, I have priviledge level 7 but I am able to change the parameter.
  2- I activated LOCAL Command authorization (adding "ASDM defined User Roles")
       --> Then, when I log onto the ASDM using a "network" user, I have priviledge level 7 and I can't push any modification.
       --> The issue is that I can't push any modification on CLI either ... :-( because my user is stuck on "default priviledge level" 7 and can't get access to "max priviledge level 15" as defined on ACS when LOCAL authorization is set
       (ok I go on my ACS and move the default priviledge level to 15 to restore an admin access to the ASA and apply 3- before resetting it to default priviledge level to 7)
  3- I remove "aaa authorization enable console TACACS" to use local enable password
       --> now I can't get admin access on ASDM: OK
       --> and I can get admin access on CLI entering the local enable password
  At the end, I satisfy my policy security tokens A to D but not E. That's a good compromise but do you see a solution to satisfy E either ?
  Thanks

• RSA SecurID authentication and privilege level

  Hello,
  I'm new working with Cisco ACS, learning by seat of pants; most of the documentation on Cisco's website is fairly cryptic and does not use many pictures. Therefore,I would appreciate some help setting up privileges. We have ACS v5.2 which I have set up using RSA SecurID and appears to be working correctly. However, I'm having problems with the privilege level when I access a router it lands me in user mode. I'm trying to set up a administrator group for the routers and switches to have each member dropped in privilege level 15, exec mode but I'm having difficulty doing this.
  Unfortunately, I'm unable to find any real useful information in reference to setting up RSA SecurID. It seems more of the information is geared around radius servers. Any help would be greatly appreciated. Thank you much!

  Hello.
  Remember AAA means authentication, authorization and accounting. In your case you authenticate with RSA , but you authorize with ACS policies. For TACACS+ and traditional IOS from routers and switches you can use a ACS policy element called "shell profile" which you can use to specify some attributes like privilege level. Then you can use the "shell profile" to create an authorization policy.
  I'm attaching some screenshots. In this example I'm using AD instead of RSA because I don't have a RSA available. Please rate if it helps.

• Tacacs authorization and Priv levels

  Hi
  I'm strugling with TACACS+ and priv levels, and hoping someone out there can help me solve an issue.
  So, in this enviroment we need the following:
  Read-only users
  Users with access to some configuration commands.
  Okay, the TACACS configuration for the read-only users looks like this:
  group = readonly-users {
     default service = deny
     cmd = show            
        permit running-config
        permit interface
        permit privilege
        permit vlan
        deny .*
     service = exec
        priv-lvl = 15
  # Note that priv lvl 15 has been set to allow the users to run the "show running-config", all other commands than the one mentioned is denied.
  The TACACS configuration for the Users with configuration access looks like this.
  group = restricted-user {
     default service = deny
     cmd = show
        permit interface
        permit vlan
        permit privilege
        deny .*
     service = exec
        priv-lvl = 7
  And the following has been configured on the switches to allow further configurations, these commands we had to enable after I had made the previous read-only user in tacacs:
  privilege interface level 7 switchport access vlan
  privilege interface level 7 switchport mode access
  privilege interface level 7 switchport voice vlan
  privilege configure level 7 interface
  privilege exec level 7 configure terminal
  privilege exec level 7 show running-config
  privilege exec level 7 write memory
  It all worked just fine, the read-only users only had access to the commands configured in TACACS. But when I configured the users with configuration access and enter the privilege commands on the switch it stopped working.
  Somehow the privilege commands on the switch applies to all privilege levels above lvl 7. Meaning that my read-only users with priv lvl 15, all commands exept show commands denied, they can suddenly enter priviledged exec mode because I allowed the priv lvl 7 users to enter it.
  This does not make sense to me, because I've read on cisco's HP that when configuring privilege level commands on the equipment, you allow only that level to access the command, and not all above.
  I hope someone can help me with this issue, and it should be solved in the TACACS configuration, because the TACACS server is controlling over 500 switches and routers. So it aint just a question of reconfiguring the switches, that would take the rest of 2011.
  I hope you guys know the answer to this.
  Thanks in advance.
  Kind regards

  Thanks for your answer.
  Well when I started to configure this TACACS setup, I tried to create 2 profiles with privilege level 15 and just allow/deny the different commands. But the thing is that you cannot allow all commands in the TACACS configuration. For example, you cannot give a user privilege level 15 and deny all commands, but allow the user to configure VLANs on interfaces, and duplex settings which is what I want the users to be able to do.
  That's why I needed to configure the commands to be accessable from privilege level 7 on the equipment.
  If only I could create a profile with privilege level 15 and give the user access to the commands he needs, and only those from the TACACS configuration file, that would make it allot easier, but that just aint the way TACACS works, unfortunately.

• Ise and switch authentication and privilege level

  Hi Guys,
  I'm working on an eval on vmware. I have got everything working for wlan authentication and I’m working on shell authentication for switches. On the ACS you have the possibility to give the user privilege level on the switch. You can do this with shell profiles in ACS.
  Is there a way to get this done in ISE? I was thinking to make a result policy elements but I can't find a shell profile or privilege attributes like in ACS.
  For the record, switch authentication is working with Active Directory. I only need to know how to give the right return attribute.
  I appreciate any help!
  Sander

  @Sander,
  You were in the right area. 
  Policy->Results->Authorization->Authorization Profiles.
  Create AuthZ profile for Access-Accept and Under the Advanced Attributes Settings you can use:
  Cisco:cisco-av-pair = shell:priv-lvl=15
  or whatever privilege level you want to assign.
  On your AuthZ rule, match the conditions and apply the created profile.

• Privilege Levels on FWs, switches and Routers

  One question - I am bothered with the privilege level settings.
  Is there a default mapping between a priv lvl and teh commands you are allowed to execute or one needs to define that.
  EX: I want somebody to only have the right of executing sh run on a device and nothing more.Can this be done?
  Thx,
  Vlad

  I would start by configuring a privilege level and then use the ? to list all the commands available at that level.
  privilege level 0 - Includes the disable, enable, exit, help, and logout commands.
  privilege level 1 - Normal level on Telnet; includes all user-level commands at the router> prompt.
  privilege level 15 - Includes all enable-level commands at the router# prompt.
  Commands available at a particular level in a particular router can be found by typing a ? at the router prompt. Commands may be moved between privilege levels by using the privilege command, as illustrated in the example. While this example shows local authentication and authorization, the commands work similarly for TACACS+ or RADIUS authentication and exec authorization (more granularity in control of the router may be achieved with implementation of TACACS+ command authorization with a server.)
  Additional details on the users and privilege levels presented in the example:
  User six is able to Telnet in and execute the show run command, but the resulting configuration is virtually blank because this user cannot configure anything (configure terminal is at level 8, not at level 6). The user is not permitted to see usernames and passwords of the other users, or to see Simple Network Management Protocol (SNMP) information.
  User john is able to Telnet in and execute the show run command, but only sees commands that he can configure (the snmp-server community part of the router configuration, since this user is our network management administrator). He can configure snmp-server community because configure terminal is at level 8 (at or below level 9), and snmp-server community is a level 8 command. The user is not permitted to see usernames and passwords of the other users, but he is trusted with the SNMP configuration.
  User inout is able to Telnet in, and, by virtue of being configured for autocommand show running, sees the configuration displayed but is disconnected thereafter.
  User poweruser is able to to Telnet in and execute the show run command. This user is at level 15, and is able to see all commands. All commands are at or below level 15; users at this level can also view and control usernames and passwords.
  HTH

• Default Privilege Level for ASA users authenticated by Radius or TACACS when using ASDM

  Hello,
  I'm trying to figure out what the default privilege level is for users that are authenticated to the ASA via a remote authentication server when using the ASDM.
  the command "aaa authentication http console TACACS+ LOCAL" is used in the ASA config.
  The remote server is NOT setting any privilege levels for users.  There are also no aaa authorization commands present in the config.
  So what privilege level do the users receive when they login with the ASDM?  I'm being told that the users receive admin access which includes config write, reboot, and debug.  But I cannot find any documentation stating hte default level.
  Please advise.  And providing links to cisco documentation would be great too.
  Thanks,
  Brendan

  Hi Berendan,
  Hope the below exerpt from document clarifies your query. also i have provided the link to refer.
  About Authorization
  Authorization controls access per user after users authenticate. You can configure the security appliance to authorize the following items:
  •Management commands
  •Network access
  •VPN access
  Authorization controls the services and commands available to each authenticated user. Were you not to enable authorization, authentication alone would provide the same access to services for all authenticated users.
  If you need the control that authorization provides, you can configure a broad authentication rule, and then have a detailed authorization configuration. For example, you authenticate inside users who attempt to access any server on the outside network and then limit the outside servers that a particular user can access using authorization.
  The security appliance caches the first 16 authorization requests per user, so if the user accesses the same services during the current authentication session, the security appliance does not resend the request to the authorization server.
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/asdm60/user/guide/usrguide/aaasetup.html
  Regards
  Karthik

• Aaa radius server control privilege level

  I've got radius authentication working on my switch, but I'm trying to allow two types of users login using Windows Active Directory. NetworkUsers who can view configuration and NetworkAdmins who can do anything. I would like for NetworkAdmins to when they login go directly into privilege level 15 but cant get that part to work. Here is my setup:
  Windows 2008 R2 Domain controller with NPS installed.
  Radius client: I have the IP of the switch along with the key. I have cisco selected under the vendor name in the advance tab
  Network Policies:
  NetworkAdmins which has the networkadmin group under conditions and under settings i have nothing listed under Standard and for Vendor Specific i have :
  Cisco-AV-Pair    Cisco    shell:priv-lvl=15
  My switch config:
  aaa new-model
  aaa group server radius MTFAAA
   server name dc-01
   server name dc-02
  aaa authentication login NetworkAdmins group MTFAAA local
  aaa authorization exec NetworkAdmins group MTFAAA local
  radius server dc-01
   address ipv4 10.0.1.10 auth-port 1645 acct-port 1646
   key 7 ******
  radius server dc-02
   address ipv4 10.0.1.11 auth-port 1645 acct-port 1646
   key 7 ******
  No matter what i do it doesnt default to privilege level 15 when i login. Any thoughts

  Have you specified the authorization exec group under line vty? I think it is authorization exec command. Something like that.

• How to Assign Privilege Levels with CiscoSecure ACS TACACS+

  how to assign privilege level to a user in secure ACS TACACS+ user exist in external database
  Regards,
  Bilal

  Hi Bilal,
  Bring users/groups in at level 15
      1.  Go to user or group setup in ACS
      2.  Drop down to "TACACS+ Settings"
      3.  Place a check in "Shell (Exec)"
      4.  Place a check in "Privilege level" and enter "15" in the adjacent field
  Regards,
  ~JG
  Do rate helpful posts

• AAA Local with Privilege Levels

  The goal....
  1. local usernames on a router to control access
  2. Use privilege levels in the username command to reflect what a user is allowed to do
  3. Define a set of commands available to users with privilege level 1
  My trouble here is that I cannot seem to find this exact combination of commands for what I want to do on CCO or Google. I have tried several combinations and here is what I have so far, but its not working.
  aaa new-model
  aaa authentication login default local
  aaa authorization commands 1 default local
  username engineer priv 15 pass XXXX
  username tech priv 1 pass XXXX
  privilege exec level 1 traceroute
  
privilege exec level 1 ping

  Hi,
  This link answers your question.
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
  aaa authori command is not reqd.
  Regards,
  ~JG
  Do rate helpful posts

• AAA and TACACS on everything BUT NOT console

  Would like to enable login authentication AND enable authentication on VTY but NOT console. Console should authenticate locally for both user and privilige modes ... I can't seem to seperate the 'enable' piece ... any thoughts?

  I do not think you can separate method list for
  the enable piece. I've asked Cisco about this
  in the past and they told me that it is not
  possible. You can have a different method list
  for the console for the "exec" mode but not
  the enable or privilege mode. It is either
  "tacacs" or "enable" or some other
  combinations but not a separate method list for "enable" by itself. Maybe cisco added
  this new feature in 12.4. I've my my testing
  on both 12.2T and 12.3T and, IMHO, it is not
  possible to separate the enable piece. Here
  is my config:
  username cisco password cisco
  enable secret cisco
  aaa authentication login notac local
  aaa authentication login VTY group tacacs+ local
  aaa authentication login web local enable
  aaa authentication enable default group tacacs+ enable
  aaa authorization console
  aaa authorization config-commands
  aaa authorization exec notac none
  aaa authorization exec VTY group tacacs+ if-authenticated none
  aaa authorization commands 0 VTY group tacacs+ if-authenticated none
  aaa authorization commands 1 VTY group tacacs+ if-authenticated none
  aaa authorization commands 15 VTY group tacacs+ if-authenticated none
  aaa authorization network VTY group tacacs+ if-authenticated none
  aaa accounting exec TAC start-stop group tacacs+
  aaa accounting exec VTY start-stop group tacacs+
  aaa accounting commands 0 TAC start-stop group tacacs+
  aaa accounting commands 0 VTY start-stop group tacacs+
  aaa accounting commands 1 TAC start-stop group tacacs+
  aaa accounting commands 1 VTY start-stop group tacacs+
  aaa accounting commands 10 TAC start-stop group tacacs+
  aaa accounting commands 15 TAC start-stop group tacacs+
  aaa accounting commands 15 VTY start-stop group tacacs+
  aaa accounting network VTY start-stop group tacacs+
  aaa accounting connection TAC start-stop group tacacs+
  aaa session-id common
  line con 0
  exec-timeout 0 0
  authorization exec notac
  accounting commands 0 VTY
  accounting commands 1 VTY
  accounting commands 15 VTY
  accounting exec VTY
  logging synchronous
  login authentication notac
  line vty 0 15
  exec-timeout 0 0
  authorization commands 0 VTY
  authorization commands 1 VTY
  authorization commands 15 VTY
  authorization exec VTY
  accounting commands 0 VTY
  accounting commands 1 VTY
  accounting commands 15 VTY
  accounting exec VTY
  login authentication VTY

• AAA & Privilege Levels on Console Session

  While configuring users with different privilege levels and using AAA, we've found that the privilege level when logging in via console port will always be level 1, whereas with telnet we're able to log in directly into levels 0 and 2 thru 15. Has anyone experienced this or have an explanation as to why this happens?
  TIA.

  Console port authorization was not added as a feature until Bug ID CSCdi82030 was implemented. Console port authorization is off by default to lessen the likelihood of accidentally being locked out of the router. If a user has physical access to the router via the console, console port authorization is not extremely effective. However, for images in which Bug ID CSCdi82030 has been implemented, console port authorization can be turned on under line con 0 with the hidden command aaa authorization console in config mode.
  If you turn on debug aaa authorization and log into console you will see there is no AAA kicked in.
  R/Yusuf

• Enable aaa accounting commands for all privilege levels?

  Here is the command's syntax:
  aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group groupname
  The "command" accounting type must include the privilege level of the commands you are logging. How do I log ALL commands?
  Take the following example:
  aaa accounting commands 15 default start-stop group mygroup
  If I issue this command will that mean commands the user executes that have a privilege level lower than 15 will not be logged? Or only commands that require exactly privilege level 15 will be logged?
  How can I log all commands regardless of privilege level?

  Hi Red,
  If you customize the command privilege level using the privilege command, you can limit which commands the appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.
  The default privilege level is 0. So if you don't specify any privilege level then all should be accounted for.
  You can find the command detail at. This is for ASA though.
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/a1.html#wp1535253
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.

• Levels, And Privileges In Detail

  I was wondering about two things in regaurds to the privileges, the first one being Conference Calls can someone explain in detail waht those are please? And the other question I have is in regaurd to Lounge Acess and MVP Meetups what are these? Thanks in avance!
  Reputation, status levels, and privileges
  When another community member marks your answer as helpful or solved, you receive reputation points. You can find any user's status level and points next to each post.
  As you collect more reputation points, your status level increases and you receive additional privileges.
  Status Level
  Points
  Privilege
  Level 1
  0-149
  Level 2
  150-499
  Report Post
  Level 3
  500-999
  Custom Avatar
  Level 4
  1,000-3,999
  Conference Calls
  Level 5
  4,000-7,999
  User Tips
  Level 6
  8,000-19,999
  Lounge Access, MVP Meetups
  Level 7
  20,000-34,999
  Level 8
  35,000-49,999
  Level 9
  50,000-79,999
  Level 10
  80,000+
  Best,
  Coander15

  Kappy provided my favorite answer to this question: apple points and priveleges

• AAA and TACACS servers

  Hello All,
  I want to download a free, yet reliable AAA and TACACS servers, can you guide me? Also, I need help with configuring them for study purpose.

  You may download the eval version ACS 4.2.0.124, if you've access to cisco.com
  ACS v4.2.0.124 90-Days Evaluation Software
  eval-ACS-4.2.0.124-SW.zip
  http://tools.cisco.com/squish/9B37e
  Path:
  Cisco.com > Downloads Home > Products > Cloud and Systems Management > Security and Identity Management
  > Cisco Secure Access Control Server Products > Cisco Secure Access Control Server for Windows > Cisco Secure ACS 4.2 for Windows > Secure Access Control Server (ACS) for Windows-4.2.0.124
  ~BR
  Jatin Katyal
  **Do rate helpful posts**