Aaa authorization ACA4.1

Similar Messages

• AAA Authorization with RADIUS and RSA SecurID Authentication Manager

  Hi there.
  I am in the process of implementing a new RSA SecurID deployment, and unfortunately the bulk of the IOS devices here do not support native SecurID (SDI) protocol. With the older RSA SecurID deployment version, it supported TACACS running on the system, now in 8.x it does not.  Myself, along with RSA Support, are having problems getting TACACS working correctly with the new RSA Deployment, so the idea turned to possibly just using RADIUS
  I have setup the RADIUS server-host, and configured the AAA authentication and authorization commands as follows:
  #aaa new-model
  #radius-server host 1.1.1.1 timeout 10 retransmit 3 key cisco123!
  #aaa authentication login default group radius enable
  #aaa authorization exec default group radius local
  I have also tried
  #aaa authorization exec default group radius if-authenticated local
  I can successfully authenticate via SSH to User Mode using my SecurID passcode -- however, when I go to enter Priv Exec mode, it wont take the SecurID passcode - I just get an "access denied"
  I've ran tcpdump on the RSA Primary Instance, looking for 1645/1646 traffic, and I dont get anything
  I've turned on RADIUS debugging on the IOS device, and I dont get anything either
  I did see this disclaimer in a Cisco doc: "The RADIUS method does not work on a per-username basis."  -- not sure if this is related to my issue?
  I'm beginning to wonder if IOS/AAA cant pass authorization-exec process to RSA SecurID

  I don't have a solution, but can confirm I have the same problem and am also trying to find a solution.
  I see no data sent to the RSA server when using the wireless AP. With other equipment on the same ACS, I do see the attempts going to the RSA server.
  The first reply doesn't seem to apply to me, since it's not sending a request from the ACS machine to the RSA machine.

• AAA Authorization named authorization list

  Ladies and Gents,
  Your help will be greatly appreciated – I am currently studying CCNP Switch AAA configuration and I work with a tacacs+ server at work butI having difficulty getting my head around the below
  Cisco.com extract below
  When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
  Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named "default"). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, local authorization takes place by default.
  My question is how do you define the Named Method List i.e. the none-default method list?
  I don't mean the cisco switch config but how the list is created, is this on the tacacs+ server and the referred to in the CLI?
  Any help would be much appreciated as I have read over tons of documents and I can’t see how this is created
  Thanks in advance
  David

  Hi David,
  An example of a named AAA list might look something like this:
  aaa authorization exec TacExec group AAASrv local
  In the example above, I've created a AAA authorization list for controlling shell exec sessions called "TacExec", which will check the remote AAA servers in the group "AAASrv" first; if the device receives no response from the remote servers, it will then atempt to validate the credentials via the local user database. Please remember that a deny response from the AAA server is not the same as no reposonse, the device will only check the local user database if an only if it recieves nothing back from the TACACS query.
  Of course, before you create this method list, you need to define the TACACS servers via the "tacacs-server" command, and then add those servers to the group via the "aaa group server" command.
  Below is a cut and paste from the AAA section on one of my devices:
  aaa new-model
  ip tacacs source-interface
  tacacs-server host 10.x.x.x key 7
  tacacs-server host 10.x.x.y key 7
  aaa group server tacacs+ TacSrvGrp
  server 10.x.x.x
  server 10.x.x.y
  aaa authentication login default local
  aaa authentication login TacLogin group TacSrvGrp local
  aaa authorization console
  aaa authorization config-commands
  aaa authorization exec default local
  aaa authorization exec TacAuth group TacSrvGrp local
  aaa authorization commands 0 default local
  aaa authorization commands 0 TacCommands0 group TacSrvGrp local
  aaa authorization commands 1 default local
  aaa authorization commands 1 TacCommands1 group TacSrvGrp local
  aaa authorization commands 15 default local
  aaa authorization commands 15 TacCommands15 group TacSrvGrp local
  aaa accounting exec default start-stop group TacSrvGrp
  aaa accounting commands 15 default start-stop group TacSrvGrp
  aaa session-id common
  Notice that for the various authentication and authorization parameters, there is a named method list as well as a default method list. As per Cisco's documentation, a aaa method list called default (that you explicitly define) will apply to all input methods (con, aux, vty, etc) unless you set a named method list on the particular input line (see below):
  line con 0
  exec-timeout 5 0
  line aux 0
  exec-timeout 5 0
  line vty 0 4
  exec-timeout 15 0
  authorization commands 0 TacCommands0
  authorization commands 1 TacCommands1
  authorization commands 15 TacCommands15
  authorization exec TacAuth
  login authentication TacLogin
  transport input ssh
  For the console and aux inputs, I only ever want to use local credentials for AAA purposes (ie: If I have to connect on an out-of-band interface, something is potentially wrong with the network connectivity), however for the VTY lines (SSH sessions in this instance), I always want to use the TACACS servers first, with local user credentials as a fallback mechanism.
  One thing you need to be VERY mindful of when configuring your devices for AAA is the order of the commands that are entered. It is a relatively simple matter to lock yourself out from the device management if you don't pay close attention to the specific order that the commands are entered. Typically, I will first do a "show user" just to find out which VTY line that I'm connected on, and when I assign the named AAA method lists to the VTY lines, I normally leave the line that I'm on at the default (local), then I open a second session to the device, authenticate using my TACACS credentials, and complete the config on the remaining VTY line.
  Keep in mind that there are some other parameters that you can define at the tacacs-server level (timeout value is a good one to look at) which you can use to enhance the AAA performance somewhat.
  Hope this helps!

• AAA Authorization Using Local Database

  Hi Guys,
  I'm planning to use AAA authorization using local database. I have read already about it, I have configured the AAA new-model command and I have setup user's already. But I'm stuck at the part where I will already give certain user access to certain commands using local database. Hope you can help on this.
  FYI: I know using ACS/TACACS+/RADIUS is much more easy and powerful but my company will most likely only use local database.

  For allowing limited read only access , use this example,
  We need these commands on the switch
  Switch(config)#do sh run | in priv
  username admin privilege 15 password 0 cisco123!
  username test privilege 0 password 0 cisco
  privilege exec level 0 show ip interface brief
  privilege exec level 0 show ip interface
  privilege exec level 0 show interface
  privilege exec level 0 show switch
  No need for user to login to enable mode. All priv 0 commands are now there in the user mode. See below
  User Access Verification
  Username: test
  Password:
  Switch>show ?
  diagnostic Show command for diagnostic
  flash1: display information about flash1: file system
  flash: display information about flash: file system
  interfaces Interface status and configuration
  ip IP information
  switch show information about the stack ring
  Switch>show switch
  Switch/Stack Mac Address : 0015.f9c1.ca80
  H/W Current
  Switch# Role Mac Address Priority Version State
  *1 Master 0015.f9c1.ca80 1 0 Ready
  Switch>show run
  ^
  % Invalid input detected at '^' marker.
  Switch>show aaa server
  ^
  % Invalid input detected at '^' marker.
  Switch>show inter
  Switch>show interfaces
  Vlan1 is up, line protocol is up
  Hardware is EtherSVI, address is 0015.f9c1.cac0 (bia 0015.f9c1.cac0)
  Internet address is 192.168.26.3/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
  reliability 255/255, txload 1/255, rxload 1/255
  Switch>
  Please check this link,
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
  Regards,
  ~JG
  Do rate helpful posts

• Command execution get very slow when AAA Authorization enable on ASR 1006

  Without Authorization , I am able work smoothly with just click on ASR ...., But Once I enable Authorization it takes many secs to move to other command exampe ( If i hit config t or int gi1/0/1 , it   take time to move to next command level) ...
  These Authorization issue I am facing only on ASR and for Other Cisco Switches and Router its working fine wiith just a click.
  Did any one face such issue , and how it is fix ...
  See the Show version for ASR
  Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.1(2)S, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2011 by Cisco Systems, Inc.
  Compiled Thu 24-Mar-11 23:32 by mcpre
  Cisco IOS-XE software, Copyright (c) 2005-2011 by cisco Systems, Inc.
  All rights reserved.  Certain components of Cisco IOS-XE software are
  licensed under the GNU General Public License ("GPL") Version 2.0.  The
  software code licensed under GPL Version 2.0 is free software that comes
  with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
  GPL code under the terms of GPL Version 2.0.  For more details, see the
  documentation or "License Notice" file accompanying the IOS-XE software,
  or the applicable URL provided on the flyer accompanying the IOS-XE
  software.
  ROM: IOS-XE ROMMON
  NOITDCRTRCORP01 uptime is 10 weeks, 6 days, 1 hour, 16 minutes
  Uptime for this control processor is 10 weeks, 6 days, 1 hour, 19 minutes
  System returned to ROM by reload
  System restarted at 17:47:32 IST Thu Oct 4 2012
  System image file is "bootflash:/asr1000rp1-advipservicesk9.03.03.00.S.151-2.S.bin"
  Last reload reason: EHSA standby down
  AAA Commands on ASR 1006
  aaa new-model
  aaa group server tacacs+ tacgroup
  server 10.48.128.10
  server 10.72.160.10
  ip vrf forwarding Mgmt-intf
  ip tacacs source-interface GigabitEthernet0
  aaa authentication login default group tacgroup local
  aaa authentication enable default group tacgroup enable
  aaa accounting exec default start-stop group tacgroup
  aaa accounting commands 1 default start-stop group tacgroup
  aaa accounting commands 15 default start-stop group tacgroup
  aaa accounting connection default start-stop group tacgroup
  aaa accounting system default start-stop group tacgroup
  aaa authorization commands 0 default group tacgroup none
  aaa authorization commands 1 default group tacgroup none
  aaa authorization commands 15 default group tacgroup none
  aaa session-id common
  tacacs-server host 10.48.128.10 key 7 13351601181B0B382F04796166
  tacacs-server key 7 053B071C325B411B1D25464058

  I think your issue maybe related to your tacacs server. If you  re-order the two servers (typically a 5 second timer before failover  occurs) and see if that improves your performance:
  You  can try to debug the issue by referring to the command reference  guide....i.e. debug tacacs...you can also try to telnet to both ip  address to port 49 to see if the connection opens, in order to rule out  issues where a firewall or routing to one of the tacacs servers is  failing. I also noticed you have the shared secret and tacacs server  defined for one of the servers, is the sam present for the other server  that is in the server group?
  server 10.48.128.10
  server 10.72.160.10
  to
  server 10.72.160.10
  server 10.48.128.10
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Aaa authorization is confusing

  hi...this command make me mess for many times :(. is it true aaa authorization can return acl and time for user? how aaa authorization know what user will be associated in case aaa authentication is aaa authentication login default local? for make it more complete...is aaa authorization only work with tacacs? tx a lot ;)

  Hi,
  If the tacacs server fails to respond, then local network authorization will be performed.
  Assuming this command: aaa authorization network test tacacs local.
  Keep in mind that only a limited set of functions can be controlled via the local database.
  HTH
  Regards,
  Bjornarsb

• Aaa authorization console

  Hi,
  i have the following config :
  aaa new-model
  aaa authentication login NO_LOGIN none
  aaa authentication login ADMINS group radius local
  aaa authentication login CONSOLE group radius local
  aaa authorization exec NO_AUTHOR none
  aaa authorization exec ADMINS group radius local
  aaa authorization exec CONSOLE group radius local
  enable secret cisco
  username cisco privilage 15 secret cisco
  line con 0
  password 7 05080F1C2243
  authorization exec CONSOLE
  login authentication CONSOLE
  line vty 0 4
  password 7 045802150C2E0C
  authorization exec ADMINS
  logging synchronous
  login authentication ADMINS
  line vty 5 15
  password 7 060506324F41
  authorization exec ADMINS
  logging synchronous
  login authentication ADMINS
  When i am tryin gto login to the switch from vty line i come directly to privillage mode, but when loging to console port i come to the exec mode (privilage 1) and i cant go further to the user privillage mode . each time i have to type a password (i type the enable one) and my access is denied.
  when issuing the command # aaa authorization console   (using telnet from other switch)
  the problem is solved.
  Can someone please explain why is this happening? i think after logging in with local account (with privillage 15) from console port i should get directly to privilage mode, or am i wrong ?

  aaa authorization console is a hidden command. We have to execute this command to enable authorization for console line. If you create a method list "aaa authorization exec CONSOLE group radius local" for console and try to apply it on line console 0, it will throw an error that without "aaa authorization console" all authorization commands for console is useless. You have to first enable authorization for console with the help of aaa authorization console.
  command refrence
  http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfauth.html#wp1024046
  Jatin Katyal
  - Do rate helpful posts -

• FWSM - AAA Authorization

  How to map this command from IOS to FWSM ?
  I want user when login and authenticated, it right way go direct to exec mode. No problem at IOS but , not sure how to configure it on FWSM or PIX Firewall.
  aaa authentication enable default enable none
  aaa authorization exec default group tacacs+ if-authenticated

  The configuration on the FWSM for AAA will be same as would be on a normal PIX. The documents have more details about the same.
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/mngacl.htm
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmdqref.htm
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm

• AAA authorization and accounting

  Hello everyone.
  I am given a project to implement AAA on routers and switches in our environment. Can some one please help me out in understanding the difference between,
  1) aaa authorization exec and aaa authorization command option.
  2) aaa accounting exec and aaa accounting command option.
  Many thanks.
  Sent from Cisco Technical Support Android App

  Hello,
  1) aaa authorization exec and aaa authorization command option.
  The first one authorizes if the user has the right privilege level to enter to one of the IOS priviliege levels (0,1,15) you can customize this.
  The second one authorizes the different commands a user can type and send to the device
  2) aaa accounting exec and aaa accounting command option.
  The first one again accounts when a users enters a specific user-level (Privileged level 15 or Exec user-level 1)
  Second one sends an accounting message per each command send to the box
  Check my blog at http:laguiadelnetworking.com for further information.
  Cheers,
  Julio Carvajal Segura

• Aaa authorization with Tacacs+

  Hello All,
  I am trying to figure out how aaa authorization with tacacs+ works.
  I am totally comfortable with aaa authentication..But am not able to understand how it works...How diff priv levels are assigned to diff users?..
  I am totally freaked out...

  The device side side setup is pretty simple. You just use the aaa authorization command set. A good bit of the setup is on the ACS server end.
  Cisco has a pretty thorough configuration example posted here.

• AAA Authorization on PIX

  I have set up authentication and Authorization on the PIX. Authentication works but Authorization fails. I try to debug but nothing shows up (on PIX or ACS), but it does if I debug Authentication

  Make sure you have enable authentication ,
  aaa authentication ssh console TACACS LOCAL
  aaa authentication telnet console TACACS LOCAL
  aaa authentication enable console TACACS LOCAL
  aaa authorization command TACACS LOCAL
  Incase it does not work pls get aaa config
  Regards,
  ~JG
  Do rate helpful posts

• Cisco 4948 issue 122-46.SG on AAA authorization

  I have faced a problem regarding AAA line:
  aaa authorization exec default group tacacs+ local
  if i add this line in my cisco 4948 switch running on 122-46.SG..  The next time i telnet to the switch i get an automatic restart of the switch and all configs are lost.
  IOS used:
  cat4500-ipbase-mz.122-46.SG.bin
  WS-C4948-10GE

  I think it is better to move the thread to the swtiching part. They may help you better.

• Aaa authorization config-commands

  Hello,
  Can anybody explain what is the purpose of this command. I studied the documentation (command reference) but unable to clearly understand the purpose of this command.
  Thanks in advance,
  Regards,
  Mo

  This was the best desciption of this command I could find on cisco's site. It sounds to me like if you use the no form of this command you will not be able to use any configuration commands.
  Cisco:
  Usage Guidelines
  If the aaa authorization commands level method command is enabled, all commands, including configuration commands, are authorized by authentication, authorization, and accounting (AAA) using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using the no aaa authorization config-commands command stops the network access server from attempting configuration command authorization.
  After the no form of this command has been entered, AAA authorization of configuration commands is completely disabled. Care should be taken before entering the no form of this command because it potentially reduces the amount of administrative control on configuration commands.
  Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization commands level method command.
  Note You will get the same result if you (1) do not configure this command, or (2) configure no aaa authorization config-commands.
  The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:
  aaa new-model
  aaa authorization command 15 group tacacs+ none
  no aaa authorization config-commands
  http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017cf16.html#wp1086510

• AAA Authorization

  Im trying to configure AAA authentication using username xxxxx privililege 15 password xxxx. I would like it so users with privilege level 15 go straight to enable mode and users with prvilege level 1 will go straight to router> read only. Currently the conly commands I have typed in are username
  xxx privilege 15 password xxxx
  AAA new-model
  Do I need to configure anything else. I tried to put privilege level under int vty but then all users go to privilege mode. I only want to use AAA I do not want to have3 to setup a teacs or radius server. Thanks in advance.

  To use privilege levels you need to define authorization as well as authentication. The following should do the trick for you:
  username glenn privilege 15 password 0 cisco
  username fred privilege 1 password 0 cisco
  aaa new-model
  aaa authentication login default local
  aaa authorization exec default local
  Now if I login:
  > telnet 10.66.79.100
  User Access Verification
  Username: glenn
  Password:
  Router#sho priv
  Current privilege level is 15
  Router#q
  >
  >
  > telnet 10.66.79.100
  User Access Verification
  Username: fred
  Password:
  Router>sho priv
  Current privilege level is 1
  Router>q

• AAA Authorization help

  I have configured authentication for the outside users to connect to my servers using the following sample acl
  access-list 110 permit tcp any host 10.10.10.3 eq http
  access-list 110 permit tcp any host 10.10.10.4 eq http
  access-list 110 permit tcp any host 10.10.10.5 eq http
  aaa authentication match 110 outside TACACS+
  Now for authorizing them do i have to create another set of acls or can i just use the existing acls and write
  aaa authorization match 110 outside TACACS+
  Is there anything else i should do on the AAA-Server for authorization?
  Thanks
  Jason

  Hi Jason,
  You can use the same ACL for authorization. You will not have to do anything on ACS unless you need to push ACLs for the user.
  Regards,
  Vivek