AAA Authorization named authorization list
Ladies and Gents,
Your help will be greatly appreciated – I am currently studying CCNP Switch AAA configuration and I work with a tacacs+ server at work, but I am having difficulty getting my head around the below.
Cisco.com extract below
When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named "default"). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, local authorization takes place by default.
My question is how do you define the Named Method List, i.e. the non-default method list?
I don't mean the cisco switch config but how the list is created; is this on the tacacs+ server and then referred to in the CLI?
Any help would be much appreciated as I have read over tons of documents and I can’t see how this is created
Thanks in advance
David
Hi David,
An example of a named AAA list might look something like this:
aaa authorization exec TacExec group AAASrv local
In the example above, I've created an AAA authorization list for controlling shell exec sessions called "TacExec", which will check the remote AAA servers in the group "AAASrv" first; if the device receives no response from the remote servers, it will then attempt to validate the credentials via the local user database. Please remember that a deny response from the AAA server is not the same as no response; the device will only check the local user database if and only if it receives nothing back from the TACACS query.
Of course, before you create this method list, you need to define the TACACS servers via the "tacacs-server" command, and then add those servers to the group via the "aaa group server" command.
Below is a cut and paste from the AAA section on one of my devices:
aaa new-model
ip tacacs source-interface
tacacs-server host 10.x.x.x key 7
tacacs-server host 10.x.x.y key 7
aaa group server tacacs+ TacSrvGrp
server 10.x.x.x
server 10.x.x.y
aaa authentication login default local
aaa authentication login TacLogin group TacSrvGrp local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default local
aaa authorization exec TacAuth group TacSrvGrp local
aaa authorization commands 0 default local
aaa authorization commands 0 TacCommands0 group TacSrvGrp local
aaa authorization commands 1 default local
aaa authorization commands 1 TacCommands1 group TacSrvGrp local
aaa authorization commands 15 default local
aaa authorization commands 15 TacCommands15 group TacSrvGrp local
aaa accounting exec default start-stop group TacSrvGrp
aaa accounting commands 15 default start-stop group TacSrvGrp
aaa session-id common
Notice that for the various authentication and authorization parameters, there is a named method list as well as a default method list. As per Cisco's documentation, an aaa method list called default (that you explicitly define) will apply to all input methods (con, aux, vty, etc.) unless you set a named method list on the particular input line (see below):
line con 0
exec-timeout 5 0
line aux 0
exec-timeout 5 0
line vty 0 4
exec-timeout 15 0
authorization commands 0 TacCommands0
authorization commands 1 TacCommands1
authorization commands 15 TacCommands15
authorization exec TacAuth
login authentication TacLogin
transport input ssh
For the console and aux inputs, I only ever want to use local credentials for AAA purposes (ie: If I have to connect on an out-of-band interface, something is potentially wrong with the network connectivity), however for the VTY lines (SSH sessions in this instance), I always want to use the TACACS servers first, with local user credentials as a fallback mechanism.
One thing you need to be VERY mindful of when configuring your devices for AAA is the order of the commands that are entered. It is a relatively simple matter to lock yourself out from the device management if you don't pay close attention to the specific order that the commands are entered. Typically, I will first do a "show user" just to find out which VTY line that I'm connected on, and when I assign the named AAA method lists to the VTY lines, I normally leave the line that I'm on at the default (local), then I open a second session to the device, authenticate using my TACACS credentials, and complete the config on the remaining VTY line.
Keep in mind that there are some other parameters that you can define at the tacacs-server level (timeout value is a good one to look at) which you can use to enhance the AAA performance somewhat.
Hope this helps!
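To make the selection and fallback rules in the answer concrete, here is an added Python model (not Cisco code, and not part of the original post) of how a line picks its method list and then walks it. The device, users, server replies and line bindings are constructed sample data that mirror the answer's configuration; the model assumes, as the answer states, that a deny from the server stops the walk while silence from the server moves on to the next method.

```python
"""Model of how IOS selects and walks an AAA authorization method list.

Added illustration for the answer above, not Cisco code. It follows the
behaviour the answer describes: a named list bound to a line overrides the
list called "default", "default" applies to every line without a binding,
a line with neither gets local authorization, and a later method in a list
is consulted only when the earlier one gave no response (a deny from the
server is final). The users, server replies and line bindings are
constructed sample data."""

from dataclasses import dataclass, field

PASS, FAIL, NO_RESPONSE = "PASS", "FAIL", "NO_RESPONSE"


@dataclass
class Device:
    # method lists per authorization type, e.g. {"exec": {"default": ["local"]}}
    method_lists: dict = field(default_factory=dict)
    # named lists bound per line, e.g. {"vty 0": {"exec": "TacAuth"}}
    line_bindings: dict = field(default_factory=dict)
    local_users: set = field(default_factory=set)
    # stand-in for the TACACS+ server group: user -> reply (absent = no response)
    server_replies: dict = field(default_factory=dict)

    def list_for(self, line, auth_type):
        """Pick the list a line uses: explicit binding, then 'default',
        then the implicit local fallback."""
        lists = self.method_lists.get(auth_type, {})
        name = self.line_bindings.get(line, {}).get(auth_type)
        if name in lists:
            return name, lists[name]
        if "default" in lists:
            return "default", lists["default"]
        return "(implicit local)", ["local"]

    def run_method(self, method, user):
        """Outcome of one method for one user."""
        if method.startswith("group "):
            return self.server_replies.get(user, NO_RESPONSE)
        if method == "local":
            return PASS if user in self.local_users else FAIL
        if method in ("if-authenticated", "none"):
            return PASS
        raise ValueError(f"unknown method {method!r}")

    def authorize(self, line, auth_type, user):
        """Walk the selected list. PASS or FAIL ends the walk; only
        NO_RESPONSE moves on to the next method. Returns (list name,
        result, trail of (method, outcome))."""
        name, methods = self.list_for(line, auth_type)
        trail = []
        for method in methods:
            outcome = self.run_method(method, user)
            trail.append((method, outcome))
            if outcome != NO_RESPONSE:
                return name, outcome, trail
        return name, FAIL, trail  # every method silent: request fails


def device_from_answer():
    """The exec-authorization part of the answer's configuration, with
    constructed users: alice (server permits), bob (server denies, and is
    also a local user), admin (local only, unknown to the server)."""
    dev = Device(local_users={"admin", "bob"},
                 server_replies={"alice": PASS, "bob": FAIL})
    dev.method_lists["exec"] = {
        "default": ["local"],
        "TacAuth": ["group TacSrvGrp", "local"],
    }
    for n in range(5):  # line vty 0 4 -> authorization exec TacAuth
        dev.line_bindings[f"vty {n}"] = {"exec": "TacAuth"}
    return dev  # con 0 and aux 0 have no binding, so they use "default"


if __name__ == "__main__":
    dev = device_from_answer()
    for line, user in [("vty 0", "alice"), ("vty 0", "bob"), ("vty 0", "admin"),
                       ("con 0", "alice"), ("con 0", "admin")]:
        print(line, user, dev.authorize(line, "exec", user))
```

The case worth studying is bob: the server denies him, and although he is also in the local database the walk stops after the first method, so the local entry never rescues him. The admin account shows the opposite path: the server has no record of him (no response), so the device moves on to local and succeeds. On the console, alice is refused because that line has no binding and therefore uses the local-only default list.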
Similar Messages
-
AAA issue ( command authorization failed)
I am getting the issue, and following is the script , cannot find and locate the cause of error !
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname hexxor
boot-start-marker
boot-end-marker
enable secret 5 $1$Y.Nt$aZ9/2rl2DMbEnSGJVqmln1
enable password 7 0525112F05411F075231123E
username hexxor password 7 024D2A103F26243363593D1C2B5C
aaa new-model
aaa authentication login T-AUTH group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
aaa accounting exec T-ACC start-stop group tacacs+
aaa accounting commands 15 T-ACC start-stop group tacacs+
interface Vlan1
no ip address
interface Vlan50
ip address 128.1.50.54 255.255.255.0
no ip route-cache
ip default-gateway 128.1.50.254
no ip http server
ip http secure-server
ip sla enable reaction-alerts
logging trap debugging
logging 10.241.40.20
logging 128.1.50.245
access-list 1 permit 128.1.50.245
snmp-server host 10.241.40.27 Armageddon
snmp-server host 128.1.50.245 Armageddon
tacacs-server host 10.241.40.22
tacacs-server host 10.241.40.23
tacacs-server directed-request
tacacs-server key 7 020813480E052F2E4D
line con 0
exec-timeout 5 0
password 7 1142374E2332201E2B3D1F210678
authorization commands 15 T-AUTHOR
authorization exec T-AUTHOR
accounting commands 15 T-ACC
accounting exec T-ACC
login authentication T-AUTH
transport preferred none
line vty 0 4
exec-timeout 5 0
password 7 06281801684358174E231727
authorization commands 15 T-AUTHOR
authorization exec T-AUTHOR
accounting commands 15 T-ACC
accounting exec T-ACC
login authentication T-AUTH
transport input telnet
transport output telnet
line vty 5 15
password 7 0228137B2F0B5E2F077A0C35
end
Based on what I think I understand in this reply it appears that the problem is caused in the named authorization method of T-AUTHOR. This named method sends an authorization request to the TACACS server. So it appears that the TACACS server is not authorizing the commands that you enter.
I would suggest this as a first test:
- login to the device.
- go into enable mode.
- attempt the show run command. (I assume that it will fail)
- check on the TACACS server. look in the logs for indications of how it processed the request and why it did not authorize it.
If you want to do a second test to verify the cause of the problem then I would suggest this:
- remove from the config these lines
aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
then login to the device, go into enable mode, attempt the show run command
Try one or both of these tests and post back to tell us of the results.
HTH
Rick -
Configuring aaa local command authorization
I am struggling a bit with how to configure aaa local command authorization; I am not finding any material for configuring it either. Please tell me how to configure aaa local command authorization, or possibly give me some useful links for that.
Hi,
For aaa authorization command sets, kindly refer to this link.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_command_reference_chapter09186a00800ca5d4.html
I hope this helps. Please rate this post.
cheers
Sachin -
My iPod is not syncing. I plug in the USB cable and it asks for ID and password. I enter these and it then asks if I want to authorize, don't authorize or cancel. I click authorize and it says syncing iPod, then it comes up that this computer is 2 of 5 that are authorized. However it is not updating any new playlists or purchased material. I don't want to click don't authorize as I'm afraid I will lose music.
Delete them from your library including files, then go to the iTunes Store and select "Purchased" from the Quick Links side bar on the right. Go through all the tabs to download again for free.
-
Where we check the authorization group & authorization object?
Hi all,
I have a standard program and tcode like FB03. Now I want to know the authorization group and authorization object, so where will we check?
help me.
thanks.
Vipin
Hi,
Use transaction SU21 & SU22 for Auth Objects & Class -
Convert named access list to line numbers
I printed out a document months ago which has since then disappeared into my mountains of paperwork. Somewhere in that document listed a command that converted an extended, named access list to one with line numbers. I even recall that you could input the line interval into the conversion process (so lines would be 5,10,15 etc or 10,20,30 etc).
I just upgraded a 6509, and I'm ready to put line numbers in my access list, and can't find the command - a new Cisco search is coming up empty. Can anyone recall what the command is?? Again, it's for converting an existing access-list with no line numbers to one with line numbers.
Thank you!
Hi Emily,
I guess this is what you are looking for. I have not tried it myself but would like to test it out.
1. enable
2. configure terminal
3. ip access-list resequence access-list-name starting-sequence-number increment
4. ip access-list {standard | extended} access-list-name
5. sequence-number permit source source-wildcard
or
sequence-number permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
6. sequence-number deny source source-wildcard
or
sequence-number deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
7. Repeat Step 5 and/or Step 6 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
8. end
9. show ip access-lists access-list-name
This link should help :
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a0080134a60.html
regards,
-amit singh -
ASDM versus CLI - named access-list etc
I'm a CLI junkie now using ASDM v5.2(3) on ASA55x0. Where are the named access-lists I'm used to working with in PIX 6.3(x) CLI? I want to continue to create my named access-lists so I and my colleagues can continue to use our standard templates for configuration tasks. I'm not interested in the ones created automatically such as "access-list in_out-back_forth-UpDown-interfaceSomeWhere0.1". These only confuse my staff when trying to complete config tasks.
Adam - yes you are correct - strange that they have to be accessed via Split Tunnel Network List, but so be it. I can now create a named ACL with our standardized names, but how do I reference it by name later when applying to some policy?
Typically one might have:
access-list AllowInbound
permit icmp any interface outside echo-reply
permit icmp any interface outside unreachable
permit icmp any interface outside time-exceeded
access-group AllowInbound in interface outside
Thx - Phil -
I have tried on 2 routers, an 1803 and a 2600, to use a named access list by typing access-list "extended" name; it will not let me type this in. Is there any reason why it won't let me do this?
Carl,
The command is
(config)#ip access-list extended [word] -
Authorization to save lists in local files
Hi,
How do I authorize a user to download (with the right-click menu or Shift + F8) to save a list in a local file?
Thanks in advance
Best regards,
hm.
try object:
S_DATASET
with values
PROGRAM=SAPLSWT1
ACTVT=34
FILENAME=*
Edited by: Mylene Euridice Dorias on Sep 30, 2009 1:36 PM
When trying to download to Excel, an additional object occurred: S_GUI with activity 04, 60 and 61 -
AAA authentication and authorization question
Hi Everyone,
I have a situation that is driving me crazy.
I am using Cisco Freeware TACACS running on RedHat Enterprise Linux 3. I've modified the source code so that I can assign each individual user his/her own enable password. So far so good.
I create two groups: group_A and group_S. group_A is for advanced users and group_S is for super users. Users that belong to group_A can have privilege level 15 but there are certain commands that they can not perform such as "write mem" or "reload". Users that belong to group_S can do EVERYTHING.
Here is my configuration on the TACACS configuration file:
user = xyz {
    member = admin
    name = "User X"
    login = des 6.z8oIm9UGHo
}
user = $xyz$ {
    member = admin
    name = "User X"
    login = des c2bUC43cmsac.
}
user = abc {
    member = advanced
    name = "User abc"
    login = cleartext "cisco123"
}
user = $abc$ {
    member = advanced
    name = "User abc"
    login = cleartext "cisco123"
}
group = advanced {
    default service = deny
    cmd = show { permit .* }
    cmd = copy { permit flash }
    cmd = copy { permit running }
    cmd = ping { permit .* }
    cmd = configure { permit .* }
    cmd = enable { permit .* }
    cmd = disable { permit .* }
    cmd = telnet { permit .* }
    cmd = disconnect { permit .* }
    cmd = where { permit .* }
    cmd = set { permit .* }
    cmd = clear { permit line }
    cmd = exit { permit .* }
}
group = admin {
    default service = permit
}
configuration of the router:
aaa new-model
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication login web local enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec TAC start-stop group tacacs+
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 TAC start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 TAC start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 10 TAC start-stop group tacacs+
aaa accounting commands 15 TAC start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa session-id common
line vty 0 15
exec-timeout 0 0
authorization commands 0 VTY
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication VTY
However, what I would like to do is to assign users in group_A the ability to go into "configuration t" but I do NOT want them to have the ability to perform "no tacacs-server host x.x.x.x key cisco". Furthermore, I would like to do everything via TACACS; I don't want to configure "privilege level" on the router itself.
Is that possible? Thanks.
David
Command Authorization Sets?
Command authorization sets provide a centralized mechanism to manage TACACS+ administrative control. Driven by some of the largest enterprise and service provider networks that use Cisco Secure ACS, command authorization sets provide a method to group and name device command profiles that can be paired with users, groups of users, or network device groups. A key benefit of command authorization sets is the ability to remove any requirement of individual privilege level or command restrictions on each AAA client. This feature greatly enhances the scalability and manageability of setting device command authorization restrictions for network administrators.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_note09186a00800ada4c.html -
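The question above turns on how the server decides a command, so here is an added Python evaluator (not tac_plus or Cisco code, and not part of the original thread) for a policy written in the style of the posted group stanzas. The matching rules it implements are a simplified model and are assumptions, not taken from the page: the command's first word selects a cmd block; the remaining words are tested, in order, against that block's permit/deny regexes with an unanchored search, and the first match decides; a block where nothing matches denies; a command with no block gets the group's default service. The "advanced" group is built from the posted config and extended with a hypothetical "no" block to show how a single config-mode command can be refused while "configure" itself stays permitted. Config-mode commands reach the server at all only because the router in the thread has aaa authorization config-commands.

```python
"""Simplified evaluator for a tac_plus-style command-authorization policy.

Added example for the thread above, not tac_plus or Cisco code. Modelled
rules (assumptions): the command's first word selects a cmd block; the
remaining words are tested in order against the block's permit/deny regexes
with an unanchored search and the first match decides; a block where
nothing matches denies; a command with no block gets 'default service'.
The 'no' block is a hypothetical addition to the posted 'advanced' group."""

import re
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    default_service: str = "deny"             # fate of commands with no cmd block
    cmds: dict = field(default_factory=dict)  # cmd word -> [(verdict, regex), ...]

    def cmd(self, word, *rules):
        """Append (verdict, regex) rules for one command word."""
        self.cmds.setdefault(word, []).extend(rules)
        return self

    def authorize(self, command):
        """True if the group permits the command, False if it denies it."""
        word, _, args = command.strip().partition(" ")
        rules = self.cmds.get(word)
        if rules is None:
            return self.default_service == "permit"
        for verdict, pattern in rules:
            if re.search(pattern, args):  # unanchored search (model assumption)
                return verdict == "permit"
        return False  # nothing in the block matched


def advanced_group():
    """group = advanced from the post (default service = deny), plus the
    hypothetical 'no' block."""
    g = Group("advanced", "deny")
    for word in ("show", "ping", "configure", "enable", "disable", "telnet",
                 "disconnect", "where", "set", "exit"):
        g.cmd(word, ("permit", ".*"))
    g.cmd("copy", ("permit", "flash"), ("permit", "running"))
    g.cmd("clear", ("permit", "line"))
    # hypothetical addition: refuse removing TACACS servers, allow other 'no' forms
    g.cmd("no", ("deny", r"^tacacs-server"), ("permit", ".*"))
    return g


def admin_group():
    """group = admin from the post: everything permitted."""
    return Group("admin", "permit")


if __name__ == "__main__":
    for c in ("show running-config", "configure terminal", "write memory",
              "no tacacs-server host 192.0.2.10 key cisco", "no shutdown"):
        print(f"{c!r:50} -> {'permit' if advanced_group().authorize(c) else 'deny'}")
```

Two details matter for the poster's goal. "write memory" and "reload" are refused purely by default service = deny, since no block names them, while "configure terminal" passes through the configure block's permit .*. The IP address in the sample command is a constructed documentation address, not one from the thread.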
Delete authorization for distribution list
Hi,
In our system all the distribution lists were suddenly deleted and they were in the shared trash folder,
so we retrieved them from the folder.
To restrict the delete authorization of users for distribution lists, in the object S_OC_ROLE the field OFFADMI 'Administrator' has been changed to ' '. But then they were not able to create the distribution list in the shared folder; they are able to create only in their private folder.
Is there any way to restrict the delete authorization alone?
Thanks,
Suganya
Hi Stef,
Please try to add this authorisation object manually: F_BKPF_BUK, the authorisation object for company code.
In the field BUKRS you can maintain the company code as required for the users.
I hope this may help you in resolving the issue.
Thanks
Karthick -
Authorization relevant objects list
Hello BI experts,
I need to find out the authorization-relevant InfoObjects in the system. How can I do it? Is there a table where I can find this data, or any transaction?
Thanks in advance
BWer
Hi BWER,
You want to see the authorisation-relevant objects for a particular system, right?
1. Go to transaction code RSSM.
2. Click the radio button "Authorizations for several users"; there you have to enter your log-in ID name.
3. On the right-hand side there is a spectacles symbol for display; click on it.
It will show you all authorisation InfoObjects for you.
Thanks & Regards,
kiran -
Customizing authorization in task list
I have some issue to configure the task list (tx SCMA) because the system landscape is maintained by two different administrator teams ( one for dev and qualification system and another for the production )
I'd like to have two different views on the same task list: one has access to all systems and the other one to the production system only.
Is it possible?
It looks like the fields Project Manager and Approver Manager are Person type fields. These fields are not listed in List validation column settings. An alternative for you is to override the SharePoint JavaScript function "PreSaveAction". You can use JavaScript code to compare the values in these two fields and perform validation.
Blog | SharePoint Learnings CodePlex Tools |
Export Version History To Excel |
Autocomplete Lookup Field -
HR Authorization : Custom Authorization Object for P_ORGIN
Hi,
I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
Everything looks fine, but when I execute the transaction the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
We've run the report RPUACG00 also which is mentioned in this thread.
We also coded the authority check code in both user exits ZXPADU01 and ZXPADU02 for PA infotype operations,
but still it is taking the P_ORGIN object.
Online Help:
P_NNNNNCON (HR Master Data: Customer-Specific Authorization Object with Context): http://help.sap.com/saphelp_erp2005vp/helpdata/en/d9/64141c0774194593da29f3cb813f1b/frameset.htm -
Running ADE 2.0.1.78765 on Windows 7 Pro ...
I can download ePUB and PDF files from my university library just fine; EPUB books work just fine, but the PDF files are completely blank EXCEPT for the contents list.
The files are, by their size, clearly not blank ... there must be some security feature stopping me from reading them.
Also, when I click Authorize Computer or Authorization Info. nothing happens.
Same as when I press Ctrl+Shift+U or Ctrl+Shift+I.
Help!!!
Thanks for those tips.
I have downloaded and installed the latest version and chosen to 'authorize' an Adobe ID.
Behaviour remains the same. The ePUB version of the book downloads and works just fine; the PDF downloads and is blank aside from the contents pane.
The reason I want the PDF to work is because it is paginated as per the hard copy book; the ePUB's pagination is variable and so useless for referencing.
I see a lot of people have similar issues, invariably unsolved, so yet another pothole on the great Information Super Highway! Sigh.