Cisco 4948 issue 122-46.SG on AAA authorization
I have faced a problem regarding AAA line:
aaa authorization exec default group tacacs+ local
If I add this line on my Cisco 4948 switch running 122-46.SG, the next time I telnet to the switch I get an automatic restart of the switch and all configs are lost.
IOS used:
cat4500-ipbase-mz.122-46.SG.bin
WS-C4948-10GE
I think it is better to move the thread to the switching part. They may help you better.
Similar Messages
Hi All,
I've got an issue when adding a device to ACS. When I try to log in to the device after adding it to the ACS, it doesn't prompt me to enter my tacacs username and password; instead it prompts me to enter the tacacs username/password details when I try to get into enable mode. Also, once I am in enable mode, I can't execute any commands, as shown below:
Router01#debug aaa authentication
Command authorization failed.
^
% Invalid input detected at '^' marker.
Router01#sh run
Command authorization failed.
% Incomplete command.
The aaa config is as listed below:
aaa authentication login default group TACACS-GROUP enable
aaa authentication enable default group TACACS-GROUP enable
aaa authentication ppp default local
aaa authorization commands 1 default group TACACS-GROUP if-authenticated
aaa authorization commands 15 default group TACACS-GROUP if-authenticated
aaa accounting commands 1 default start-stop group TACACS-GROUP
aaa accounting commands 15 default start-stop group TACACS-GROUP
Everything works fine once I remove the device from ACS. How do I get over this issue? Any advice would be much appreciated.
Regards,
PVPV,
The reason you are not able to issue any command is because you have command authorization enabled on the router.
It seems that you don't want that. You need to remove these commands,
no aaa authorization commands 1 default group TACACS-GROUP if-authenticated
no aaa authorization commands 15 default group TACACS-GROUP if-authenticated
These commands are used to authorize which commands a user can issue.
Please see this link; it explains setting up command authorization using ACS:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
Regards,
~JG
We have one Cisco 4948 switch; on that switch the last 4 ports (45, 46, 47, 48) are not coming up. We tried the no shut command but they are not showing up, and in sh inventory raw data the SFP ports are not showing.
Please help me get a solution for these ports.
Please reply ASAP.
Hi,
First of all, set your switch to factory default settings.
Then reboot the switch and give the command "show vlan brief".
If these 4 ports still don't display, then it means these 4 ports are damaged on the board.
If you need any further technical assistance or require Network Services, feel free to contact me at my Skype ID. My Skype ID: steve.odsi
No "list-name" option available for aaa authorization command.
I have a 1721 router running 122-15.T14 and want to implement authorization but the router does not provide command option for list name.
I want to implement the following command:
"aaa authorization network groupauthor group radius"
but the only option is default after "network".
Router#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-K9SY7-M), Version 12.2(15)T14, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Fri 27-Aug-04 23:26 by cmong
Image text-base: 0x80008120, data-base: 0x80F731A0
ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)
ROM: C1700 Software (C1700-K9SY7-M), Version 12.2(15)T14, RELEASE SOFTWARE (fc4)
Router uptime is 5 minutes
System returned to ROM by reload
System image file is "flash:c1700-k9sy7-mz.122-15.T14.bin"
cisco 1721 (MPC860P) processor (revision 0x400) with 56844K/8692K bytes of memory.
Processor board ID FOC08302CF6 (610086355), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
2 Serial(sync/async) network interface(s)
32K bytes of non-volatile configuration memory.
32768K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Router(config)#aaa authorization network ?
default The default authorization list.
Router(config)#aaa authorization network
I think that your issue is version related. I have a customer who is running a bunch of 1721 routers and when I do aaa authorization network ?
I get both default and the option to name a list.
I checked with the Software Advisor on CCO and it looks to me like the named-list feature was added in 12.3. As long as you are running 12.2 I do not think you will have the option for a named-list for network authorization.
HTH
Rick
AAA Authorization with RADIUS and RSA SecurID Authentication Manager
Hi there.
I am in the process of implementing a new RSA SecurID deployment, and unfortunately the bulk of the IOS devices here do not support the native SecurID (SDI) protocol. The older RSA SecurID deployment version supported TACACS running on the system; now in 8.x it does not. RSA Support and I are having problems getting TACACS working correctly with the new RSA deployment, so the idea turned to possibly just using RADIUS.
I have setup the RADIUS server-host, and configured the AAA authentication and authorization commands as follows:
#aaa new-model
#radius-server host 1.1.1.1 timeout 10 retransmit 3 key cisco123!
#aaa authentication login default group radius enable
#aaa authorization exec default group radius local
I have also tried
#aaa authorization exec default group radius if-authenticated local
I can successfully authenticate via SSH to user mode using my SecurID passcode; however, when I go to enter priv exec mode, it won't take the SecurID passcode. I just get an "access denied".
I've run tcpdump on the RSA Primary Instance, looking for 1645/1646 traffic, and I don't get anything.
I've turned on RADIUS debugging on the IOS device, and I don't get anything either.
I did see this disclaimer in a Cisco doc: "The RADIUS method does not work on a per-username basis." -- not sure if this is related to my issue?
I'm beginning to wonder if IOS/AAA can't pass the authorization-exec process to RSA SecurID.
I don't have a solution, but can confirm I have the same problem and am also trying to find a solution.
I see no data sent to the RSA server when using the wireless AP. With other equipment on the same ACS, I do see the attempts going to the RSA server.
The first reply doesn't seem to apply to me, since it's not sending a request from the ACS machine to the RSA machine.
AAA Authorization named authorization list
Ladies and Gents,
Your help will be greatly appreciated – I am currently studying CCNP Switch AAA configuration and I work with a tacacs+ server at work, but I am having difficulty getting my head around the below.
Cisco.com extract below
When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named "default"). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, local authorization takes place by default.
My question is how do you define the Named Method List, i.e. the non-default method list?
I don't mean the cisco switch config but how the list is created, is this on the tacacs+ server and the referred to in the CLI?
Any help would be much appreciated as I have read over tons of documents and I can’t see how this is created
Thanks in advance
David
Hi David,
An example of a named AAA list might look something like this:
aaa authorization exec TacExec group AAASrv local
In the example above, I've created an AAA authorization list for controlling shell exec sessions called "TacExec", which will check the remote AAA servers in the group "AAASrv" first; if the device receives no response from the remote servers, it will then attempt to validate the credentials via the local user database. Please remember that a deny response from the AAA server is not the same as no response: the device will only check the local user database if and only if it receives nothing back from the TACACS query.
Of course, before you create this method list, you need to define the TACACS servers via the "tacacs-server" command, and then add those servers to the group via the "aaa group server" command.
Below is a cut and paste from the AAA section on one of my devices:
aaa new-model
ip tacacs source-interface
tacacs-server host 10.x.x.x key 7
tacacs-server host 10.x.x.y key 7
aaa group server tacacs+ TacSrvGrp
server 10.x.x.x
server 10.x.x.y
aaa authentication login default local
aaa authentication login TacLogin group TacSrvGrp local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default local
aaa authorization exec TacAuth group TacSrvGrp local
aaa authorization commands 0 default local
aaa authorization commands 0 TacCommands0 group TacSrvGrp local
aaa authorization commands 1 default local
aaa authorization commands 1 TacCommands1 group TacSrvGrp local
aaa authorization commands 15 default local
aaa authorization commands 15 TacCommands15 group TacSrvGrp local
aaa accounting exec default start-stop group TacSrvGrp
aaa accounting commands 15 default start-stop group TacSrvGrp
aaa session-id common
Notice that for the various authentication and authorization parameters, there is a named method list as well as a default method list. As per Cisco's documentation, an AAA method list called default (that you explicitly define) will apply to all input methods (con, aux, vty, etc.) unless you set a named method list on the particular input line (see below):
line con 0
exec-timeout 5 0
line aux 0
exec-timeout 5 0
line vty 0 4
exec-timeout 15 0
authorization commands 0 TacCommands0
authorization commands 1 TacCommands1
authorization commands 15 TacCommands15
authorization exec TacAuth
login authentication TacLogin
transport input ssh
For the console and aux inputs, I only ever want to use local credentials for AAA purposes (ie: If I have to connect on an out-of-band interface, something is potentially wrong with the network connectivity), however for the VTY lines (SSH sessions in this instance), I always want to use the TACACS servers first, with local user credentials as a fallback mechanism.
One thing you need to be VERY mindful of when configuring your devices for AAA is the order of the commands that are entered. It is a relatively simple matter to lock yourself out from the device management if you don't pay close attention to the specific order that the commands are entered. Typically, I will first do a "show user" just to find out which VTY line that I'm connected on, and when I assign the named AAA method lists to the VTY lines, I normally leave the line that I'm on at the default (local), then I open a second session to the device, authenticate using my TACACS credentials, and complete the config on the remaining VTY line.
Keep in mind that there are some other parameters that you can define at the tacacs-server level (timeout value is a good one to look at) which you can use to enhance the AAA performance somewhat.
Hope this helps!
Command execution get very slow when AAA Authorization enable on ASR 1006
Without authorization, I am able to work smoothly with just a click on the ASR, but once I enable authorization it takes many seconds to move to the next command (for example, if I hit config t or int gi1/0/1, it takes time to move to the next command level).
This authorization issue I am facing only on the ASR; for other Cisco switches and routers it's working fine with just a click.
Did anyone face such an issue, and how was it fixed?
See the Show version for ASR
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.1(2)S, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Thu 24-Mar-11 23:32 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2011 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
NOITDCRTRCORP01 uptime is 10 weeks, 6 days, 1 hour, 16 minutes
Uptime for this control processor is 10 weeks, 6 days, 1 hour, 19 minutes
System returned to ROM by reload
System restarted at 17:47:32 IST Thu Oct 4 2012
System image file is "bootflash:/asr1000rp1-advipservicesk9.03.03.00.S.151-2.S.bin"
Last reload reason: EHSA standby down
AAA Commands on ASR 1006
aaa new-model
aaa group server tacacs+ tacgroup
server 10.48.128.10
server 10.72.160.10
ip vrf forwarding Mgmt-intf
ip tacacs source-interface GigabitEthernet0
aaa authentication login default group tacgroup local
aaa authentication enable default group tacgroup enable
aaa accounting exec default start-stop group tacgroup
aaa accounting commands 1 default start-stop group tacgroup
aaa accounting commands 15 default start-stop group tacgroup
aaa accounting connection default start-stop group tacgroup
aaa accounting system default start-stop group tacgroup
aaa authorization commands 0 default group tacgroup none
aaa authorization commands 1 default group tacgroup none
aaa authorization commands 15 default group tacgroup none
aaa session-id common
tacacs-server host 10.48.128.10 key 7 13351601181B0B382F04796166
tacacs-server key 7 053B071C325B411B1D25464058
I think your issue may be related to your TACACS server. Re-order the two servers (typically there is a 5 second timer before failover occurs) and see if that improves your performance:
server 10.48.128.10
server 10.72.160.10
to
server 10.72.160.10
server 10.48.128.10
You can try to debug the issue by referring to the command reference guide, i.e. debug tacacs. You can also try to telnet to both IP addresses on port 49 to see if the connection opens, in order to rule out issues where a firewall or routing to one of the TACACS servers is failing. I also noticed you have the shared secret and TACACS server defined for one of the servers; is the same present for the other server that is in the server group?
Thanks,
Tarik Admani
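The two threads above turn on the same method-list rule. The TacExec reply stresses that a deny from the TACACS server never falls through to `local`, and the ASR configuration's `group tacgroup none` lists fall through to `none` only when no server answers, after paying one timeout per dead server, which is also where the multi-second lag comes from when the first server in the group is unreachable. The following Python model is an added example written for this page, not Cisco IOS code or anything from the posts; the server addresses, local user database and per-server decisions are constructed, and the rule that an exhausted list (every method returning an error) is denied is a modelling assumption.

```python
"""Model of Cisco IOS AAA method-list evaluation (added example, not IOS code).

Semantics modelled, as described in the posts above:
  * methods are tried strictly in the configured order;
  * a server group returns PASS or FAIL as soon as a reachable server answers,
    and a FAIL (deny) terminates the list; it never falls through to 'local';
  * only ERROR (no server answered) moves on to the next method;
  * 'none' always passes, so 'group X none' is fail-open while X is unreachable;
  * each unreachable server costs one full timeout before the next is tried.
Server addresses, the user database and the per-server decisions are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    PASS = "PASS"
    FAIL = "FAIL"    # explicit deny from the server or the local database
    ERROR = "ERROR"  # no usable answer; the next method in the list is tried


@dataclass
class TacacsServer:
    address: str
    reachable: bool
    # constructed policy: (user, command) -> permitted?  Unknown pairs are denied.
    policy: dict = field(default_factory=dict)


@dataclass
class ServerGroup:
    name: str
    servers: list
    timeout_s: int = 5  # per-server timeout before failing over to the next server

    def authorize(self, user, command):
        """Return (Result, seconds spent waiting on servers that never answered)."""
        waited = 0
        for srv in self.servers:  # configured order is the order tried
            if not srv.reachable:
                waited += self.timeout_s
                continue
            allowed = srv.policy.get((user, command), False)
            return (Result.PASS if allowed else Result.FAIL), waited
        return Result.ERROR, waited  # nobody answered


# constructed local user database: username -> privilege level
LOCAL_USERS = {"admin": 15}


def evaluate(method_list, groups, user, command, level=15, authenticated=True):
    """Walk a method list such as ['group TacSrvGrp', 'local'].

    Returns (Result, total seconds waited). If every method returns ERROR the
    request is denied (modelling assumption for an exhausted list).
    """
    waited = 0
    for method in method_list:
        if method.startswith("group "):
            result, t = groups[method.split(maxsplit=1)[1]].authorize(user, command)
            waited += t
        elif method == "local":
            lvl = LOCAL_USERS.get(user)
            result = Result.PASS if lvl is not None and lvl >= level else Result.FAIL
        elif method == "none":
            result = Result.PASS
        elif method == "if-authenticated":
            result = Result.PASS if authenticated else Result.FAIL
        else:
            raise ValueError(f"unknown method {method!r}")
        if result is not Result.ERROR:
            return result, waited
    return Result.FAIL, waited


def scenarios():
    """The cases discussed in the threads, as name -> (Result, seconds waited)."""
    up_deny = TacacsServer("10.0.0.1", True, {("admin", "show running-config"): False})
    up_permit = TacacsServer("10.0.0.2", True, {("admin", "show running-config"): True})
    down = TacacsServer("10.0.0.3", False)
    groups = {
        "Deny": ServerGroup("Deny", [up_deny]),
        "AllDown": ServerGroup("AllDown", [down, TacacsServer("10.0.0.4", False)]),
        "DeadFirst": ServerGroup("DeadFirst", [down, up_permit]),
        "LiveFirst": ServerGroup("LiveFirst", [up_permit, down]),
    }
    cmd = "show running-config"
    return {
        # a deny from the server is final: 'local' is never consulted
        "deny_then_local": evaluate(["group Deny", "local"], groups, "admin", cmd),
        # no answer at all: falls back to the local database, after 2 x 5 s
        "dead_then_local": evaluate(["group AllDown", "local"], groups, "admin", cmd),
        # 'none' after an unreachable group permits everything (fail-open)
        "dead_then_none": evaluate(["group AllDown", "none"], groups, "nobody", cmd),
        # server order: a dead first server costs one timeout on every command
        "dead_first": evaluate(["group DeadFirst", "none"], groups, "admin", cmd),
        "live_first": evaluate(["group LiveFirst", "none"], groups, "admin", cmd),
    }


if __name__ == "__main__":
    for name, (result, waited) in scenarios().items():
        print(f"{name:16s} {result.value:5s} waited {waited}s")
```

The last two scenarios show the cost of server order that Tarik's reply points at: with the dead server listed first, every authorized command waits a full timeout. The third scenario shows the trade-off in the ASR's `group tacgroup none` lists: commands keep working when both servers are down, at the price of authorizing everything in that state, so the outage should be visible in the TACACS accounting gap rather than go unnoticed.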
Hi,
i have the following config :
aaa new-model
aaa authentication login NO_LOGIN none
aaa authentication login ADMINS group radius local
aaa authentication login CONSOLE group radius local
aaa authorization exec NO_AUTHOR none
aaa authorization exec ADMINS group radius local
aaa authorization exec CONSOLE group radius local
enable secret cisco
username cisco privilege 15 secret cisco
line con 0
password 7 05080F1C2243
authorization exec CONSOLE
login authentication CONSOLE
line vty 0 4
password 7 045802150C2E0C
authorization exec ADMINS
logging synchronous
login authentication ADMINS
line vty 5 15
password 7 060506324F41
authorization exec ADMINS
logging synchronous
login authentication ADMINS
When I am trying to log in to the switch from a vty line I come directly to privilege mode, but when logging in to the console port I come to exec mode (privilege 1) and I can't go further to the user privilege mode. Each time I have to type a password (I type the enable one) and my access is denied.
When issuing the command # aaa authorization console (using telnet from another switch)
the problem is solved.
Can someone please explain why this is happening? I think after logging in with a local account (with privilege 15) from the console port I should get directly to privilege mode, or am I wrong?
aaa authorization console is a hidden command. We have to execute this command to enable authorization for the console line. If you create a method list "aaa authorization exec CONSOLE group radius local" for the console and try to apply it on line console 0, it will throw an error that without "aaa authorization console" all authorization commands for the console are useless. You have to first enable authorization for the console with the help of aaa authorization console.
Command reference
http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfauth.html#wp1024046
Jatin Katyal
Aaa authorization subscriber-service default group
Dear All
I am configuring Broadband RAS over PPPoe on Cisco 7206 ( IOS 12.2(33) SRD).
some commands i am not able to run like
aaa authorization subscriber-service default group AAA-SERVERS
aaa server radius sesm
scenario is like this
END User-> Broadband RAS->(Management software with DHCP server)-> Bandwidth manager-> core Router -> Internet
Broadband RAS will manage All internet user with the help of management software.
please help me
vikas
Hi
The output that you posted (System image file is "disk2:c7200p-ipbase-mz.124-15.T9.bin") is from an image that does not support this feature.
The IOS releases below support AAA Authorization and Authentication Cache and AAA server groups; these are IP Base without crypto:
Release        Image                              DRAM (MB)  Flash (MB)
15.0(1)M2      c7200-ipbase-mz.150-1.M2.bin       512        64
15.0(1)M1      c7200-ipbase-mz.150-1.M1.bin       512        64
15.0(1)M       c7200-ipbase-mz.150-1.M.bin        512        64
12.2(33)SRE1   c7200-ipbase-mz.122-33.SRE1.bin    512        64
12.2(33)SRE    c7200-ipbase-mz.122-33.SRE.bin     512        64
12.2(33)SRD4   c7200-ipbase-mz.122-33.SRD4.bin    128        64
12.2(33)SRD3   c7200-ipbase-mz.122-33.SRD3.bin    128        64
12.2(33)SRD2a  c7200-ipbase-mz.122-33.SRD2a.bin   128        64
12.2(33)SRD2   c7200-ipbase-mz.122-33.SRD2.bin    128        64
12.2(33)SRD1   c7200-ipbase-mz.122-33.SRD1.bin    128        64
12.2(33)SRD    c7200-ipbase-mz.122-33.SRD.bin     128        64
12.2(33)SRC6   c7200-ipbase-mz.122-33.SRC6.bin    128        64
12.2(33)SRC5   c7200-ipbase-mz.122-33.SRC5.bin    128        64
12.2(33)SRC4   c7200-ipbase-mz.122-33.SRC4.bin    128        64
12.2(33)SRC3   c7200-ipbase-mz.122-33.SRC3.bin    128        64
12.2(33)SRC2   c7200-ipbase-mz.122-33.SRC2.bin    128        64
12.2(33)SRC1   c7200-ipbase-mz.122-33.SRC1.bin    128        64
12.2(33)SRC    c7200-ipbase-mz.122-33.SRC.bin     128        64
Regards
Chetan Kumar
Command confusion - aaa authorization config-commands
I created a new Shell Command Authorization Set within ACS to only allow a port to be configured for a voice VLAN.
>> Shell Command Authorization Sets
Name: Restricted_Voice
Description: Configure port voice vlan only.
Unmatched Commands: Deny
Add: enable
Add: configure / permit terminal <cr>
Add: interface / permit Gi*
Add: interface / permit Fa*
Add: switchport / permit voice vlan *
My switch configuration has the following aaa authorization related lines:
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
When I tested the Shell Set, I noticed that all (config) mode commands were allowed (i.e. description, hostname). It was only after I added "aaa authorization config-commands" to the switch configuration that my Shell Set began working as I expected it to.
I went and read up the command reference for "aaa authorization config-commands" in
http://www.cisco.com/en/US/docs/ios/11_3/security/command/reference/sr_auth.html#wp3587.
My comprehension of the command is that by just issuing ' aaa authorization commands 15 ....' this command encompasses the checking of config mode commands and that I did not need to add the stand-alone "aaa authorization config-commands" statement. But clearly, from my testing, I needed the extra statement.
It looks like I resolved my issue and need to add the new statement to all my switches, but I'm wondering if someone can help clarify the usage guidelines for me. Am I one of the few or the only one that misinterpreted these "aaa authorization" commands?
Hi Axa,
I have a similar setup and have full Exec Level permissions using only aaa authorization commands level method
The below is taken from cisco.com and explains that you should not require the
aaa authorization config-commands unless you have at some point used the no aaa authorization config-commands command to prevent configuration commands from the Exec User
This in essence is a hidden configured default, i.e. you switch on auth for config-commands automatically when you use the aaa authorization commands level method command!
From Cisco.com (I have underlined the key points)
aaa authorization config-commands
To disable AAA configuration command authorization in the EXEC mode, use the no form of the aaa authorization config-commands global configuration command. Use the standard form of this command to reestablish the default created when the aaa authorization commands level method1 command was issued.
aaa authorization config-commands
no aaa authorization config-commands
Syntax Description
This command has no arguments or keywords.
Defaults
After the aaa authorization commands level method has been issued, this command is enabled by default—meaning that all configuration commands in the EXEC mode will be authorized.
Usage Guidelines
If aaa authorization commands level method is enabled, all commands, including configuration commands, are authorized by AAA using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using no aaa authorization config-commands stops the network access server from attempting configuration command authorization.
After the no form of this command has been entered, AAA authorization of configuration commands is completely disabled. Care should be taken before entering the no form of this command because it potentially reduces the amount of administrative control on configuration commands.
Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization commands level method command.
Examples
The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:
aaa new-model
aaa authorization command 15 tacacs+ none
no aaa authorization config-commands
AAA authorization fails, but still command is executed...
Hi everyone,
i've implemented authorization and it basically works. The user can only use a limited set of commands (show int status, conf t, interface ethernet, interface gigabitethernet, interface fastethernet, shut, no shut).
Now I try to configure a loopback or Vlan interface, which should not be allowed.
COMMANDS IMPLEMENTED:
aaa authorization config-commands
aaa authorization commands 0 vty group tacacs+ none
aaa authorization commands 1 vty group tacacs+ none
aaa authorization commands 15 vty group tacacs+ none
line vty 0 15
authorization commands 0 vty
authorization commands 1 vty
authorization commands 15 vty
COMMAND AND OUTPUT FROM TESTING:
SWITCH(config)#int vlan 2
Command authorization failed.
DEBUG AAA AUTHORIZATION:
SWITCH#
Dec 7 14:31:50: AAA: parse name=tty1 idb type=-1 tty=-1
Dec 7 14:31:50: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
Dec 7 14:31:50: AAA/MEMORY: create_user (0x46603F4) user='USER1' ruser='SWITCH' ds0=0 port=
'tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Port='tty1' list='SCAS' service=CMD
Dec 7 14:31:50: AAA/AUTHOR/CMD: tty1 (60725991) user='USER1'
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV service=shell
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd=interface
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=Vlan
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=2
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=<cr>
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): found list "SCAS"
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Method=tacacs+ (tacacs+)
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): user=USER1
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV service=shell
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd=interface
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=Vlan
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=2
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=<cr>
Dec 7 14:31:50: AAA/AUTHOR (60725991): Post authorization status = FAIL
Dec 7 14:31:50: AAA/MEMORY: free_user (0x46603F4) user='USER1' ruser='SWITCH' port='tty1' r
em_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15
As you can see the reply from the Tacacs is a "FAIL", but still the command is executed.
RESULT:
SWITCH#sh run int vlan 2
Building configuration...
Current configuration : 38 bytes
interface Vlan2
no ip address
end
QUESTION:
I don't understand what the problem is...Since I get a FAIL from the Tacacs Server I assume that the configuration on that side is fine.
But why would the switch ignore a FAIL and still execute the command? Same problem exists with the Loopback-Interface.
Is this me not understanding the basic concept of AAA or is this some other problem?
The Switch is a Cisco WS-C3750-24TS (running c3750-ipbasek9-mz.122-50.SE2.bin).
The Tacacs runs Cisco Secure ACS4.2.0.124
Thanks,
Tom
Hi Tom,
this is CSCtd49491: TACACS+ command authorization for interface configuration fails.
The bug is currently in a Closed state, meaning that the "Bug report is valid, but a conscious decision has been made not to fix it at all or in all releases."
As far as I can tell, the impact is rather limited since the interface that gets created will have no effect unless the vlan exists, and even then the effect is minimal since it cannot be configured.
You may want to open a TAC case or work with your account team to get the bug re-opened if this is still a concern though.
hth
Herbert
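The debug excerpt in Tom's post is the only place the device itself records that the TACACS+ server answered FAIL, so it is the data to check when verifying whether a denied command nevertheless took effect, as the CSCtd49491 discussion above describes. The following Python parser is an added example, not Cisco code or anything from the thread. The sample debug text is constructed, modelled on the lines Tom posted, with a second, permitted request added so that the filter has something to keep and something to drop; its `PASS_ADD` status follows the form IOS uses for a successful command authorization.

```python
"""Parser for 'debug aaa authorization' output (added example; not Cisco code).

Rebuilds, per authorization request id, who asked to run what, through which
method list and method, and what the final 'Post authorization status' was.
SAMPLE_DEBUG is constructed: the first request mirrors the post above, the
second is an invented permitted request.
"""
import re

SAMPLE_DEBUG = """\
Dec 7 14:31:50: AAA: parse name=tty1 idb type=-1 tty=-1
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Port='tty1' list='SCAS' service=CMD
Dec 7 14:31:50: AAA/AUTHOR/CMD: tty1 (60725991) user='USER1'
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV service=shell
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd=interface
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=Vlan
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=2
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=<cr>
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): found list "SCAS"
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Method=tacacs+ (tacacs+)
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd=interface
Dec 7 14:31:50: AAA/AUTHOR (60725991): Post authorization status = FAIL
Dec 7 14:32:02: tty1 AAA/AUTHOR/CMD (60725992): Port='tty1' list='SCAS' service=CMD
Dec 7 14:32:02: AAA/AUTHOR/CMD: tty1 (60725992) user='USER1'
Dec 7 14:32:02: tty1 AAA/AUTHOR/CMD (60725992): send AV cmd=show
Dec 7 14:32:02: tty1 AAA/AUTHOR/CMD (60725992): send AV cmd-arg=interfaces
Dec 7 14:32:02: tty1 AAA/AUTHOR/CMD (60725992): send AV cmd-arg=status
Dec 7 14:32:02: tty1 AAA/AUTHOR/CMD (60725992): send AV cmd-arg=<cr>
Dec 7 14:32:02: tty1 AAA/AUTHOR/CMD (60725992): Method=tacacs+ (tacacs+)
Dec 7 14:32:02: AAA/AUTHOR (60725992): Post authorization status = PASS_ADD
"""

# Only the AAA/AUTHOR/CMD lines carry the attribute-value pairs once; the
# AAA/AUTHOR/TAC+ lines repeat them and are deliberately not matched.
RE_START = re.compile(r"AAA/AUTHOR/CMD \((\d+)\): Port='([^']*)' list='([^']*)'")
RE_USER = re.compile(r"AAA/AUTHOR/CMD: \S+ \((\d+)\) user='([^']*)'")
RE_AV = re.compile(r"AAA/AUTHOR/CMD \((\d+)\): send AV (cmd|cmd-arg)=(\S+)")
RE_METHOD = re.compile(r"AAA/AUTHOR/CMD \((\d+)\): Method=(\S+)")
RE_STATUS = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\S+)")


def parse_debug(text):
    """Return one record per authorization request, in order of appearance."""
    requests = {}
    for line in text.splitlines():
        m = RE_START.search(line)
        if m:
            rid, port, lst = m.groups()
            requests[rid] = {"id": rid, "port": port, "list": lst, "user": None,
                             "method": None, "args": [], "status": None}
            continue
        m = RE_USER.search(line)
        if m and m.group(1) in requests:
            requests[m.group(1)]["user"] = m.group(2)
            continue
        m = RE_AV.search(line)
        if m and m.group(1) in requests:
            if m.group(3) != "<cr>":  # <cr> only marks the end of the command
                requests[m.group(1)]["args"].append(m.group(3))
            continue
        m = RE_METHOD.search(line)
        if m and m.group(1) in requests:
            requests[m.group(1)]["method"] = m.group(2)
            continue
        m = RE_STATUS.search(line)
        if m and m.group(1) in requests:
            requests[m.group(1)]["status"] = m.group(2)
    records = []
    for rec in requests.values():
        rec["command"] = " ".join(rec.pop("args"))
        records.append(rec)
    return records


def denied(records):
    """Requests the server refused; the ones to reconcile against the config."""
    return [r for r in records if r["status"] == "FAIL"]


if __name__ == "__main__":
    for r in parse_debug(SAMPLE_DEBUG):
        print(f"{r['id']} {r['user']} list={r['list']} method={r['method']} "
              f"{r['status']:8s} {r['command']}")
```

Reconciling the `FAIL` records against configuration change accounting, or against a diff of the running configuration, is a direct way to detect the mismatch Tom reports: a denied `interface Vlan 2` whose interface nevertheless appears in `show run`.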
AAA Authorization Using Local Database
Hi Guys,
I'm planning to use AAA authorization using local database. I have read already about it, I have configured the AAA new-model command and I have setup user's already. But I'm stuck at the part where I will already give certain user access to certain commands using local database. Hope you can help on this.
FYI: I know using ACS/TACACS+/RADIUS is much more easy and powerful but my company will most likely only use local database.
For allowing limited read-only access, use this example.
We need these commands on the switch
Switch(config)#do sh run | in priv
username admin privilege 15 password 0 cisco123!
username test privilege 0 password 0 cisco
privilege exec level 0 show ip interface brief
privilege exec level 0 show ip interface
privilege exec level 0 show interface
privilege exec level 0 show switch
No need for the user to log in to enable mode. All priv 0 commands are now there in user mode. See below:
User Access Verification
Username: test
Password:
Switch>show ?
diagnostic Show command for diagnostic
flash1: display information about flash1: file system
flash: display information about flash: file system
interfaces Interface status and configuration
ip IP information
switch show information about the stack ring
Switch>show switch
Switch/Stack Mac Address : 0015.f9c1.ca80
H/W Current
Switch# Role Mac Address Priority Version State
*1 Master 0015.f9c1.ca80 1 0 Ready
Switch>show run
^
% Invalid input detected at '^' marker.
Switch>show aaa server
^
% Invalid input detected at '^' marker.
Switch>show inter
Switch>show interfaces
Vlan1 is up, line protocol is up
Hardware is EtherSVI, address is 0015.f9c1.cac0 (bia 0015.f9c1.cac0)
Internet address is 192.168.26.3/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Switch>
Please check this link,
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
Regards,
~JG
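JG's answer relies on how `privilege exec level` behaves: moving `show ip interface brief` to level 0 also moves the parent keywords `show`, `show ip` and `show ip interface` to level 0, while sibling commands such as `show version` and `show running-config` keep their own levels. That is why the level-0 user above sees only a handful of `show` options and cannot read the running configuration, which is the property that makes this a read-only account. The following Python model is an added example, not IOS code; its default privilege table is a small constructed subset of the real one, it matches full keywords only (no abbreviations), and it applies the four lines from JG's configuration to show which commands a level-0 user can run.

```python
"""Model of IOS local privilege-level command authorization (added example, not IOS code).

Rule modelled: 'privilege exec level N <command>' also moves every parent keyword
of that command ('show', 'show ip', ...) to level N unless set separately, and a
user at level L may run a command only when every keyword on its path is at a
level <= L. DEFAULT_LEVELS and default_level() are a constructed subset of the
real IOS defaults, chosen to cover the commands in the post above.
"""

# constructed defaults: the user-mode 'show' tree is level 1, except views
# that expose the configuration (and its secrets), which stay at 15
DEFAULT_LEVELS = {
    ("show",): 1,
    ("show", "running-config"): 15,
    ("show", "startup-config"): 15,
}


def default_level(node):
    if node in DEFAULT_LEVELS:
        return DEFAULT_LEVELS[node]
    return 1 if node[0] == "show" else 15  # constructed: non-show commands are privileged


class PrivilegeTable:
    def __init__(self):
        self.explicit = {}  # nodes set directly by 'privilege exec level'
        self.implied = {}   # parent keywords moved along with them

    def privilege_exec_level(self, level, command):
        """Apply one 'privilege exec level <level> <command>' line."""
        words = tuple(command.split())
        self.explicit[words] = level
        for n in range(1, len(words)):
            parent = words[:n]
            self.implied[parent] = min(level, self.implied.get(parent, level))

    def node_level(self, node):
        if node in self.explicit:
            return self.explicit[node]
        if node in self.implied:
            return self.implied[node]
        return default_level(node)

    def required_level(self, command):
        """Highest level found on the keyword path; full keywords only."""
        words = tuple(command.split())
        return max(self.node_level(words[:n]) for n in range(1, len(words) + 1))

    def can_run(self, user_level, command):
        return user_level >= self.required_level(command)


def read_only_table():
    """The four 'privilege exec level 0' lines from the post, applied to a fresh table."""
    table = PrivilegeTable()
    for cmd in ("show ip interface brief", "show ip interface",
                "show interfaces", "show switch"):
        table.privilege_exec_level(0, cmd)
    return table


if __name__ == "__main__":
    table = read_only_table()
    for cmd in ("show ip interface brief", "show interfaces", "show version",
                "show running-config", "configure terminal"):
        verdict = "permitted" if table.can_run(0, cmd) else "denied"
        print(f"level-0 user, {cmd!r}: {verdict}")
```

The check worth running before handing such an account out is the negative one: every command that reads configuration or secrets (`show running-config`, `show startup-config`) must still require level 15 after the `privilege` lines are applied, because a later `privilege exec level 0 show running-config` would silently turn the read-only account into one that can read the whole device configuration.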
How to map this command from IOS to FWSM ?
I want the user, once logged in and authenticated, to go directly to exec mode. No problem on IOS, but I'm not sure how to configure it on the FWSM or PIX Firewall.
aaa authentication enable default enable none
aaa authorization exec default group tacacs+ if-authenticated
The configuration on the FWSM for AAA will be the same as it would be on a normal PIX. The documents have more details about the same.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/mngacl.htm
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmdqref.htm
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm
AAA authorization and accounting
Hello everyone.
I am given a project to implement AAA on routers and switches in our environment. Can some one please help me out in understanding the difference between,
1) aaa authorization exec and aaa authorization command option.
2) aaa accounting exec and aaa accounting command option.
Many thanks.
Sent from Cisco Technical Support Android App
Hello,
1) aaa authorization exec and aaa authorization command option.
The first one authorizes whether the user has the right privilege level to enter one of the IOS privilege levels (0, 1, 15); you can customize this.
The second one authorizes the different commands a user can type and send to the device.
2) aaa accounting exec and aaa accounting command option.
The first one again accounts when a user enters a specific user level (privileged level 15 or exec user level 1).
The second one sends an accounting message for each command sent to the box.
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
Aaa authorization with Tacacs+
Hello All,
I am trying to figure out how aaa authorization with tacacs+ works.
I am totally comfortable with aaa authentication, but am not able to understand how it works. How are different priv levels assigned to different users?
I am totally freaked out...
The device side setup is pretty simple. You just use the aaa authorization command set. A good bit of the setup is on the ACS server end.
Cisco has a pretty thorough configuration example posted here.