Privilege level with ACS
I am trying to configure a group of users to get read-only access to our equipment (switches and routers), specifically show run or show start. I set the command set to permit those 2 commands and I created a rule for that group, but it does not work as desired.
Any ideas? Thank you.
There are a couple of ways that you can accomplish what you are looking to do. What you need to remember is that when showing the running-config you can only see what you have authorization to configure so just allowing a RO user to execute the show run command isn't going to show them much.
One thing you could do is to lower the privilege level required to run the "show configuration" command. The command is "privilege exec level 1 show configuration" and would need to be applied to all your devices. This would allow privilege level 1 users to view the startup-config but not the running-config.
Since you are running ACS another solution would be to create a rule to permit these RO users to login and actually authorize at level 15 which by default allows one to configure everything (remember to be able see it in the running-config you must be authorized to configure it). Then create a limited command set that only allows the commands they need to use.
Hope this helps,
Greg
Similar Messages
-
PRIVILEGE LEVELS FOR ACS WITH AD DATABASE
How do I configure two separate privilege levels for two groups? These groups exist in the AD database, i.e. my ACS (Pri & Backup) are looking in AD for authentication.
Hi ,
If you are using TACACS+,
Bring users/groups in at the level needed
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter the privilege level (1 to 15) in the adjacent field
If you are using RADIUS,
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
radius-server host X.X.X.X key XXXX
Following is the configuration required in the Radius Server
The AV pair in the ACS -->group setup--> IETF RADIUS Attributes
[006] Service-Type = Login
/* Following is for getting the user straight into privileged mode */ to set priv 15
The AV pair in Cisco IOS/PIX RADIUS Attributes
[009\001] cisco-av-pair = shell:priv-lvl=15
For more information on above commands, please refer to the following link :-
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/index.htm
Please try the above and let me know if this helps.
Thanks -
How to Assign Privilege Levels with CiscoSecure ACS TACACS+
How to assign a privilege level to a user in Secure ACS TACACS+ when the user exists in an external database?
Regards,
Bilal
Hi Bilal,
Bring users/groups in at level 15
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field
Regards,
~JG
Do rate helpful posts -
Enabling Privilege Levels when ACS is Down
Hi,
I have a requirement to fall back to local accounts when ACS is down. These accounts will have specific privilege levels. I have two local users - adminro and adminrw.
adminro is read only and will have a privilege level of 7.
adminrw is a full access account with a priv level of 15.
I can login with adminro when ACS is down, but when I attempt to enable using "enable 7" I receive the following output:
PPD-ELPUF5/pri/act> en 7
Enabling to privilege levels is not allowed when configured for
AAA authentication. Use 'enable' only.
If I login using "enable", my read only account now has full configuration access, which is not desirable.
My AAA configuration is as follows:
aaa authentication ssh console ADMIN LOCAL
aaa authentication enable console ADMIN LOCAL
aaa authentication http console ADMIN LOCAL
aaa authentication telnet console ADMIN LOCAL
aaa authentication serial console ADMIN LOCAL
aaa authorization command ADMIN LOCAL
aaa accounting ssh console ADMIN
aaa accounting command privilege 15 ADMIN
aaa accounting enable console ADMIN
aaa accounting serial console ADMIN
aaa accounting telnet console ADMIN
aaa authorization exec authentication-server
username adminro password <REMOVED> encrypted privilege 7
username adminrw password <REMOVED> encrypted privilege 15
enable password <REMOVED> level 7 encrypted
enable password <REMOVED> encrypted
Is there any way to enable the user or automatically elevate the user to privilege 7 post login, like you can with a router? I cannot have the adminro account be able to run configuration commands on the device. Running ASA version 8.2(3).
Thanks!
PPD-ELPUF5/pri/act# sh curpriv
Username : adminro
Current privilege level : 7
Current Mode/s : P_PRIV
Server Group: ADMIN
Server Protocol: tacacs+
Server Address: 1.150.1.80
Server port: 49
Server status: FAILED, Server disabled at 15:02:37 EDT Wed Oct 12 2011
Number of pending requests 0
Average round trip time 2ms
Number of authentication requests 38
Number of authorization requests 373
Number of accounting requests 149
Number of retransmissions 0
Number of accepts 307
Number of rejects 19
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 234
Number of unrecognized responses 0
PPD-ELPUF5/pri/act(config)# name 1.1.1.1 TEST description TEST CHANGE
PPD-ELPUF5/pri/act(config)# sh run name
name 1.1.1.1 TEST description TEST CHANGE
As you can see above, my user was able to perform a change even though it should not be allowed.
PPD-ELPUF5/pri/act(config)# sh run privilege
privilege cmd level 7 mode exec command show
privilege cmd level 7 mode exec command ping
privilege cmd level 7 mode exec command traceroute
ACS with RSA for privilege level 'enable' authentication
Has anyone experienced problems with privilege level "Enable" password authentication via ACS using RSA two-factor authentication? We have recently deployed ACS and use RSA two-factor authentication for the telnet connection without any problems. When configuring the network device and ACS to use RSA for the privilege level authentication "enable", this fails. We get prompted to enter the token code and the RSA server indicates that authentication is successful; however, the network device (ASA or switch) seems to reject it.
Are there any tricks to this?
Thanks in advance!
David
Like Collin, the first thing that I think of is that you cannot use the same token code to authenticate enable mode that was used to authenticate user mode. Beyond that I am not aware of things that should prevent this working. Are you sure that the ACS authentication server is configured to allow that user access to privilege mode?
Perhaps it would be helpful if you would post the config (especially all the aaa related parts) of a device that is having that problem. And it might help find the issue if you would run debug for authentication, try to login to enable mode, and post the output.
HTH
Rick -
Setting privilege level for logging into ASA through ACS
Hi!,
In my environment I implemented AAA for logging into switches, routers, ASA etc. through ACS, which is configured for TACACS+.
I have set different privilege levels like readonly, readwrite etc. in ACS. They are working fine when I try to log in to a switch or router.
But on the ASA I am unable to restrict the privilege levels of different users.
Can someone please guide me with the ASA & ACS settings to solve this issue?
Hi!
I tried this option. It is working fine with routers & switches. But for ASA privilege access it is not functioning.
I created 3 profiles in "Shared Profiles" & added 1 of them in Group settings & added users to this group, specifying group authentication. This way I am able to control access to the switches & routers with the proper privilege. But when I tried to implement it the same way for the ASA it's not happening.
Can you please check it out... -
Username with privilege level 15 bypass enable
Hi experts,
I guess I never really understand the authentication process on Cisco routers and devices lol. Anyway I want users with privilege level 15 to be put in the enable mode right away after login without having to type in "enable" command and enable password. Users with other privilege levels will still be put in the EXEC mode.
AAA has to be enabled because I'm using it for 802.1x as well.
The privilege level eventually will be assigned by Radius server but right now the user is created locally on the switch. Right now I have:
aaa new-model
username admin privilege 15 secret 5 $1$2bdl$VIp53G4/zpo4f9aHh.t5v0
username cisco secret 5 $1$NGdD$ehTUzwappJFMxgA7tM/YW.
line vty 0 5
access-class 100 in
exec-timeout 30 0
logging synchronous
transport input ssh
And it's not working lol. No matter whether I log in with "admin" or "cisco", I'm put in EXEC mode... What do I have to do to achieve this?
Thanks!
Hi,
With the default keyword, authorization will get applied on all the lines, i.e. CONSOLE, VTY, AUX.
In case you want it for users who are trying to login to via ssh or telnet use the following:
EXEC AUTHORIZATION
Router
router(config)#aaa authorization exec TEL group radius local
router(config)#line vty 0 15
router(config-line)#authorization exec TEL
ACS
Interface configuration
Check user & group for cisco av-pair.
User setup -> Cisco IOS/PIX 6.x RADIUS attributes -> cisco-av-pair [ shell:priv-lvl=15 ]
OR
Group setup -> IOS/PIX 6.x RADIUS attributes -> shell:priv-lvl=15
In case of RADIUS, if exec authorization is enabled and you have not specified any privilege level in the ACS server, then the user will fall under privilege level 1, and if enable authentication is enabled or an enable password is defined on the router then we can go to enable mode by typing en or enable.
Regards,
Anisha
P.S.: please mark this thread as resolved if you think your query is answered. -
Not able to login with privilege levels
Hi,
I have created privilege levels in a Cisco switch, especially level 7. If I log in with that username and password, after typing the privilege mode password it goes to level 15.... What is the problem?
The commands I configured are:
# username cisco level 7 password cisco
#enable secret cisco
Please help me find where I have gone wrong.
Hi, what model/IOS version do you use?
Rating useful replies is more useful than saying "Thank you" -
AAA Local with Privilege Levels
The goal....
1. local usernames on a router to control access
2. Use privilege levels in the username command to reflect what a user is allowed to do
3. Define a set of commands available to users with privilege level 1
My trouble here is that I cannot seem to find this exact combination of commands for what I want to do on CCO or Google. I have tried several combinations and here is what I have so far, but it's not working.
aaa new-model
aaa authentication login default local
aaa authorization commands 1 default local
username engineer priv 15 pass XXXX
username tech priv 1 pass XXXX
privilege exec level 1 traceroute
privilege exec level 1 ping
Hi,
This link answers your question.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
The aaa authorization command is not required.
Regards,
~JG
Do rate helpful posts -
RSA SecurID authentication and privilege level
Hello,
I'm new working with Cisco ACS, learning by the seat of my pants; most of the documentation on Cisco's website is fairly cryptic and does not use many pictures. Therefore, I would appreciate some help setting up privileges. We have ACS v5.2 which I have set up using RSA SecurID and it appears to be working correctly. However, I'm having problems with the privilege level: when I access a router it lands me in user mode. I'm trying to set up an administrator group for the routers and switches to have each member dropped into privilege level 15, exec mode, but I'm having difficulty doing this.
Unfortunately, I'm unable to find any really useful information in reference to setting up RSA SecurID. It seems more of the information is geared around RADIUS servers. Any help would be greatly appreciated. Thank you much!
Hello.
Remember AAA means authentication, authorization and accounting. In your case you authenticate with RSA, but you authorize with ACS policies. For TACACS+ and traditional IOS on routers and switches you can use an ACS policy element called "shell profile", which you can use to specify attributes like privilege level. Then you can use the "shell profile" to create an authorization policy.
I'm attaching some screenshots. In this example I'm using AD instead of RSA because I don't have a RSA available. Please rate if it helps. -
ASDM and privilege level (using TACACS)
Hi experts,
Initial question: How can I force ASDM to ask for the enable password when the user clicks on Apply?
Environment description:
I have an ASA 5510 connected to an ACS 5.0.
Security policy:
I want the users defined on my ACS to be able to gain privilege level 15, but only after using their enable password. By default the user must be in non-privileged mode (<15).
A SNMP alert is sent when the ASA catches a "User priv level changed" syslog message. (logging customization)
ACS configuration:
Maybe I misunderstand the TACACS privilege level parameters on ACS.
I set a Shell Profile which gives the user the following privilege levels:
Default Privilege Level = 7
Maximum Privilege Level = 15
1st config tested on ASA:
aaa authentication ssh console grp-tacacs LOCAL
aaa authentication http console grp-tacacs LOCAL
aaa authentication enable console grp-tacacs LOCAL
! no authorization set
Results:
On CLI: perfect
My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and his enable password
On ASDM: policy security failure
When the user connects through ASDM, he gains privilege level 15 directly
It seems that if authorization is not set, ASDM always gives privilege level 15 to any user
So OK for CLI, but NOK for ASDM
2nd config tested on ASA:
aaa authentication ssh console grp-tacacs LOCAL
aaa authentication http console grp-tacacs LOCAL
aaa authentication enable console grp-tacacs LOCAL
aaa authorization exec authentication-server
! no authorization command set
Results:
On CLI: lose enable access
I can't gain privilege level 15 access anymore. When I use the enable command, I move to privilege level 7 only. So in this case the ASA uses the TACACS Default Privilege Level value.
On ASDM: policy security failure
When the user connects through ASDM, he gains privilege level 7 as described at the bottom of the ASDM window BUT the user has full rights and can change settings.
So NOK for CLI and ASDM
Question: Why do I have more access rights with ASDM than on CLI with the same settings?
3rd config tested on ASA:
aaa authentication ssh console grp-tacacs LOCAL
aaa authentication http console grp-tacacs LOCAL
aaa authentication enable console grp-tacacs LOCAL
aaa authorization exec authentication-server
aaa authorization command LOCAL
! specific authorization command set for ASDM applied
Results:
On CLI: lose enable access (same as config 2)
On ASDM: unable to gain privilege level 15 --> acceptable
When the user connects through ASDM, he gains privilege level 7 as described at the bottom of the ASDM window AND the user really has level 7 access rights.
So NOK for CLI and Acceptable for ASDM
Question: Is there no possibility to move to enable mode on ASDM ?
4th config tested on ASA:
aaa authentication ssh console grp-tacacs LOCAL
aaa authentication http console grp-tacacs LOCAL
aaa authorization exec authentication-server
aaa authorization command LOCAL
! no aaa authentication for 'enable access', using local enable_15 account
! specific authorization command set for ASDM applied
Results:
On CLI: acceptable
My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and the local enable password
On ASDM: unable to gain privilege level 15 --> acceptable (same as config 3)
So Acceptable for CLI and ASDM
Questions review:
1 - Is it possible to force ASDM to ask for the enable password when the user clicks on Apply?
2 - Why do I have different access rights using ASDM than on CLI with the same settings?
3 - Is there no possibility to move to enable mode on ASDM when the user is on privilege level 7 whereas he has Maximum Privilege Level = 15 ?
4 - How may I understand these parameters on TACACS: Default Privilege Level and Maximum Privilege Level ?
Thanks for your help.
Thanks for your answer jedubois.
In fact, my security policy is like this:
A) Authentication has to be nominative with password enforcement policy
--> I'm using CS ACS v5.1 appliance with local user database on it
B) Every "network" user can be granted privilege level 15
--> max user privilege level is set to 15 in my authentication mechanism on ACS
C) A "network" user can log onto the network equipment (RTR, SW and FW) but has monitor access only at first.
D) A "network" user can be granted privilege level 15 after a second authentication which generates a log message
--> SNMP trap sent to supervision server
E) The user password and enable password have to be personal.
So, I need only 2 privilege levels:
- monitor (any level from 1 to 14. I set 7)
- admin (level 15)
For RTR, SW and FW (on CLI), it works as wanted: the "network" users connect to the equipment in monitor mode. They type "enable" and they use their private enable password to be granted privilege level 15.
ASDM interface is requested by the customer.
For ASDM, as I was not able to satisfy the security policy, I applied this:
1- I activated Exec Shell Access authorization to get the default user privilege level value from ACS
--> Then, when I log onto the ASDM using a "network" user, I have privilege level 7 but I am able to change the parameters.
2- I activated LOCAL Command authorization (adding "ASDM defined User Roles")
--> Then, when I log onto the ASDM using a "network" user, I have privilege level 7 and I can't push any modification.
--> The issue is that I can't push any modification on CLI either ... :-( because my user is stuck on "default privilege level" 7 and can't get access to "max privilege level 15" as defined on ACS when LOCAL authorization is set
(ok, I go on my ACS and move the default privilege level to 15 to restore admin access to the ASA and apply 3- before resetting the default privilege level to 7)
3- I removed "aaa authorization enable console TACACS" to use the local enable password
--> now I can't get admin access on ASDM: OK
--> and I can get admin access on CLI by entering the local enable password
At the end, I satisfy my security policy items A to D but not E. That's a good compromise, but do you see a solution to satisfy E as well?
Thanks -
Create a privilege level that only allows access to show commands
Hi,
I would like to create a privilege level that would only give access to the show commands for certain users. What would be the best way to do this?
Would I have to use the privilege mode level level command for every available show command or is there a more efficient way of doing this?
In addition, could we manage such a privilege level from a Radius Server.
Thanks for your help
Stéphane
Well, I think the best way to achieve this is to use TACACS+ with the command authorization feature.
Configuration on the tacacs server ( only for show commands, read only access)
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#scenario2
These commands are required on an IOS router or switch in order to implement command authorization through an ACS server:
aaa new-model
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
tacacs-server host 10.1.1.1
tacacs-server key cisco123
These commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:
aaa-server authserver protocol tacacs+
aaa-server authserver host 10.1.1.1
aaa authorization command authserver
However, if you strictly want to use radius server then please try the below listed attribute for a single user or group.
Service-Type = NAS Prompt
http://www.ietf.org/assignments/radius-types/radius-types.xml#radius-types-4
This might not work for ASDM.
HTH
Regards,
Jatin
Do rate helpful posts- -
Ise and switch authentication and privilege level
Hi Guys,
I'm working on an eval on vmware. I have got everything working for wlan authentication and I’m working on shell authentication for switches. On the ACS you have the possibility to give the user privilege level on the switch. You can do this with shell profiles in ACS.
Is there a way to get this done in ISE? I was thinking to make a result policy elements but I can't find a shell profile or privilege attributes like in ACS.
For the record, switch authentication is working with Active Directory. I only need to know how to give the right return attribute.
I appreciate any help!
Sander
@Sander,
You were in the right area.
Policy->Results->Authorization->Authorization Profiles.
Create AuthZ profile for Access-Accept and Under the Advanced Attributes Settings you can use:
Cisco:cisco-av-pair = shell:priv-lvl=15
or whatever privilege level you want to assign.
On your AuthZ rule, match the conditions and apply the created profile. -
Assigning privilege level using Radius
I'm trying to assign a privilege level on a Cisco router via RADIUS. I'm using the Cisco Secure ACS (Windows 2K).
I have set the privilege level to 15. But when I telnet to the router, I always get the router> prompt instead of the router# prompt.
How can I configure the RADIUS server/router so that when I get successfully authenticated, the router# prompt is shown?
I've configured the router as below:
aaa authentication login vtymethod group radius enable
aaa authorization exec vtymethod group radius local
radius-server host 202.x.x.195 auth-port 1645 acct-port 1646 key cisco
line vty 0 4
authorization exec vtymethod
login authentication vtymethod
On the Radius, I've configured as below:
In the group settings for IETF Radius attributes, the Service-Type is set to Nas Prompt.
Also in the group settings, I've checked the Cisco-av-pair with the following configured: shell:priv-lvl=15.
Is there something I'm missing?
Appreciate the help.
Thanks.
sweeann
Hi
I'm curious... what is the perceived benefit of using RADIUS instead of TACACS+?
Given that ACS supports both and that T+ is a superior protocol for device admin.
I once heard someone mutter that T+ was proprietary... but all they were doing was sending (effectively) T+ av-pairs via Cisco RADIUS VSAs. Not significantly different, one could argue! -
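The `[009\001] cisco-av-pair` notation in the ACS screens above is RADIUS attribute 26 (Vendor-Specific) carrying Cisco's vendor ID 9 and sub-type 1. As an added example that is not from any post in these threads, the Python below encodes the two return attributes the RADIUS threads configure (Service-Type = NAS Prompt and shell:priv-lvl=15) into a constructed Access-Accept attribute list, decodes it back with length checks, and returns the privilege level the router will apply (level 1 when the VSA is absent, as Anisha's reply states). The byte strings are constructed here, not captured from any device.

```python
import struct

# RADIUS attribute types (RFC 2865) and the Cisco VSA sub-type ACS/ISE use.
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9          # the "009" in ACS's [009\001] notation
CISCO_AVPAIR = 1             # the "\001": vendor sub-type 1 = cisco-av-pair
SERVICE_TYPE_LOGIN = 1       # IETF "Login" (Login-User)
SERVICE_TYPE_NAS_PROMPT = 7  # IETF "NAS Prompt"


def encode_service_type(value):
    """Service-Type is a 4-byte integer attribute: type, length=6, value."""
    return struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, value)


def encode_cisco_avpair(text):
    """Wrap a cisco-av-pair string in a Vendor-Specific (26) attribute:
    type, length, vendor id 9, then sub-type 1, sub-length, string."""
    payload = text.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(payload)) + payload
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_attributes(data):
    """Return (name, value) pairs from a raw RADIUS attribute list, expanding
    Cisco VSAs into their cisco-av-pair strings; rejects malformed lengths."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + alen]
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            out.append(("Service-Type", struct.unpack("!I", value)[0]))
        elif (atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6
              and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID):
            sub, spos = value[4:], 0
            while spos + 2 <= len(sub):
                stype, slen = sub[spos], sub[spos + 1]
                if slen < 2 or spos + slen > len(sub):
                    raise ValueError("bad VSA sub-attribute length")
                if stype == CISCO_AVPAIR:
                    out.append(("cisco-av-pair",
                                sub[spos + 2:spos + slen].decode("ascii")))
                spos += slen
        else:
            out.append((atype, value))  # anything else is left raw
        pos += alen
    return out


def shell_privilege_level(attrs):
    """Privilege level the IOS device applies from a decoded Access-Accept.
    With exec authorization on and no shell:priv-lvl returned, the user
    lands at level 1, as the replies above describe."""
    for name, value in attrs:
        if name == "cisco-av-pair" and value.startswith("shell:priv-lvl="):
            level = int(value.split("=", 1)[1])
            if not 0 <= level <= 15:
                raise ValueError("priv-lvl out of range: %d" % level)
            return level
    return 1


# Constructed Access-Accept attribute lists (not captured from any device):
# the pair the RADIUS threads configure, and an accept that omits the VSA.
ACCEPT_PRIV15 = (encode_service_type(SERVICE_TYPE_NAS_PROMPT)
                 + encode_cisco_avpair("shell:priv-lvl=15"))
ACCEPT_NO_VSA = encode_service_type(SERVICE_TYPE_NAS_PROMPT)
```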
I am trying to lock down my switches for my junior network engineers and have run into a problem for my sites without Radius/Tacacs.
I would like to set a privilege level that only allows admins to configure interfaces, ip access list, and show commands.
With ACS I set the commands I allow per user, but with no ACS it seems I must enter lots of extra lines.
ie. (on a 3750 c3750-advipservicesk9-mz.122-25.SEE1.bin)
privilege configure level 5 interface
privilege exec level 5 configure
I would expect this to allow me as a level 5 user to go to config mode and then perform any interface command.
instead:
SwitchB-3750#sho priv
Current privilege level is 5
SwitchB-3750#config t
^
% Invalid input detected at '^' marker.
SwitchB-3750#config
Configuring from terminal, memory, or network [terminal]? t
Enter configuration commands, one per line. End with CNTL/Z.
SwitchB-3750(config)#interface fa1/0/1
SwitchB-3750(config-if)#?
Interface configuration commands:
default Set a command to its defaults
exit Exit from interface configuration mode
help Description of the interactive help system
no Negate a command or set its defaults
SwitchB-3750(config-if)#
If I then enter:
SwitchB-3750(config)#privilege interface level 5 i
I can then do anything with an "i"
SwitchB-3750(config-if)#?
Interface configuration commands:
default Set a command to its defaults
exit Exit from interface configuration mode
help Description of the interactive help system
ip Interface Internet Protocol config commands
no Negate a command or set its defaults
I want them to be able to do anything. Am I missing a critical part?
Thank you,
Brant Hale
Ok, just to make sure I am 100%
If I wanted to give a user the ability to
(config)#interface fa1/0/1
(config-if)#switchport mode access
privilege interface level 5 switchport mode access
privilege configure level 5 interface
privilege exec level 5 configure
If I want to give them all the options then I need to do something like this:
privilege interface level 5 a
privilege interface level 5 b
privilege interface level 5 c
privilege interface level 5 d
privilege interface level 5 e
privilege interface level 5 f
privilege interface level 5 g
Are there no wildcards? I want to be able to do the following:
privilege interface level 5 *
or
privilege interface all level 5
No chance?
Thanks for the reply.
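Added example, not code from any of the threads: a small Python audit that applies the IOS privilege-level model the threads above rely on (most exec commands sit at level 1, configure and the config views at 15; a `privilege <mode> level N <command>` line moves that command to level N, and the `all` keyword extends the move to the command's subcommands) to a constructed config, and reports accounts meant to be read-only that can reach configuration mode. The default-level table, the sample config and the account names are constructed for the demo.

```python
import re

# Constructed default levels for the commands the threads talk about: most exec
# commands are level 1, configure and the config views default to 15 on IOS.
DEFAULT_LEVELS = {
    ("exec", "configure"): 15,
    ("exec", "show running-config"): 15,
    ("exec", "show startup-config"): 15,
}
PRIV_RE = re.compile(r"^privilege (\S+) (all )?level (\d+) (.+)$")
USER_RE = re.compile(r"^username (\S+)(?: (?:privilege|priv) (\d+))?")


def parse_config(text):
    """Collect privilege reassignments and local users with their level."""
    privs, users = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = PRIV_RE.match(line)
        if m:
            mode, all_kw, level, cmd = m.groups()
            privs.append((mode, cmd.split(), int(level), bool(all_kw)))
            continue
        m = USER_RE.match(line)
        if m:  # a username without an explicit privilege keyword is level 1
            users[m.group(1)] = int(m.group(2)) if m.group(2) else 1
    return privs, users


def effective_level(mode, command, privs):
    """Minimum level needed to run `command` in `mode`: the most specific
    privilege line wins (exact command, or an `all` line whose words prefix
    the command); otherwise the default table, then level 1."""
    words = command.split()
    best = None
    for pmode, pwords, level, all_kw in privs:
        if pmode != mode:
            continue
        matches = pwords == words or (all_kw and words[:len(pwords)] == pwords)
        if matches and (best is None or len(pwords) > best[0]):
            best = (len(pwords), level)
    if best is not None:
        return best[1]
    for n in range(len(words), 0, -1):
        level = DEFAULT_LEVELS.get((mode, " ".join(words[:n])))
        if level is not None:
            return level
    return 1


def audit_readonly(config_text, readonly_users):
    """Findings for accounts meant to be read-only: no local fallback account,
    level 15, ability to enter config mode, or any non-exec-mode command
    (interface, configure, ...) opened at or below their level."""
    privs, users = parse_config(config_text)
    findings = []
    for name in readonly_users:
        level = users.get(name)
        if level is None:
            findings.append("%s: no local account for fallback when AAA is down" % name)
            continue
        if level >= 15:
            findings.append("%s: level 15 grants full access" % name)
        if effective_level("exec", "configure terminal", privs) <= level:
            findings.append("%s: level %d can enter configure terminal" % (name, level))
        for mode, words, plevel, _ in privs:
            if mode != "exec" and plevel <= level:
                findings.append("%s: %s-mode command '%s' is open at level %d"
                                % (name, mode, " ".join(words), plevel))
    return findings


# Constructed sample config (not from any device on this page).
SAMPLE_CONFIG = """\
username engineer privilege 15 secret <REMOVED>
username tech privilege 5 secret <REMOVED>
username auditor privilege 7 secret <REMOVED>
username cisco secret <REMOVED>
privilege exec level 5 show running-config
privilege exec level 5 show startup-config
privilege exec level 7 configure terminal
privilege interface level 7 shutdown
"""
```

Running `audit_readonly(SAMPLE_CONFIG, ["tech", "auditor"])` flags only auditor: level 7 reaches configure terminal and the interface-mode shutdown command, while level 5 only gained the two config views.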