Tacacs authorization and Priv levels

Hi
I'm strugling with TACACS+ and priv levels, and hoping someone out there can help me solve an issue.
So, in this enviroment we need the following:
Read-only users
Users with access to some configuration commands.
Okay, the TACACS configuration for the read-only users looks like this:
group = readonly-users {
   default service = deny
   cmd = show
      permit running-config
      permit interface
      permit privilege
      permit vlan
      deny .*
   service = exec
      priv-lvl = 15
# Note that priv lvl 15 has been set to allow the users to run the "show running-config", all other commands than the one mentioned is denied.
The TACACS configuration for the Users with configuration access looks like this.
group = restricted-user {
   default service = deny
   cmd = show
      permit interface
      permit vlan
      permit privilege
      deny .*
   service = exec
      priv-lvl = 7
And the following has been configured on the switches to allow further configurations, these commands we had to enable after I had made the previous read-only user in tacacs:
privilege interface level 7 switchport access vlan
privilege interface level 7 switchport mode access
privilege interface level 7 switchport voice vlan
privilege configure level 7 interface
privilege exec level 7 configure terminal
privilege exec level 7 show running-config
privilege exec level 7 write memory
It all worked just fine, the read-only users only had access to the commands configured in TACACS. But when I configured the users with configuration access and enter the privilege commands on the switch it stopped working.
Somehow the privilege commands on the switch applies to all privilege levels above lvl 7. Meaning that my read-only users with priv lvl 15, all commands exept show commands denied, they can suddenly enter priviledged exec mode because I allowed the priv lvl 7 users to enter it.
This does not make sense to me, because I've read on cisco's HP that when configuring privilege level commands on the equipment, you allow only that level to access the command, and not all above.
I hope someone can help me with this issue, and it should be solved in the TACACS configuration, because the TACACS server is controlling over 500 switches and routers. So it aint just a question of reconfiguring the switches, that would take the rest of 2011.
I hope you guys know the answer to this.
Thanks in advance.
Kind regards

Thanks for your answer.
Well when I started to configure this TACACS setup, I tried to create 2 profiles with privilege level 15 and just allow/deny the different commands. But the thing is that you cannot allow all commands in the TACACS configuration. For example, you cannot give a user privilege level 15 and deny all commands, but allow the user to configure VLANs on interfaces, and duplex settings which is what I want the users to be able to do.
That's why I needed to configure the commands to be accessable from privilege level 7 on the equipment.
If only I could create a profile with privilege level 15 and give the user access to the commands he needs, and only those from the TACACS configuration file, that would make it allot easier, but that just aint the way TACACS works, unfortunately.

Similar Messages

Cisco 300 support TACACS+ authorization and accounting

Hi All,
Can someone please confirm that does Cisco 300 switch supports tacacs authorization and accounting ? or just authentication ?
Kindly guide

Hello
Please review this - Cisco 300
res
Paul

SG300 tacacs authorization and accounting support

Hi All,
Can someone please confirm that does Cisco 300 switch supports tacacs authorization and accounting ? or just authentication ?
Kindly guide

Hello
Please review this - Cisco 300
res
Paul

Tacacs AAA and privilege level 7

I've setup a group on tacacs server called acsrestricted and mapped it to AD security group. I've set this group to privilege level 7 on tacacs server.
I need this group to view the "show run" config on a router. Privilege level 7 allows the user to use some other show commands but not "show run". How can i configure this on tacacs?

Michael
I am not sure that I am understanding your post correctly. As I understand it you have created a group for some users who would operate at privilege level 7. I gather that this works and that users in this group do authenticate and are assigned to privilege level 7. You say that some show commands are assigned to them but not the show run command. This would seem to be simple to solve - you make sure that show with a parameter of run is assigned to them. But there is something not simple that makes this not work. Part of the Cisco implementation of privilege levels is that in show run a user can not view any parameter that they do not have permission to change.
Perhaps it might work for your situation if you give those users access to show config. show config does not have the same restriction as show run.
HTH
Rick
Sent from Cisco Technical Support iPad App

ASDM and privilege level (using TACACS)

Hi experts,
Initial question:     How can I force ASDM to ask for the enable password when the user click on Apply ?
Environment description:
I have an ASA 5510 connected to an ACS 5.0.
Security policy:
I want the user defined on my ACS to be able to gain privilege level 15 but only after using their enable password. But by default the user must be in no privileged mode (<15).
A SNMP alert is sent when the ASA catches a "User priv level changed" syslog message. (logging customization)
ACS configuration:
Maybe I misunderstand the TACACS privilege level parameters on ACS.
I set a Shell Profile which gives the user the following privilege levels:
Default Privilege Level = 7
Maximum Privilege Level = 15
1st config tested on ASA:
aaa authentication ssh console grp-tacacs LOCAL
aaa authentication http console grp-tacacs LOCAL
aaa authentication enable console grp-tacacs LOCAL
! no authorization set
Results:
     On CLI:     perfect
My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and his enable password
     On ASDM:     policy security failure
When the user connects through ASDM, he gains privilege level 15 directly
It seems that if authorization is not set, ASDM always gives privilege level 15 to any user
So OK for CLI, but NOK pour ASDM
2nd config tested on ASA:
aaa authentication ssh console grp-tacacs LOCAL
aaa authentication http console grp-tacacs LOCAL
aaa authentication enable console grp-tacacs LOCAL
aaa authorization exec authentication-server
! no authorization command set
Results:
     On CLI:     lose enable access
I can't gain privilege level 15 access anymore. When I use the enable command, I move to privilege level 7 only. So in this case ASA use the TACACS Default Privilege Level value.
     On ASDM:     policy security failure
When the user connects through ASDM, he gains privilege level 7 as describe on the bottom of the ASDM window BUT the user has full rights and can change settings.
So NOK for CLI and ASDM
Question:    Why do I have more access rights with ASDM as on CLI with the same settings ?
3rd config tested on ASA:
aaa authentication ssh console grp-tacacs LOCAL
aaa authentication http console grp-tacacs LOCAL
aaa authentication enable console grp-tacacs LOCAL
aaa authorization exec authentication-server
aaa authorization command LOCAL
! specific authorization command set for ASDM applied
Results:
     On CLI:     lose enable access (same as config 2)
     On ASDM:     unenable to gain privilege level 15 --> acceptable
When the user connects through ASDM, he gains privilege level 7 as describe on the bottom of the ASDM window AND the user really has level 7 access rights.
So NOK for CLI and Acceptable for ASDM
Question:     Is there no possibility to move to enable mode on ASDM ?
4th config tested on ASA:
aaa authentication ssh console grp-tacacs LOCAL
aaa authentication http console grp-tacacs LOCAL
aaa authorization exec authentication-server
aaa authorization command LOCAL
! no aaa authentication for 'enable access', using local enable_15 account
! specific authorization command set for ASDM applied
Results:
     On CLI:     acceptable
My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and the local enable password
     On ASDM:     unenable to gain privilege level 15 --> acceptable (same as config 3)
So Acceptable for CLI and ASDM
Questions review:
1 - Is it possible to force ASDM to ask for the enable password when the user click on Apply ?
2 - Why do I have different access rights using ASDM as on CLI with the same settings ?
3 - Is there no possibility to move to enable mode on ASDM when the user is on privilege level 7 whereas he has Maximum Privilege Level = 15 ?
4 - How may I understand these parameters on TACACS: Default Privilege Level and Maximum Privilege Level ?
Thanks for your help.

Thanks for your answer jedubois.
In fact, my security policy is like this:
A) Authentication has to be nominative with password enforcement policy
     --> I'm using CS ACS v5.1 appliance with local user database on it
B) Every "network" user can be granted priviledge level 15
     --> max user priviledged level is set to 15 in my authentication mechanism on ACS
C) A "network" user can log onto the network equipments (RTR, SW and FW) but having monitor access only first.
D) A "network" user can be granted priviledged level 15 after a second authentication which generates a log message
     --> SNMP trap sent to supervision server
E) The user password and enable password have to be personal.
So, I need only 2 priviledged level:
- monitor (any level from 1 to 14. I set 7)
- admin (level 15)
For RTR, SW and FW (on CLI), it works as wanted: the "network" users connect to the equipment in monitor mode. They type "enable" and they use their private enable password to be granted priviledged level 15.
ASDM interface is requested by the customer.
For ASDM, as I were not able to satisfy the security policy, I apply this:
1- I activated Exec Shell Access authorization to get the default user priviledge level value from ACS
     --> Then, when I log onto the ASDM using a "network" user, I have priviledge level 7 but I am able to change the parameter.
2- I activated LOCAL Command authorization (adding "ASDM defined User Roles")
     --> Then, when I log onto the ASDM using a "network" user, I have priviledge level 7 and I can't push any modification.
     --> The issue is that I can't push any modification on CLI either ... :-( because my user is stuck on "default priviledge level" 7 and can't get access to "max priviledge level 15" as defined on ACS when LOCAL authorization is set
     (ok I go on my ACS and move the default priviledge level to 15 to restore an admin access to the ASA and apply 3- before resetting it to default priviledge level to 7)
3- I remove "aaa authorization enable console TACACS" to use local enable password
     --> now I can't get admin access on ASDM: OK
     --> and I can get admin access on CLI entering the local enable password
At the end, I satisfy my policy security tokens A to D but not E. That's a good compromise but do you see a solution to satisfy E either ?
Thanks

TACACS Authorization of Web Interface on Aironet 1200 AP

I have the Aironet 1200 AP setup to authenticate and perform authorization for the CLI via TACACS. That is working fine.
However, the web interface is failing "ip http authentication". (Slight caveat - it works for a local user in the local AP DB - it does not work when it goes to CiscoSecure ACS to authenticate/authorize).
I can get to some pages (prompt and pass authentication), but certain pages (e.g. Services>>SNMP) where configuration steps are taken cause a second prompt is presented, username and password is provided, and it fails.
This is only evident from the output of a "debug ip http authentication"
What do I need to configure in ACS to make this work?
Relevant portion of config:
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
no ip http server
ip http authentication aaa
ip http secure-server
Sep 7 13:40:59.885: HTTP AAA picking up console Login-Authentication List name: default
Sep 7 13:40:59.885: HTTP AAA picking up console Exec-Authorization List name: default
Sep 7 13:40:59.909: HTTP: Authentication failed for level 15
Sep 7 13:41:06.757: HTTP AAA picking up console Login-Authentication List name: default
Sep 7 13:41:06.757: HTTP AAA picking up console Exec-Authorization List name: default
Sep 7 13:41:06.780: HTTP: Authentication failed for level 15
This document appears to describe a scenario similar to mine, but is for http - not HTTPS:
Local Authentication for HTTP Server Users
http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a0080178a51.shtml#tac-win
Any ideas what I may be missing here?
Thanks,
Jeff

I found the answer was to use a more specific "ip http authentication" statement. Specifically,it required the following:
CiscoSecure ACS:
Group Settings
Shell (exec)
Priv Level = 15
On the AP:
had to enable:
ip http authentication aaa login-authentication AP_Web (Named Method List)

Problem - acs command authorization and web access control

Hi, I'm trying to add the control of some aironet 1310 bridges with a ACS 3.2 (tacacs+). I wanted to be able to do telnet command authorization restrictions trough shell command authorization sets and be able to give similar restrictive web access at the same time. I have it working if I permit some commands that are sent by the browser as "write memory quiet" and few other ones, but for it to work, I must give them limited users the privilege level 15 and by having the tacacs server authorizing the commands, it work for both, http and telnet. Where my problem begin is when I loose the connection with the ACS server, the user being already authenticated as level 15 user, the device become open to all commands; there is no more restriction applied by the ACS. Do anybody now a workaround.

It is already at local, that is just that the user already have a level 15 access and I used to control the commands through level settings before. So when I try it, my user that is localy level 5 is already recognized as a level 15 user from when it was authenticated through the ACS. If I could find a way to give web access to the 1310 at priv level 5 and still controlling the command set, it would be ok but as soon as I try to access a page that is not permitted other way than by the view level (i think it's level 1... or 0), I get a username password prompt with that line on the top of it:"level_15_or_view_access" and the only way I can access it is by entering a level 15 un/pass. I attached my 1310 aaa config
and here are the command set that work at level 15 to do a "shut" or "no shut" of the radio interface by the web interface:
configure
permit terminal
exit
permit Unmatched Args
interface
permit Dot11Radio0
no
permit shutdown
permit cca
ping
permit Unmatched Args
show
permit Unmatched Args
shutdown
permit Unmatched Args
telnet
permit Unmatched Args
write
permit memory quiet
Thanks for the help !

RSA SecurID authentication and privilege level

Hello,
I'm new working with Cisco ACS, learning by seat of pants; most of the documentation on Cisco's website is fairly cryptic and does not use many pictures. Therefore,I would appreciate some help setting up privileges. We have ACS v5.2 which I have set up using RSA SecurID and appears to be working correctly. However, I'm having problems with the privilege level when I access a router it lands me in user mode. I'm trying to set up a administrator group for the routers and switches to have each member dropped in privilege level 15, exec mode but I'm having difficulty doing this.
Unfortunately, I'm unable to find any real useful information in reference to setting up RSA SecurID. It seems more of the information is geared around radius servers. Any help would be greatly appreciated. Thank you much!

Hello.
Remember AAA means authentication, authorization and accounting. In your case you authenticate with RSA , but you authorize with ACS policies. For TACACS+ and traditional IOS from routers and switches you can use a ACS policy element called "shell profile" which you can use to specify some attributes like privilege level. Then you can use the "shell profile" to create an authorization policy.
I'm attaching some screenshots. In this example I'm using AD instead of RSA because I don't have a RSA available. Please rate if it helps.

AAA - exec priv levels

Hi,
The followings are from the Yusuf bible. I think some of you had read and configured all that labs, so I really hope it's just a simple question for you.
So, In Chap. 1 / Section 7.1:
"Configure two users: (user1) - with priv lvl 10, and user2 w/ priv. level 15. Configure such that user1 is able to sun the command show run only, and user2 is able to run all commands."
The solution is (- per the configs on cd):
privilege exec level 10 show run
privilege exec level 15 show
Prevously I thought that if you move the show command with any argument (here show run) to a specific level, than you move 'show run' and all show commands too to that specific level. In the abovementioned two lines, the second command overwrites the previous statement. It is true, that the show run command moves to priv lvl 10, but the next one moves all the show commands back to level 15.
Please correct me if I am wrong.
In fact I am far from being happy with that. My real question is:
Is it possible at all to solve the task with local command authorization? (If yes, how? :D)
Maybe I|m just blind to see something in the config - that's not the first time... :D
Thank you for your help!
Bests,
SubAa

Hi SubAa,
The 'privilege exec level 15 show' command is incorrect, it shouldn't be there. Remvoe it and it will work. I have added the correction to the errata list.
Thanks,
Yusuf

How can I disable POST GOODS RECEIPT button in transactions VL31N/VL32N via Authorization or Role Level.

How can I disable POST GOODS RECEIPT button in transactions VL31N/VL32N via Authorization or Role Level, There is a requirement from my client and i propose two methode
1- Creation of Ztcode ZVL32N and do changes ABAP program level
2- Disablement via Authorization/Role level - but how can i find the auth object/ Authorization corresponds to POST GOODS RECEIPT button in VL32N

I think you can make use of SHD0 - Transaction variant to achieve this. You can make it as grayed out while recording steps in SHD0.

Restrict Authorization at Material level during production confirmation

Hi SAP Gurus,
I would like to ask if its possible to restrict authorization at Material Level during production confirmation.
Our scenario is we have SFG and FG which are handled by different group of people but it has the same Order Type. Now we want to restrict authorization such as one department can only confirm SFG and the other department can confirm FG only.
Is it possible to set authorization at material type or production scheduler level. IF not possible, is there other way except creation of new Order Type?
Thanks,
Raymond

Hi Raymond,
DO you mean I should create a customized table for this?
Yes
Are there no standard way?
As per my knowledge, you can control through production order type, so you need to create seprate order type for this
Thanks,
Sankaran

PM Organization Units Authorization on User Level

Hello experts,
Is there a way to add authorization for an organization unit (i.e. Planning Plant) on a user (SU01) level and not on a authorization objects (PFCG) level?
For example,
I would like to create the following Role (profile):
ZPM_AUT_EQM_EQUIPMENT_DISPLAY
This role should be able to display equipment from the Plant Maintenance module.
However our problem is, we would like to create authorization levels with organizational units for each user:
For example:
User jsmith has ZPM_AUT_EQM_EQUIPMENT_DISPLAY assigned but can only display equipment from Planning Plant SL01.
We know we can create this authorization creating several roles, like:
ZPM_AUT_EQM_EQUIPMENT_DISPLAY_SL01
ZPM_AUT_EQM_EQUIPMENT_DISPLAY_SJ01
ZPM_AUT_EQM_EQUIPMENT_DISPLAY_AG01
but our idea is not create several roles, but to assign the Planning Plant authorization on a user level and leave just one role so we would only need ZPM_AUT_EQM_EQUIPMENT_DISPLAY.
Is there a way to do this?
Thank you in advanced for your replies.
Best regards,
Fernando Montenegro

Hi ,
Could you share about your solution ? I think I have face the same problem as yours.

Organization Units Authorization on user level

Hello experts,
Is there a way to add authorization for an organization unit (i.e. Company Code) on a user (SU01) level and not on a authorization objects (PFCG) level?
For example,
I would like to create the following Role (profile):
ZFI_AP_REPORT_DISPLAY
This role should be able to display AP report from the Financial module.
However our problem is, we would like to create authorization levels with organizational units for each user:
For example:
User Anson has ZFI_AP_REPORT_DISPLAY assigned but can only display Report from Company Code 3202.
We know we can create this authorization creating several roles, like:
ZFI_AP_REPORT_DISPLAY_3201
ZFI_AP_REPORT_DISPLAY _3202
ZFI_AP_REPORT_DISPLAY_3203
but our idea is not create several roles, but to assign the Company Code authorization on a user level and leave just one role so we would only need ZFI_AP_REPORT_DISPLAY.
Is there a way to do this?
Thank you in advanced for your replies.
Christine Tseng

I agree with Jurjen. There is no point creating a "new" authorisation concept for a few transactions. If you use standard authorisation objects for the check in your custom tcodes then you will likely have very little work to do if you assign those tcodes to existing roles.
Even using a custom auth object & creating the variants will take up no more time than doing something like repeating the variable functionality in BI or messing about with PIDs in the UMR (which I definitely do not recommend). By sticking with the standard concept you ensure consistency, making it much easier to support and/or handover if you move on from the role.

Edit Authorization at Entity Level

Problem: I am trying to Edit Authorization at entity level but my changes are not getting saved.
Discription:
I have use case that I want to make an entity read only for a role defined in my jazn.
To do so, I am opening my entity, and in struture window...on right clicking the entity name I get this option to Edit Authorization.
On Edit Authorization window, I get name of all the roles listed and options to select Read, Update and Delete in from of each Role.
When I select "Read" for the role I want only read access and close this Edit Authorization window...my changes are not getting saved.
Does anyone know why this is happening? Or any other way I can restrict users of a specific role to change the data for an entity.
Thanks
Vikas Kumar

Hi,
not sure what you mean by "changes are not saved". Are you saying they are physically not saved in that they don't show in the jazn-data.xml file ? If so, then this sounds odd and you should file a bug. If it is only that authorization is not enforced,have a look at this video as authorization on entities is a two step task
http://download.oracle.com/otn_hosted_doc/jdeveloper/11gdemos/AdfSecurity/AdfSecurity.html
Frank

Authorization problem - Privilege level

Hi,
Again I'm having some problems with AAA authorization to assign the correct privilege level to the users on my RADIUS server (FreeRadius).
I am currently updating all routers to do this authorization and I'm having problems because one of them has version 12.0(30)S2, which does not use the same commands.
This is the AAA configuration that I have working on the other routers:
aaa new-model
aaa group server radius RADIUSSERVERS
aaa authentication login AAA group RADIUSSERVERS local enable none
aaa authentication login CONSOLE local
aaa authentication ppp default group radius local
aaa authorization exec AAA group RADIUSSERVERS local none
aaa authorization network default group radius local
aaa authorization network AAA group RADIUSSERVERS local none
aaa accounting exec AAA start-stop group RADIUSSERVERS
aaa accounting network default start-stop group radius
aaa accounting network AAA start-stop group RADIUSSERVERS
aaa session-id common
line vty 0 4
session-timeout 5000
access-class 99 in
exec-timeout 5000 0
password 7 x
authorization exec AAA
login authentication AAA
transport input telnet
line vty 5 15
session-timeout 5000
access-class 99 in
exec-timeout 5000 0
password 7 x
authorization exec AAA
login authentication AAA
transport input telnet
This is the one that does not work (version IOS 12.0(30)S2):
aaa new-model
aaa authentication fail-message ^C
aaa authentication password-prompt Passcode:
aaa authentication username-prompt UserID:
aaa authentication login AAA radius local enable none
aaa authentication login CONSOLE local
aaa authorization exec AAA radius local none
aaa authorization network default radius local
aaa authorization network AAA radius local none
radius-server host x.x.x.x auth-port 8812 acct-port 8813
radius-server retransmit 2
radius-server key 7 X
line vty 0 4
session-timeout 5
access-class 99 in
exec-timeout 5 0
password 7 x
authorization exec AAA
login authentication AAA
line vty 5 15
session-timeout 5
access-class 99 in
exec-timeout 5 0
password 7 x
authorization exec AAA
login authentication AAA
The radius server is configured to be the same, although I use the group command with the new version and "radius-server" with the older version.
Can anyone tell me what I'm doing wrong?
Thank you,
Paulo

Thanks. Looking at the debugs solved the problem.
I was so convinced that I had set the right privilege level on the server that I didn't even check it. It worked on the other routers because their commands were set to lower privilege levels.
That was the problem.
Thanks for everything and sorry for bugging you with such a simple problem.

Tacacs authorization and Priv levels

Similar Messages

Maybe you are looking for