Options

Shell Command Authorization Sets ACS

gouki2005gouki2005 Member Posts: 197
Hi i am battling with this since yesterday i can login with my database in the acs server but authorization is another story i want group users have just a few commands not all commands to use heres my config i am using just one router without acl or any other security device just routing and the aaa

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login milista group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
!
aaa session-id common
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username admin privilege 15 secret 5 $1$CS17$3oeNpzTvJAyZTvOUP2qyB1
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.20.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
ip address 20.20.20.2 255.255.255.252
clock rate 2000000
!
interface Serial0/2
no ip address
shutdown
clock rate 2000000
!
interface Serial0/3
no ip address
shutdown
clock rate 2000000
!
router eigrp 1
network 20.0.0.0
network 192.168.20.0
no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
tacacs-server host 192.168.20.2 key cisco
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication milista
line aux 0
line vty 0 4
!
!
end

i copy the authorization commands from the cisco forum and follow the steps but no thing all my users have full access to all commands

heres my share profile

name

admin jr

Description
for jr admin

unmatched commands
()permit (x)deny
permint unmatched args()

enable
show

permit version<cr>
permit runnig-config<cr>


then i add this profifle to group 2 and then i add my user to the group 2

then i log in to the router enter with the user and i still can use ALL the commands i dont know what i am doign bad any idea?

yeah if you a working authorization config with acs please post it i need a example because i cant find a good guide and i already try cisco documentation/forums without luck
i try this guide step by step and nothing http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Comments

  • Options
    gouki2005gouki2005 Member Posts: 197
    still not working icon_cry.gif you know i dont understand the authorization because with authentification you creates a method and then you add that method too for example console and you know it will work only when you access via console but with authorization


    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local


    4 lines for the same method...i dont understand maybe here is my problem but i dont know
  • Options
    ninz19ninz19 Registered Users Posts: 1 ■□□□□□□□□□
    Hi,

    What is the ACS version you are using?

    try:

    permit ^version
    permit ^running-configuration
Sign In or Register to comment.