Evening group,

What I have is a TACACS server, and the setup we are trying to achieve goes as
follows: I want the LAN admins to have minimal control on their switches in their
area. We have accomplished that on the vty ports. Here is the config:

Server

user=test
password=test12
service=shell
set priv-lvl=15
default cmd=(permit/deny)

And the commands we want are here:

prohibit cmd=x
cmd=y {

Switch

aaa new-model
aaa authentication login telnet group tacacs+ line none
aaa authorization exec privilege group tacacs+ none
aaa authorization commands 15 cmd group tacacs+ none
line con 0
 exec-timeout 5 0
 password 7 xxxxxxxxxxxxxxxxx
 authorization commands 15 cmd
 authorization exec privilege
 login authentication telnet
 transport input telnet
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 authorization commands 15 cmd
 authorization exec privilege
 login authentication telnet
 transport input telnet

It works great for vty but not for console. I read somewhere about a hidden
authorization command for console but it is not working. Here is a debug.

xxxxxxxxxxx#debug aaa authorization
*Mar  1 00:15:22: AAA/MEMORY: free_user (0x6B451C) user='test' ruser=''
port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
*Mar  1 00:15:24: AAA: parse name=tty0 idb type=-1 tty=-1
*Mar  1 00:15:24: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0
port=0 channel=0
*Mar  1 00:15:24: AAA/MEMORY: create_user (0x69BC24) user='' ruser=''
port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
*Mar  1 00:15:37: AAA/AUTHOR: authenticated console user is permitted
*Mar  1 00:15:50: AAA/MEMORY: free_user (0x528F70) user='' ruser=''
port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
*Mar  1 00:16:05: AAA/MEMORY: free_user (0x6B4478) user='' ruser=''
port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
Failed attempts for console
*Mar  1 00:16:27: AAA: parse name=tty2 idb type=-1 tty=-1
*Mar  1 00:16:27: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0
port=2 channel=0
*Mar  1 00:16:27: AAA/MEMORY: create_user (0x4D4CE4) user='' ruser=''
port='tty2' rem_addr='1x.1x.6x.2x' authen_type=ASCII service=LOGIN priv=1
*Mar  1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): Port='tty2'
list='privilege' service=EXEC
*Mar  1 00:16:35: AAA/AUTHOR/EXEC: tty2 (3125102166) user='test'
*Mar  1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): send AV service=shell
*Mar  1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): send AV cmd*
*Mar  1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): found list "privilege"
*Mar  1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): Method=tacacs+
(tacacs+)
*Mar  1 00:16:35: AAA/AUTHOR/TAC+: (3125102166): user=test
*Mar  1 00:16:35: AAA/AUTHOR/TAC+: (3125102166): send AV service=shell
*Mar  1 00:16:35: AAA/AUTHOR/TAC+: (3125102166): send AV cmd*
*Mar  1 00:16:35: AAA/AUTHOR (3125102166): Post authorization status =
PASS_ADD
*Mar  1 00:16:35: AAA/AUTHOR/EXEC: Processing AV service=shell
*Mar  1 00:16:35: AAA/AUTHOR/EXEC: Processing AV cmd*
*Mar  1 00:16:35: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
*Mar  1 00:16:35: AAA/AUTHOR/EXEC: Authorization successful
Passed attempts for console
I think my understanding of exec shell is what's hurting me. Any comments or
advice would be greatly appreciated.
SrA Ryan Newell
18th Communications Squadron
Infrastructure Engineer
CCNA, SCP
634-7999
[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53602&t=53602
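An added example (not from the post, and not Cisco's code) that parses `debug aaa authorization` output like the one above and reports, per tty, whether an AAA/AUTHOR/EXEC request was ever sent to the server and what came back; it flags the console (tty0) pattern, where IOS logs "authenticated console user is permitted" and never consults the method list, which is how IOS behaves until the global `aaa authorization console` command is configured. The sample lines are constructed from the post's debug.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the post's `debug aaa authorization` output (rem_addr redacted as there).
DEBUG_SAMPLE = """\
*Mar  1 00:15:24: AAA/MEMORY: create_user (0x69BC24) user='' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
*Mar  1 00:15:37: AAA/AUTHOR: authenticated console user is permitted
*Mar  1 00:15:50: AAA/MEMORY: free_user (0x528F70) user='' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
*Mar  1 00:16:27: AAA/MEMORY: create_user (0x4D4CE4) user='' ruser='' port='tty2' rem_addr='1x.1x.6x.2x' authen_type=ASCII service=LOGIN priv=1
*Mar  1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): Port='tty2' list='privilege' service=EXEC
*Mar  1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): Method=tacacs+ (tacacs+)
*Mar  1 00:16:35: AAA/AUTHOR (3125102166): Post authorization status = PASS_ADD
*Mar  1 00:16:35: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
*Mar  1 00:16:35: AAA/AUTHOR/EXEC: Authorization successful
"""

PORT_RE = re.compile(r"\b(tty\d+)\b")
REQ_RE = re.compile(r"\((\d{6,})\)")            # AAA request id such as (3125102166)
FIELD_RES = {"list": re.compile(r"list='([^']+)'"),
             "method": re.compile(r"Method=(\S+)"),
             "status": re.compile(r"Post authorization status = (\S+)"),
             "priv_lvl": re.compile(r"priv-lvl=(\d+)")}


def summarize_authorization(debug_text):
    """Return {port: fields} describing the exec authorization each tty went through."""
    ports = defaultdict(lambda: {"exec_author_requested": False, "console_bypass": False,
                                 "list": None, "method": None, "status": None, "priv_lvl": None})
    req_to_port = {}   # request id -> port, for lines that carry only the id
    current = None     # port named by the most recent line; the debug output is sequential per session
    for line in debug_text.splitlines():
        if (m := PORT_RE.search(line)):
            current = m.group(1)
        req = REQ_RE.search(line)
        if req and current:
            req_to_port.setdefault(req.group(1), current)
        port = req_to_port.get(req.group(1)) if req else current
        if port is None:
            continue
        entry = ports[port]
        if "AAA/AUTHOR/EXEC" in line:
            entry["exec_author_requested"] = True
        if "authenticated console user is permitted" in line:
            entry["console_bypass"] = True   # IOS admitted the console without consulting the method list
        for key, rx in FIELD_RES.items():
            if (f := rx.search(line)):
                entry[key] = f.group(1)
    return dict(ports)


def ports_without_exec_authorization(summary):
    """Ports admitted without any AAA/AUTHOR/EXEC request being sent to the server."""
    return sorted(p for p, e in summary.items() if not e["exec_author_requested"])
```

Run against a live debug capture, a tty that shows up in this list while the vty ports do not is the sign that the console line is being admitted locally rather than authorized by TACACS+.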