Re: Exec Shell + Console [7:53661]

2002-09-19 Thread nettable_walker

9/19/2002   9:40pm  Thursday

You could just tell your LAN admins not to change anything on the switches.


Newell Ryan D SrA 18 CS/SCBT wrote in message news:[EMAIL PROTECTED]...
 Evening group,

 What I have is a TACACS server, and the setup we are trying to achieve goes as
 follows:
 I want the LAN admins to have minimal control on their switches in their
 area. We have accomplished that on the vty ports. Here is the config:

 Server
 user=test
 password=test12
 service-shell
 set priv-level=15
 service=shell
 default cmd=(permit/deny) And the commands we want are here.
 prohibit cmd=x
 cmd=y{

 Switch

 aaa new-model
 aaa authentication login telnet group tacacs+ line none
 aaa authorization exec privilege group tacacs+ none
 aaa authorization commands 15 cmd group tacacs+ none
 line con 0
  exec-timeout 5 0
  password 7 x
  authorization commands 15 cmd
  authorization exec privilege
  login authentication telnet
  transport input telnet
  stopbits 1
 line vty 0 4
  exec-timeout 5 0
  authorization commands 15 cmd
  authorization exec privilege
  login authentication telnet
  transport input telnet

 It works great for vty but not for console. I read somewhere about a hidden
 authorization command for console but it is not working. Here is a debug.
 xxx#debug aaa authorization
 *Mar  1 00:15:22: AAA/MEMORY: free_user (0x6B451C) user='test' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
 *Mar  1 00:15:24: AAA: parse name=tty0 idb type=-1 tty=-1
 *Mar  1 00:15:24: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
 *Mar  1 00:15:24: AAA/MEMORY: create_user (0x69BC24) user='' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
 *Mar  1 00:15:37: AAA/AUTHOR: authenticated console user is permitted
 *Mar  1 00:15:50: AAA/MEMORY: free_user (0x528F70) user='' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
 *Mar  1 00:16:05: AAA/MEMORY: free_user (0x6B4478) user='' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
 Failed attempts for console
 *Mar  1 00:16:27: AAA: parse name=tty2 idb type=-1 tty=-1
 *Mar  1 00:16:27: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
 *Mar  1 00:16:27: AAA/MEMORY: create_user (0x4D4CE4) user='' ruser='' port='tty2' rem_addr='1x.1x.6x.2x' authen_type=ASCII service=LOGIN priv=1
 *Mar  1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): Port='tty2' list='privilege' service=EXEC
 *Mar  1 00:16:35: AAA/AUTHOR/EXEC: tty2 (3125102166) user='test'
 *Mar  1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): send AV service=shell
 *Mar  1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): send AV cmd*
 *Mar  1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): found list privilege
 *Mar  1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): Method=tacacs+ (tacacs+)
 *Mar  1 00:16:35: AAA/AUTHOR/TAC+: (3125102166): user=test
 *Mar  1 00:16:35: AAA/AUTHOR/TAC+: (3125102166): send AV service=shell
 *Mar  1 00:16:35: AAA/AUTHOR/TAC+: (3125102166): send AV cmd*
 *Mar  1 00:16:35: AAA/AUTHOR (3125102166): Post authorization status = PASS_ADD
 *Mar  1 00:16:35: AAA/AUTHOR/EXEC: Processing AV service=shell
 *Mar  1 00:16:35: AAA/AUTHOR/EXEC: Processing AV cmd*
 *Mar  1 00:16:35: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
 *Mar  1 00:16:35: AAA/AUTHOR/EXEC: Authorization successful
 Passed attempts for console
 I think my understanding of exec shell is what's hurting me. Any comments or
 advice would be greatly appreciated.






 Ryan




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=53672t=53661
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
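The debug output quoted above already shows the difference between the two lines: the console session (tty0) is waved through with "authenticated console user is permitted" and never produces an AAA/AUTHOR/EXEC exchange, while the vty session (tty2) goes to the tacacs+ method and comes back PASS_ADD with priv-lvl=15; IOS does not apply AAA authorization on the console line until `aaa authorization console` is configured. The script below is an added example, not code from the thread: it parses such `debug aaa authorization` output and reports per port whether exec authorization actually reached the TACACS+ server, using lines copied from the post as sample input. Attributing unprefixed lines (such as the console bypass message) to the most recent LOGIN session is an assumption of this parser.

```python
import re
from collections import defaultdict

# Sample input: debug lines copied from the post above (constructed subset).
DEBUG_LINES = """\
*Mar  1 00:15:24: AAA/MEMORY: create_user (0x69BC24) user='' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
*Mar  1 00:15:37: AAA/AUTHOR: authenticated console user is permitted
*Mar  1 00:16:27: AAA/MEMORY: create_user (0x4D4CE4) user='' ruser='' port='tty2' rem_addr='1x.1x.6x.2x' authen_type=ASCII service=LOGIN priv=1
*Mar  1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): Port='tty2' list='privilege' service=EXEC
*Mar  1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): Method=tacacs+ (tacacs+)
*Mar  1 00:16:35: AAA/AUTHOR (3125102166): Post authorization status = PASS_ADD
*Mar  1 00:16:35: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
*Mar  1 00:16:35: AAA/AUTHOR/EXEC: Authorization successful
""".splitlines()

CREATE = re.compile(r"create_user .* port='(?P<port>[^']+)' .*service=LOGIN")
START = re.compile(r"AAA/AUTHOR/EXEC \((?P<sid>\d+)\): Port='(?P<port>[^']+)' list='(?P<lst>[^']+)'")
METHOD = re.compile(r"AAA/AUTHOR/EXEC \((?P<sid>\d+)\): Method=(?P<method>\S+)")
STATUS = re.compile(r"AAA/AUTHOR \((?P<sid>\d+)\): Post authorization status = (?P<status>\S+)")
PRIV = re.compile(r"Processing AV priv-lvl=(?P<priv>\d+)")
BYPASS = "AAA/AUTHOR: authenticated console user is permitted"

def summarize(lines):
    """Return {port: state} describing how EXEC authorization was decided on each line."""
    ports = defaultdict(lambda: {"exec_authz": False, "list": None, "method": None,
                                 "status": None, "priv": None, "console_bypass": False})
    sid_to_port = {}   # AAA session id -> port, so status lines can be tied back to a line
    current = None     # port of the most recent LOGIN session (assumption: unprefixed lines belong to it)
    for line in lines:
        if m := CREATE.search(line):
            current = m["port"]
            ports[current]  # register the session even if nothing else is ever logged for it
        elif BYPASS in line and current:
            ports[current]["console_bypass"] = True   # IOS skipped authorization on the console
        elif m := START.search(line):
            sid_to_port[m["sid"]] = current = m["port"]
            ports[current].update(exec_authz=True, list=m["lst"])
        elif m := METHOD.search(line):
            ports[sid_to_port[m["sid"]]]["method"] = m["method"]
        elif m := STATUS.search(line):
            ports[sid_to_port[m["sid"]]]["status"] = m["status"]
        elif (m := PRIV.search(line)) and current:
            ports[current]["priv"] = int(m["priv"])
    return dict(ports)

def ports_without_server_authz(summary):
    """Ports whose EXEC session was never authorized by the tacacs+ method (e.g. console bypass)."""
    return sorted(p for p, s in summary.items() if s["method"] != "tacacs+")

if __name__ == "__main__":
    for port, state in summarize(DEBUG_LINES).items():
        print(port, state)
    print("no server-side exec authorization:", ports_without_server_authz(summarize(DEBUG_LINES)))
```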



RE: Exec Shell + Console [7:53661]

2002-09-19 Thread Newell Ryan D SrA 18 CS/SCBT

That would be nice, but we have over 400 switches and several LAN admins who
could t'shoot hubs but now they need minimal configuration control for t'shooting.

-Original Message-
From: nettable_walker [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 11:37 AM
To: [EMAIL PROTECTED]
Subject: Re: Exec Shell + Console [7:53661]

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=53684t=53661