TACACS Server Configuration

Status
Not open for further replies.

bizzaro (Technical User, US), Jul 24, 2002
Does anybody know how to configure tacacs to restrict some exec commands? In the example below, I want to prevent such commands as ip routing from being entered. With this configuration, I am still able to enter the command ip routing.

group = test {
default service = permit

cmd = configure {
permit .*
}
cmd = ip {
permit default-gateway
deny .*
}

# Default access to enable mode
service = exec {
priv-lvl = 15
}
}
 
The priv level has to be lower than 15, anything between 1 and 14.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
If I set it for anything other than 15, the user is unable to enter config mode.
 
Is this on Unix or Linux? Is there a GUI? Are you using Cisco ACS?
 
It is running on Linux (Debian). No, there is no GUI and I am not using Cisco ACS. I am using a tacacs config file, which I have been doing for years. It is only now that I want some people to be able to enter config mode but restrict some of the commands.
 
Should look something like this:

user = users {
default service = deny
login = cleartext test
cmd = show
{
permit ip
permit interface
deny .*
}
}
 
Your example is for using the show command. My problem is after you enter config mode. Here is one example.

1. User enters config t.
2. User should be allowed to enter ip default-gateway but should not be allowed to enter ip routing or anything else after ip.

 
It's the same thing... instead of cmd=show it's cmd=ip, so it would be:

user = users {
default service = deny
login = cleartext test
cmd = ip
{
permit default-gateway
deny .*
}
}
 
It looks like your last example is exactly what I listed in my first thread. The only difference is that I applied it to a group instead of a user. There is just not enough documentation and no support for TACACS. I will try it at the user level and report back.
 
Still does not work at the user level. I am still able to enter the command ip routing.
 
What about entering the commands in the router at the command line? Are there certain users, or are they groups defined in AAA?

 
Let me see what your AAA config looks like in the router/switch.
 
aaa new-model
!
!
aaa authentication login default group tacacs+ local-case enable
aaa authorization console
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
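As an added example (not from the thread, and not tac_plus or IOS code), here is a small Python model of how the daemon's cmd blocks decide, applied to the group = test block from the first post and to the router AAA block just above. Its matching semantics (first word is the command, the rest is the argument string, regexes are unanchored and tried in order, first hit wins, a cmd block with no hit denies, a command with no cmd block falls back to default service) are assumptions taken from the tac_plus user guide rather than verified against the daemon's source; whether IOS submits configuration-mode commands for authorization at all is controlled by aaa authorization config-commands (its no form disables it), and the model takes that state as a flag.

```python
import re

# Constructed reduction of the 'group = test' block from the first post:
# cmd name -> ordered list of (action, regex) lines.
TEST_GROUP = {
    "default service": "permit",
    "cmds": {
        "configure": [("permit", r".*")],
        "ip": [("permit", r"default-gateway"), ("deny", r".*")],
    },
}

# Constructed excerpt of the router AAA block posted later in the thread.
AAA_CONFIG = """
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
"""

def tac_plus_decides(group, cmdline):
    """Assumed tac_plus semantics: first word is the command, the rest is the
    argument string; regexes are unanchored searches tried in order, first hit
    wins; a cmd block with no hit denies; no cmd block -> default service."""
    words = cmdline.split()
    cmd, args = words[0], " ".join(words[1:])
    rules = group["cmds"].get(cmd)
    if rules is None:
        return group["default service"] == "permit"
    for action, pattern in rules:
        if re.search(pattern, args):
            return action == "permit"
    return False

def router_consults_server(aaa_config, config_mode, config_cmds_authorized, priv_lvl=15):
    """Exec commands are submitted when an 'aaa authorization commands <level>'
    line covers the user's level. Config-mode submission is governed in IOS by
    'aaa authorization config-commands' ('no' form disables it): a flag here."""
    if config_mode:
        return config_cmds_authorized
    return f"aaa authorization commands {priv_lvl} " in aaa_config

def user_can_run(group, aaa_config, cmdline, config_mode, config_cmds_authorized=True):
    """What the operator sees: a command the router never submits is accepted."""
    if not router_consults_server(aaa_config, config_mode, config_cmds_authorized):
        return True
    return tac_plus_decides(group, cmdline)

if __name__ == "__main__":
    for flag in (True, False):
        print("config-commands authorized:", flag, "| 'ip routing' accepted:",
              user_can_run(TEST_GROUP, AAA_CONFIG, "ip routing", True, flag))
```

Under these semantics the posted group already denies ip routing on the server side, so if the router still accepts it the thing to verify is whether the router is submitting configuration commands at all (debug aaa authorization on the router, or the daemon's debug output) before re-editing the group.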
 
group = test {
default service = permit

Your default service should be deny, NOT permit.
 
I have tried both permit and deny with different configurations.
 
I'm stumped... after you make the changes, you do stop and start the tacacs service, correct?
 
Yes, I stop and start tacacs each time I make a change.
 
Or the entire config? There is a way to do this at the command line... just specify exactly what user/group you want this to happen to.

 
#
#
# tacacs-server key 7 0756741E435D180E1D035F5555217E75
key = "952m4akjq491k51"

prompt = "Authorized Access Only\nTACACS+ Authentication & Authorization for Cisco Switch Configuration\n"

accounting file = /var/log/tac_acc.log

user = $enable$ {
member = admin
login = des xxxx
}

user = user1 {
service = rbt-exec {
local-user-name = "admin" }
member = admin
login = des ddmR3rcCk8p1g
pap = des ddmR3rcCk8p1g
}

user = user2 {
service = rbt-exec {
local-user-name = "admin" }
member = admin
login = des F1V73FwAlCfKc
pap = des F1V73FwAlCfKc
}

user = user3 {
service = rbt-exec {
local-user-name = "admin" }
member = admin
login = des ULYXA4lWkzDRs
pap = des ULYXA4lWkzDRs
}

user = user4 {
service = rbt-exec {
local-user-name = "admin" }
member = admin-nochanges
login = des qhbRlgJq8ijBw
pap = des qhbRlgJq8ijBw
}

user = user5 {
service = rbt-exec {
local-user-name = "monitor" }
member = admin-nochanges
login = des MsMsU59VCLOs2
pap = des MsMsU59VCLOs2
}

user = user6 {
service = rbt-exec {
local-user-name = "monitor" }
member = admin-nochanges
login = des 84IZy/q33SaDo
pap = des 84IZy/q33SaDo
}

user = test {
member = admin-nol3
login = cleartext adm1ntest
}

group = admin {
# Permit all undefined services
default service = permit

# Top-Level root password:
login = des NC9gT/7SdJ8Vw

cmd = debug {
# deny the command "debug all", permit everything else
deny all
permit .*
}

# Default access to enable mode
service = exec {
priv-lvl = 15
}
}

group = staff {
# Default NOS-level password
login = des NC9gT/7SdJ8Vw

cmd = telnet {
# permit specified telnets to 168.98.x.x
permit 168\.98\.[0-9]+\.[0-9]+
deny .*
}
cmd = enable {
deny .*
}
service = exec {
priv-lvl = 1
}
}

group = nos {
# Default NOS-level password
login = cleartext c1sc0nos

cmd = telnet {
# permit specified telnets to 168.98.x.x
permit 168\.98\.[0-9]+\.[0-9]+
deny .*
}
cmd = enable {
deny .*
}
cmd = show {
# permit specified sho commands
permit .*
}
cmd = connect {
# permit all connect commands
permit .*
}
cmd = traceroute {
# permit all traceroute commands
permit .*
}
cmd = ping {
# permit all ping commands
permit .*
}
service = exec {
priv-lvl = 1
}
}

group = admin-nochanges {
default service = permit
login = cleartext 1pr0uter

cmd = configure {
deny .*
}
cmd = copy {
deny .*
}
cmd = erase {
deny .*
}
cmd = format {
deny .*
}
cmd = debug {
# deny the command "debug all", permit everything else
deny all
permit .*
}
cmd = write {
# permits write term and write network
deny erase
deny core
deny memory
deny mib-data
permit .*
}

# Default access to enable mode
service = exec {
priv-lvl = 15
}
}

group = admin-nol3 {
default service = deny
login = cleartext 1pr0uter

cmd = configure {
permit .*
}
cmd = interface {
deny .*
}
cmd = spanning-tree {
deny .*
}
cmd = snmp-server {
deny host
permit .*
}
cmd = ip {
permit address
deny .*
}
cmd = switchport {
permit .*
}
cmd = channel-group {
permit .*
}
cmd = copy {
permit running-config
deny .*
}
cmd = debug {
# deny the command "debug all", permit everything else
deny all
permit .*
}
cmd = write {
# permits write memory and write network, denies the rest
permit memory
permit network
deny .*
}
cmd = show {
permit .*
}
cmd = reload {
permit .*
}
cmd = no {
permit .*
}

cmd = delete {
deny .*
}

# Default access to enable mode
service = exec {
priv-lvl = 15
}
}
 