AAA command authorization gotchas
Once upon a time, AAA command authorization in Cisco IOS queried the TACACS+ server for every single command a user entered. The rules have changed drastically since then (at least in IOS release 12.4):
- Non-privileged show commands are executed without TACACS+ authorization. Privileged show commands (for example, show running-config or show archive log config) are still authorized.
- Some commands that can be executed in non-privileged (aka disable) mode (enable, disable, help, logout) are authorized only if you've configured aaa authorization commands 0 methods, and that method list is used regardless of the current privilege level.
- Other commands (for example, ping) are authorized based on the current privilege level. For example, if you've configured AAA command authorization only for privilege level 15, the ping command is authorized when you're working in enable mode, but not otherwise.
- Command authorization is not performed on the console unless you've configured aaa authorization console.
This is the sample configuration I've used to run the tests with IOS release 12.4(19):

```
aaa new-model
!
aaa authentication login default local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
!
username x password y
!
tacacs-server host 192.168.200.201
```
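To make the rules above testable before you touch a production router, here is a small Python model of the IOS 12.4 decision logic as described in this post. It is an added example, not code from the post or from Cisco; the AaaConfig class, the needs_tacacs_authorization function and the sample commands are my own, and two things are assumptions: that the only privileged show commands are the two named above, and that a privileged show command is checked against the method list of the user's current privilege level.

```python
"""Model of which commands IOS 12.4 sends to TACACS+ for command authorization.

Added example: encodes the rules from the post so they can be checked offline.
Assumptions (not stated by the post): the privileged 'show' set is limited to
the two commands the post names, and a privileged show command is authorized
against the method list of the current privilege level.
"""
from dataclasses import dataclass, field

# Commands usable in disable (privilege 0) mode; IOS authorizes them only
# when a level-0 method list exists, whatever the current privilege level.
LEVEL0_COMMANDS = {"enable", "disable", "help", "logout"}

# Privileged show commands that are still authorized (assumption: only these).
# Stored as prefixes so that the 'show running' abbreviation also matches.
PRIVILEGED_SHOW_PREFIXES = ("show running", "show archive log config")


@dataclass
class AaaConfig:
    """The parts of the router's AAA config that matter for these rules."""
    # privilege levels for which 'aaa authorization commands <level> ...' exists
    command_levels: set = field(default_factory=set)
    # True when 'aaa authorization console' is configured
    console: bool = False


def is_privileged_show(cmd: str) -> bool:
    """True for the show commands the post says are still authorized."""
    normalized = " ".join(cmd.lower().split())
    return normalized.startswith(PRIVILEGED_SHOW_PREFIXES)


def needs_tacacs_authorization(cmd: str, priv_level: int, cfg: AaaConfig,
                               on_console: bool = False) -> bool:
    """Return True if IOS 12.4 would query TACACS+ for cmd, per the post's rules."""
    words = cmd.strip().split()
    if not words:
        return False
    # Rule: no command authorization on the console without 'aaa authorization console'
    if on_console and not cfg.console:
        return False
    first = words[0].lower()
    # Rule: disable-mode commands use the level-0 list regardless of current level
    if first in LEVEL0_COMMANDS:
        return 0 in cfg.command_levels
    # Rule: non-privileged show commands bypass authorization entirely
    if first == "show" and not is_privileged_show(cmd):
        return False
    # Everything else (including privileged show) depends on the current level's list
    return priv_level in cfg.command_levels


if __name__ == "__main__":
    # Constructed sample matching the post's configuration (levels 0 and 15, no console)
    cfg = AaaConfig(command_levels={0, 15})
    for cmd, level in [("ping 10.0.0.1", 15), ("ping 10.0.0.1", 1),
                       ("show ip route", 15), ("show running-config", 15),
                       ("enable", 1)]:
        print(f"{cmd!r} at level {level}: "
              f"{'TACACS+' if needs_tacacs_authorization(cmd, level, cfg) else 'local'}")
```

One caveat the model deliberately leaves out: the none keyword at the end of the sample method lists is a fail-open fallback. IOS moves on to the next method only when the TACACS+ server does not answer, not when it denies, so with the server unreachable every command the model flags as "TACACS+" is simply permitted.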
2 comments:
Do you or any reader have any TACACS+ server applications you could recommend? We are currently running an older version of tac_plus on UNIX which lacks many authorization options. Any suggestions that I could have a closer look on would be highly appreciated!
The most popular implementation of TACACS+ nowadays is:
http://www.shrubbery.net/tac_plus/