AAA command authorization gotchas

Once upon a time, AAA command authorization in Cisco IOS queried the TACACS+ server for every single command a user entered. Rules have changed drastically in the meantime (at least for IOS release 12.4):

  • Non-privileged show commands are executed without TACACS+ authorization. Privileged show commands (show running or show archive log config) are still authorized.
  • Some commands that can be executed in non-privileged (aka disable) mode (enable, disable, help, logout) are authorized only if you configure aaa authorization commands 0 methods regardless of the current privilege level.
  • Other commands (for example, ping) are authorized based on the current privilege level. For example, if you’ve configured AAA command authorization only for privilege level 15, the ping command will be authorized when you’re working in enable mode, but not otherwise.
  • Command authorization is not performed on the console unless you’ve configured aaa authorization console. Enable it with care: once it’s on, a console session whose TACACS+ server is unreachable and whose method list has no fallback cannot run commands at all.

This is the sample configuration I’ve used to run the tests with IOS release 12.4(19):

aaa new-model
!
! Login authentication stays local for the test; only authorization goes to TACACS+
aaa authentication login default local
! Exec authorization: ask TACACS+; allow any authenticated user only if the server does not respond
aaa authorization exec default group tacacs+ if-authenticated
! Command authorization for levels 0 and 15 only (level 1 commands are never authorized)
! The trailing "none" is a lab convenience: method lists fall through only when
! the server fails to respond (a deny is final), and "none" then permits every
! command without any check
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
!
username x password y
!
tacacs-server host 192.168.200.201
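The test configuration above is deliberately permissive: level 1 commands are never sent to the server, the console is exempt, and the "none" fallback hands out every command whenever the TACACS+ server is unreachable. The following configuration is an added example, not part of the original post, that closes those gaps on the same IOS 12.4 syntax; it assumes privilege levels 0, 1 and 15 are the ones in use and uses SECRET as a placeholder shared key.

```cisco
! Added example (not from the original post): the test configuration
! above with its gaps closed. SECRET is a placeholder shared key.
aaa new-model
!
! Authenticate against TACACS+ first; fall back to the local database
! only when the server does not respond (a deny is final, not a fallback).
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
!
! Authorize commands at every privilege level a user can actually reach.
! Leaving level 1 out means a level-1 "ping" is never sent to the server
! (non-privileged "show" commands still bypass authorization regardless).
! No trailing "none": an unreachable server now denies commands instead
! of silently permitting all of them.
aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
!
! Configuration mode commands are authorized as well (IOS default, made explicit).
aaa authorization config-commands
!
! Without this line the console bypasses command authorization entirely.
! Turn it on only if you accept that a console session with an unreachable
! server and no fallback method cannot run commands.
aaa authorization console
!
username x privilege 15 secret y
!
tacacs-server host 192.168.200.201 key SECRET
```

Dropping "none" trades convenience for safety: if the TACACS+ server goes away, authenticated users keep their exec session but every command is denied, so keep an out-of-band path to the box (or a second TACACS+ server) before deploying this, and only enable aaa authorization console once that path exists.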

6 comments:

  1. Do you or any reader have any TACACS+ server applications you could recommend? We are currently running an older version of tac_plus on UNIX which lacks many authorization options. Any suggestions that I could have a closer look on would be highly appreciated!

  2. The most popular implementation of TACACS+ nowadays is:

    http://www.shrubbery.net/tac_plus/

  3. Does anyone know the steps of TACACS CLI configuration on the Alcatel ISAM 7302?

  4. Yeah, I do. Do you still need these commands, or did you get them from somewhere? I'm asking because your post was in November last year.

  5. Does anyone have practical commands for IPv6?

  6. Shafie, if you can enlighten me I would be very happy. (I can't seem to find it on the interwebs.)


Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.