AAA command authorization gotchas

Once upon a time, AAA command authorization in Cisco IOS queried the TACACS+ server for every single command a user entered. Rules have changed drastically in the meantime (at least for IOS release 12.4):

  • Non-privileged show commands are executed without TACACS+ authorization. Privileged show commands (show running or show archive log config) are still authorized.
  • Some commands that can be executed in non-privileged (aka disable) mode (enable, disable, help, logout) are authorized only if you configure aaa authorization commands 0 methods regardless of the current privilege level.
  • Other commands (for example, ping) are authorized based on the current privilege level.

For example, if you’ve configured AAA command authorization only for privilege level 15, the ping command will be authorized if you’re working in enable mode, but not otherwise.

  • Command authorization is not performed on the console unless you’ve configured aaa authorization console.

This is the sample configuration I’ve used to run the tests with IOS release 12.4(19):

aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
!
username x password y
!
tacacs-server host 192.168.200.201
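As an added example (not part of the original post, and not Cisco code), the following Python script models the rules listed above against the sample configuration: it parses the aaa authorization commands lines, decides whether IOS 12.4 would query TACACS+ for a given command at a given privilege level, and flags the two things a reviewer would raise against this configuration (the none fallback on each method list, and the missing aaa authorization console). The WEAK_CONFIG and HARDENED_CONFIG strings are constructed samples; the privileged show list contains only the two commands the post names, and the function assumes commands are typed in full rather than abbreviated.

```python
import re

# Constructed sample, mirroring the configuration used for the tests in the post.
WEAK_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
username x password y
tacacs-server host 192.168.200.201
"""

# Constructed variant with the two gotchas addressed: local fallback instead of
# none, console authorization enabled, and level 1 covered as well.
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
tacacs-server host 192.168.200.201
"""

CMD_AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")

# Commands the post says are authorized only when level 0 authorization exists.
LEVEL0_COMMANDS = {"enable", "disable", "help", "logout"}
# Privileged show commands named in the post (abbreviated and full form).
# Assumption: other privileged show commands exist and would be added here.
PRIVILEGED_SHOW = ("show running-config", "show running", "show archive log config")


def _methods(tokens):
    """Join 'group <name>' into one method, so ['group', 'tacacs+', 'none']
    becomes ['group tacacs+', 'none']."""
    out, it = [], iter(tokens)
    for tok in it:
        out.append(f"{tok} {next(it)}" if tok == "group" else tok)
    return out


def parse_command_authorization(config):
    """Map privilege level -> method list for every
    'aaa authorization commands <level> <list> <methods...>' line."""
    levels = {}
    for line in config.splitlines():
        m = CMD_AUTHZ_RE.match(line.strip())
        if m:
            levels[int(m.group(1))] = _methods(m.group(3).split())
    return levels


def has_console_authorization(config):
    return any(line.strip() == "aaa authorization console"
               for line in config.splitlines())


def needs_tacacs_query(config, command, privilege_level, on_console=False):
    """Model of the post's rules: would IOS 12.4 ask TACACS+ about this command?
    Commands are assumed to be typed in full (no IOS abbreviation expansion)."""
    levels = parse_command_authorization(config)
    if on_console and not has_console_authorization(config):
        return False                      # console is exempt unless configured
    words = command.split()
    keyword = words[0] if words else ""
    if keyword == "show" and not command.startswith(PRIVILEGED_SHOW):
        return False                      # non-privileged show: never queried
    if keyword in LEVEL0_COMMANDS:
        return 0 in levels                # depends only on level 0 being configured
    return privilege_level in levels      # everything else: current privilege level


def audit(config):
    """Findings a reviewer would raise against the command-authorization setup."""
    findings = []
    for level, methods in sorted(parse_command_authorization(config).items()):
        if methods[-1] == "none":
            findings.append(f"level {level}: 'none' fallback permits every command "
                            "when no TACACS+ server answers")
    if not has_console_authorization(config):
        findings.append("no 'aaa authorization console': console sessions skip "
                        "command authorization entirely")
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("WEAK:", finding)
    print("hardened findings:", audit(HARDENED_CONFIG))
    print("ping at level 1 queried?", needs_tacacs_query(WEAK_CONFIG, "ping 10.0.0.1", 1))
    print("enable at level 1 queried?", needs_tacacs_query(WEAK_CONFIG, "enable", 1))
```

Run it as-is and the audit reports three findings for the sample configuration and none for the hardened variant; the ping and enable checks reproduce the behaviour described above (ping at level 1 is not queried because no level 1 method list exists, while enable is queried because level 0 is configured). Whether a none fallback is acceptable depends on how you want the device to behave when every TACACS+ server is unreachable, which is exactly why the audit reports it rather than silently rewriting it.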

6 comments:

  1. Do you or any reader have any TACACS+ server applications you could recommend? We are currently running an older version of tac_plus on UNIX which lacks many authorization options. Any suggestions that I could have a closer look on would be highly appreciated!
  2. The most popular implementation of TACACS+ nowadays is:

    http://www.shrubbery.net/tac_plus/
  3. Does anyone know the steps of TACACS CLI configuration on the Alcatel ISAM 7302?
  4. Yeah, I do. Do you still need these commands, or did you get them from somewhere? I'm asking because your post was in November last year.
  5. Does anyone have practical commands on IPv6?
  6. Shafie, if you can enlighten me I would be very happy. (I can't seem to find it on the interwebs.)