Cisco ACS 5.x Use Case: Authorization and Accounting Commands

This post rounds off the series on network device administration. This time we authorize users to run specific commands and account for what they do. Both the ACS configuration and the router configuration start out (almost) blank.

This is the scenario: we will have two groups of users. Senior Admins can run any command. Junior Admins can only run show commands, except for show running-config and show startup-config; we will also allow them to add a new network to the OSPF routing process. Every command that is executed will be accounted for.

On the ACS we add the router as an AAA client device. We create two groups with the names given above, and create two users: sasa.popravak, a member of Senior Admins, and slavisa.popravak, a member of Junior Admins. We already know how to do all of this from the previous ACS 5.x posts. The network diagram also stays the same.

Now we will create two Command Sets: one that allows the execution of all commands, and one that allows only the commands permitted to junior administrators.

Under Policy Elements->Authorization and Permissions->Device Administration->Command Sets we click Create. Then, for Senior Admins, we only tick Permit any command that is not in the table below:

ucase3-1

For junior administrators, we create a command set as follows:

ucase3-2

Note that we can abbreviate commands or arguments with the * wildcard, or list them in full form like this:

ucase3-3

Also note the presence of the exit, end, enable and disable commands. They must be listed even though the scenario does not call for them, because otherwise the user would be locked in global configuration or router configuration mode. In fact, without enable they could not enter privileged mode at all!

Next, under Access Policies->Access Services->Default Device Admin->Identity we make sure that Internal Users is selected. Under Access Policies->Access Services->Default Device Admin->Authorization we need to create two rules, one for senior and one for junior admins, and assign the appropriate Command Sets. Before creating the rules, we need to customize the result options we want to work with, because by default the Default Device Admin access service only returns a Shell Profile that permits access, not a Command Set. So we click Customize and select our options:

ucase3-4

Now we click Create and create our two rules. First, for seniors:

ucase3-5

And for juniors:

ucase3-6

Finally, we make sure that the default rule denies access:

ucase3-7

We are now ready to set up the router:

!
hostname R1
!
enable secret 5 $1$VvqP$0Q.5Featb31qC5zP0PZe8/
!
aaa new-model
!
aaa authentication login default group tacacs+
aaa authentication login CONSOLE_NONE none
!
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
!
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
interface FastEthernet0/0
ip address 11.11.11.10 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.168.10 255.255.255.0
duplex auto
speed auto
!
!
tacacs-server host 192.168.168.12 key spop123
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
login authentication CONSOLE_NONE
!
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
!
line vty 0 4

!

And now let’s verify. First, the seniors:

sasa@pop-deb:~$
sasa@pop-deb:~$ telnet 11.11.11.10
Trying 11.11.11.10...
Connected to 11.11.11.10.
Escape character is '^]'.

username: sasa.popravak
password:

R1>en
Password:
R1#
R1#show run
Building configuration...

Current configuration : 1627 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$VvqP$0Q.5Featb31qC5zP0PZe8/
!
aaa new-model
!
!
aaa authentication login default group tacacs+
aaa authentication login CONSOLE_NONE none
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
!
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3

R1#
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#int lo1
R1(config-if)#ip addr 1.1.1.1 255.255.255.255
R1(config-if)#exit
R1(config)#
R1(config)#exit
R1#exit
Connection closed by foreign host.
sasa@pop-deb:~$

And then juniors:

sasa@pop-deb:~$
sasa@pop-deb:~$ telnet 11.11.11.10
Trying 11.11.11.10...
Connected to 11.11.11.10.
Escape character is '^]'.

username: slavisa.popravak
password:

R1>
R1>en
Password:
R1#
R1#show run
Command authorization failed.

R1#
R1#show start
Command authorization failed.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int lo2
Command authorization failed.

R1(config)#router rip
Command authorization failed.

R1(config)#
R1(config)#router ospf 1
R1(config-router)#router-id 1.1.1.1
Command authorization failed.

R1(config-router)#
R1(config-router)#network 1.1.1.1 255.255.255.255 area 0
R1(config-router)#exit
R1(config)#
R1(config)#exit
R1#
R1#
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback1
11.0.0.0/24 is subnetted, 1 subnets
C       11.11.11.0 is directly connected, FastEthernet0/0
C    192.168.168.0/24 is directly connected, FastEthernet0/1
R1#
R1#
R1#exit
Connection closed by foreign host.
sasa@pop-deb:~$

In the output above, the commands for which authorization failed are the ones followed by "Command authorization failed."; all other commands were executed successfully.
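To make the rule evaluation behind that output concrete, here is an added Python model of ACS 5.x command-set matching, replayed over the junior session. It is not the post's or Cisco's code, it is a simplification (ordered rules, first match wins, * as the only wildcard), and the rule table is my assumption of what the screenshots contain, built from the scenario description.

```python
import re

# Constructed model of an ACS 5.x command set (assumed; the post's own sets are
# only shown as screenshots). Rules are (grant, command, argument pattern) and
# are checked in order, first match wins; "*" is the only wildcard.
JUNIOR_SET = {
    "permit_unlisted": False,   # "Permit any command not in the table" unticked
    "rules": [
        ("deny",   "show",      "running-config*"),
        ("deny",   "show",      "startup-config*"),
        ("permit", "show",      "*"),
        ("permit", "configure", "terminal"),
        ("permit", "router",    "ospf *"),
        ("permit", "network",   "*"),
        # mode-navigation commands the post says must always be listed
        ("permit", "exit",      ""), ("permit", "end",     ""),
        ("permit", "enable",    "*"), ("permit", "disable", "*"),
    ],
}
SENIOR_SET = {"permit_unlisted": True, "rules": []}   # "permit anything"

def _wildcard_match(pattern, text):
    """Match 'text' against 'pattern', where '*' stands for any string."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, text) is not None

def authorize(command_set, command):
    """Return 'permit' or 'deny' for one full command line.
    Assumes the router sends the expanded command in the TACACS+ request
    (e.g. 'show running-config' for what the admin typed as 'show run')."""
    words = command.split()
    cmd, args = words[0], " ".join(words[1:])
    for grant, rule_cmd, rule_args in command_set["rules"]:
        if rule_cmd == cmd and _wildcard_match(rule_args, args):
            return grant
    return "permit" if command_set["permit_unlisted"] else "deny"

def replay(command_set, session):
    """Evaluate a list of commands and return those that would be denied."""
    return [c for c in session if authorize(command_set, c) == "deny"]

# The junior session from the post, with commands expanded as IOS would send them
JUNIOR_SESSION = [
    "enable", "show running-config", "show startup-config", "configure terminal",
    "interface Loopback2", "router rip", "router ospf 1", "router-id 1.1.1.1",
    "network 1.1.1.1 255.255.255.255 area 0", "exit", "exit", "show ip route",
]
```

Calling `replay(JUNIOR_SET, JUNIOR_SESSION)` returns exactly the five commands that failed in the transcript, while `replay(SENIOR_SET, JUNIOR_SESSION)` returns nothing; removing the exit and end rules from the set makes `authorize` deny "exit", which is the lock-in the post warns about.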

Finally, on the ACS server, we can verify that authorization and accounting are working:

ucase3-8

ucase3-9

I hope this was useful.

Thanks for reading.

This entry was posted in AAA, ACS 5.x, ACS/RADIUS/TACACS, Cisco, IOS, Security.

One Response to Cisco ACS 5.x Use Case: Authorization and Accounting Commands

  1. T. says:

    Thanks for this howto, but I have one question…
    What if I want to DENY all commands containing the argument “capabilities”?
    For example, I want to deny the command “show interfaces capabilities” but also deny the command “show interfaces [any interface] capabilities”
    Is there a way to just block the “capabilities” argument?

    Thanks in advance.
    T.
