Solved

Using Windows IAS server to limit Cisco privilege level 1 users to specific commands.

Posted on 2010-01-05
Last Modified: 2012-05-08
How can I assign users that have no privilege level 15 rights a list of commands when they authenticate against the IAS server?  I currently have two groups defined in the IAS. One is Level 15 access (Admin), the second is Level 1 access (non-admin). The non-admin users can execute any commands and can write to configs. Any ideas how I can assign specific commands to the non-admin group using a Windows IAS server?

Thank you
G
Question by:chfong98
14 Comments
 
LVL 25

Accepted Solution

by:
Ken Boone earned 400 total points
ID: 26185120
I use ACS to do this or I do it locally.  So I am not sure if IAS has the ability to control command assignments but you can do it on the router like this:

privilege exec level 1 traceroute
privilege exec level 1 ping
privilege exec level 1 show startup-config
privilege exec level 1 show running-config
privilege exec level 1 show

So assuming that IAS grants a level 1 user access to router these commands would allow a level 1 user to utilize them.
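The privilege map from the accepted answer, worked into a fuller IOS configuration as an added example (not from the original answer or from Cisco's documentation). The command list, the hostname in the verification transcript and the choice of which commands a level-1 role gets are assumptions.

```cisco
! Added example: delegate a read-only command set to privilege level 1.
! Anything not listed here keeps its default level, so configure terminal,
! reload, copy and write stay at level 15 for the non-admin group.
!
! The bare "show" keyword is lowered as well, as in the answer above.
privilege exec level 1 show
privilege exec level 1 show running-config
privilege exec level 1 show startup-config
privilege exec level 1 show interfaces
privilege exec level 1 ping
privilege exec level 1 traceroute
!
! "clear counters" (asked for later in the thread) is not read-only: it changes
! device state, so delegate it only if the level-1 role really needs it.
privilege exec level 1 clear
privilege exec level 1 clear counters
!
! Expected check from a level-1 session (hostname "gwy01" is assumed):
!   gwy01> show privilege
!   Current privilege level is 1
!   gwy01> configure terminal
!   (rejected: the command is not available at level 1)
```

Review the resulting `show running-config | include privilege` output after saving, so the delegated set is visible in one place for audit.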
LVL 4

Expert Comment

by:JDLoaner
ID: 26185145
Do a "sh users" once in the router, authenticated with a non-admin user.  Paste it.
LVL 4

Expert Comment

by:JDLoaner
ID: 26185215
Here, just use this... no sense in me re-typing what's already down.

http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/

Let me know if that does the trick. I have a feeling it's making sure you have the "shell:priv-lvl=1" in, and that it's listed as a Cisco device.
LVL 25

Expert Comment

by:Ken Boone
ID: 26185313
JD - the link you gave him is providing the basics for IAS authentication.  I think from what I am reading he has the IAS authentication working but he is trying to do command authorization at this point.

Author Comment

by:chfong98
ID: 26185430
JDLoaner

Both the Admin and non-admin users can log in just fine. I just need to assign additional commands, like clear counters, show run, etc., to the non-admin user. Here is the non-admin test user ciscoro.

gwy01>sh users
    Line       User       Host(s)              Idle       Location
*  1 vty 0     ciscoro    idle                 00:00:00 workstation.aaa.com

  Interface      User        Mode                     Idle     Peer Address

gwy01>sh priv
Current privilege level is 1
LVL 25

Expert Comment

by:Ken Boone
ID: 26185525
Try adding the commands that I gave you above and see if that does anything for you.
LVL 81

Expert Comment

by:arnold
ID: 26185893
http://wiki.freeradius.org/Cisco

The example is for another RADIUS server but is enough to illustrate the point:
The reply items that IAS needs to send once the authentication is complete, using cisco-avpair, will tell Cisco which commands are available to this user, the group to which the user belongs, etc.

The alternative, as kenboonejr pointed out in the first place, is that you configure the privilege level where certain commands are available and then, when a user authenticates, respond with the reply items that are of the same level or higher than the commands.

This way your IAS, based on the group membership or the user, will set the privilege level for the authenticated user using the cisco-avpair reply item.
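The IOS side that makes those reply items take effect, as an added example (not from arnold's post, the linked FreeRADIUS wiki, or the IAS documentation). The server address, the shared-secret placeholder and the line names are assumed; the two cisco-avpair values are the ones this thread is about.

```cisco
! Added example: let the RADIUS reply decide the exec privilege level.
aaa new-model
! 192.0.2.10 and the key are constructed placeholders, not values from the thread
radius-server host 192.0.2.10 key REPLACE-WITH-SHARED-SECRET
aaa authentication login default group radius local
!
! Without exec authorization the shell:priv-lvl reply item is never consulted and
! every user lands at the line's default level (1 unless the line says otherwise).
aaa authorization exec default group radius local
!
! RADIUS has no per-command authorization (that is a TACACS+ feature), which is why
! the "privilege exec level 1 ..." map stays on the device and the server only picks
! the level. Reply items to configure per IAS group, as Vendor-Specific (vendor Cisco,
! id 9, attribute cisco-avpair):
!   Admin group:      cisco-avpair = "shell:priv-lvl=15"
!   Non-admin group:  cisco-avpair = "shell:priv-lvl=1"
!
! Do not override the server's decision on the lines themselves: a
! "privilege level 15" statement here would hand every authenticated user level 15.
line vty 0 4
 login authentication default
 transport input ssh
```

If the non-admin group can still write configs after this, check the Access-Accept with `debug radius` for a stray `shell:priv-lvl=15` and confirm that no `enable` secret is shared with that group.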
LVL 4

Expert Comment

by:JDLoaner
ID: 26186136
Oh I see, the way I read it the PRIV 1 users were still able to run all the commands a 15-level user could.

So ken is correct on specifying locally.

Use the "router(config)# privilege *command* level 1"

Author Comment

by:chfong98
ID: 26186425

Kenboonejr

Great! I added these commands; the show run only shows like 3 lines, the sh start puts out the entire config.
Why is that?

privilege exec level 1 show startup-config
privilege exec level 1 show running-config
privilege exec level 1 show

Thanks
G
LVL 25

Expert Comment

by:Ken Boone
ID: 26186455
Man, I haven't seen that behavior before.   The command either works or it will give you an error on the command.  But showing 3 lines of the config is something I haven't seen before.  That sounds odd.  So off the top of my head here is what I would do unless someone has a better idea.
#1)  Save the config and reboot the router... I dunno, maybe a quirk or something
#2) Update your IOS to a more recent version... again, I dunno, maybe a bug
#3) If neither of those does it then you will need to start running some debugs on aaa authorization and see if anything jumps out at you.
I have never seen this situation.

Author Comment

by:chfong98
ID: 26186507
kenboonejr

I don't think I am going to chase down the bug on the switch at this time. It is in production.
I did all that on a cat 2960. Is it the same on ASA5550, 5510?

Thanks
G
LVL 25

Expert Comment

by:Ken Boone
ID: 26187002
Yeah, it's pretty much the same.  The syntax is slightly different.  Here is the doc that covers that on the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/mgaccess.html#wp1042034

Should take you right to command authorization.  If not click on it in the index.  
LVL 4

Assisted Solution

by:JDLoaner
JDLoaner earned 100 total points
ID: 26187398
The sh run is only showing those because that is what you have added to the currently running config.  The sh start is giving you the entire config that the router was booted with.  Copy run start might give you equal display for both, might take a reload as well however.

Author Closing Comment

by:chfong98
ID: 31673191
Thank you all for the great help