Restricting Command Access

Problem

You want to restrict permission so that specific users can use only certain commands.

Solution

You can enable TACACS+ command authorization in newer IOS versions with the following set of configuration commands:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authorization exec default group tacacs+ 
Router1(config)#aaa authorization commands 15 default group tacacs+ 
Router1(config)#tacacs-server host 172.25.1.1
Router1(config)#tacacs-server key COOKBOOK
Router1(config)#end
Router1#

In any IOS version before 12.0(5)T, the AAA syntax was slightly different:

Router2#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#aaa new-model
Router2(config)#aaa authorization exec default tacacs+ 
Router2(config)#aaa authorization commands 15 default tacacs+ 
Router2(config)#end
Router2#

Discussion

After you configure AAA authorization, the router will query the TACACS+ server each time somebody enters a command to see if it is allowed. If the user is permitted to use this particular command, the TACACS+ server will respond with an “accept” message, and the router will proceed to execute the command. However, if the user is not permitted to issue the command, the TACACS+ server responds with a “reject” message, and the router will not execute the command. The router also shows a rejection status message on the screen:

Router1#configure terminal 
Command authorization failed.

Router1#

In this case, the current user is unable to modify the router configuration because of an AAA authorization rejection.

Command authorization is useful in many situations. For example, you can use it to allow novice users to access some commands on the router, while preventing them from modifying the configuration. Or, in other cases, you might need to give special access to different groups of users according to their job functions. For example, the night operator might need to have access to look at the routing tables. But you may not want to give this person the same command set as your network engineers. In Recipe 4.8, we illustrate how to configure a TACACS+ server to permit and deny specific commands.

In the recipe examples, we have configured the router to authorize enable-level commands only, by specifying the number 15 as an argument:

Router1(config)#aaa authorization commands 15 default tacacs+

You may recall from Chapter 3 that the enable level commands are assigned level 15, whereas VTY level commands are at level 1. You can authorize all level 1 commands as well, depending on the level of security and control you wish to enforce. You could authorize all level 1 commands as follows:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#aaa new-model 
Router1(config)#aaa authorization commands 1 default tacacs+
Router1(config)#end
Router1#

See Also

Chapter 3; Recipe 4.3; Recipe 4.8

Get Cisco IOS Cookbook, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial