Understanding TACACS+ AV Pairs in the ACS Interface

The AV pair combinations in this chapter are intended to help you tie their meaning together. Not all AV pairs are configured as explicit attribute=value strings. In fact, many AV pair combinations are configured in ACS using the HTML interface. For example, to configure an autocommand, you select the check box next to Autocommand and enter the command that you want to execute in the given field. The attribute is autocmd, and the value is whatever you place in the field. This makes working with AV pairs much simpler. In fact, many people configure AV pairs and don't even know it.

In the sections that follow, you find five examples of AV pairs configured. For each example, see if you can answer the following questions:

What is the attribute?

What is the value?

Will this work?

AV Pair Discussion #1

Examine Figure 13-3.

Figure 13-3. AV Pair Discussion #1


In Figure 13-3, there are actually two AV pairs configured. The first AV pair is the inacl#n attribute. In the ACS interface, it is simply seen as "In access control list."

The second AV pair in Figure 13-3 is the routing= AV pair. The value is 1, which indicates that routing is enabled. In the ACS interface, you can see that this configuration is accomplished simply by selecting a check box.

This configuration would be useless because the PPP service was not selected.

AV Pair Discussion #2

Examine Figure 13-4.

Figure 13-4. AV Pair Discussion #2


Figure 13-4 demonstrates a total of three AV pairs. The first is the service=shell AV pair. This is configured by placing a check mark in the box next to Shell (exec). The second AV pair seen here is priv-lvl=10. This sets the privilege level for the users of this group to 10. Finally, the third AV pair is the timeout value for the shell, which is set to 60 minutes. This is the timeout=60 AV pair.

AV Pair Discussion #3

Examine Figure 13-5.

Figure 13-5. AV Pair Discussion #3


Figure 13-5 has the PPP AV pair selected. This is equivalent to the service=ppp AV pair. The route AV pair is also selected. This is the same as configuring the route="10.1.1.254 255.255.255.255 10.1.1.2" AV pair. The route AV pair depends on the PPP service. Without the PPP service, the route cannot be distributed.

AV Pair Discussion #4

Examine Figure 13-6.

Figure 13-6. AV Pair Discussion #4


In Figure 13-6, you can see that there are three AV pairs configured. The first is the access control list that has a value of 101. This is equivalent to the AV pair acl=101. This applies the access list 101 that is configured on the AAA client to the line that this user accesses the shell EXEC from.

The second AV pair configured in this example is the autocommand attribute with a value of show run. This executes the show run IOS command when the user authenticates and is authorized access to the command line. Once this command is issued, the connection is terminated.

The third AV pair configured is the idle time, which allows the session to sit idle for 60 minutes before it is disconnected. This is equivalent to the AV pair idletime=60.

This configuration is not valid and will not work because the service=shell AV is not selected in the ACS HTML interface.

AV Pair Discussion #5

To facilitate this example, an additional configuration was enabled. Figure 13-7 shows the time-of-day access grid configuration being enabled in interface configuration.

Figure 13-7. Enabling Time-of-Day Access Grid for TACACS+


Once this option is selected, the time-of-day access grid becomes visible. In Figure 13-8, you can see this grid selected.

Figure 13-8. AV Pair Discussion #5


The answer here is LCP. By overriding the default time-of-day restrictions, you automatically override the LCP service. This configuration, however, will not work because service=ppp is not enabled.
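The five discussions above all come down to the same check: an AV pair only takes effect when the service it belongs to (service=shell or service=ppp) is also authorized. The following Python script is an added example, not code from the book or from ACS; it parses TACACS+ AV pair strings (attr=value is mandatory, attr*value is optional) and applies a dependency table reconstructed from the discussions above. That table, the numbered-attribute handling (inacl#1 is treated as inacl), and the sample values that the figures do not show (such as the inacl value in Discussion #1) are assumptions made for the example.

```python
"""Check a set of TACACS+ authorization AV pairs for the service
dependencies discussed in this chapter.

Added example, not part of the book or of ACS. The dependency table is
reconstructed from Discussions #1 to #5 and is an assumption, not a
complete list of Cisco IOS AV pair rules.
"""
import re

# attr=value is a mandatory pair, attr*value is an optional pair.
# Attribute names may carry a numeric suffix such as inacl#1.
AV_RE = re.compile(r"^([^=*]+)([=*])(.*)$")

# Attributes that only take effect when the given service is authorized
# (assumption, reconstructed from the discussions above). ACS does not
# reject the combination; the AAA client simply has nothing to apply it to.
SERVICE_FOR_ATTRIBUTE = {
    "shell": {"priv-lvl", "timeout", "acl", "autocmd", "idletime"},
    "ppp": {"inacl", "routing", "route", "protocol"},
}


def parse_av_pair(text):
    """Split 'attr=value' / 'attr*value' into its parts."""
    match = AV_RE.match(text)
    if not match:
        raise ValueError(f"not a TACACS+ AV pair: {text!r}")
    attr, sep, value = match.groups()
    base = attr.split("#", 1)[0]  # inacl#1 -> inacl
    return {"attribute": attr, "base": base, "value": value, "mandatory": sep == "="}


def check_av_pairs(pairs):
    """Return a list of problems; an empty list means the set will work."""
    parsed = [parse_av_pair(p) for p in pairs]
    services = {p["value"] for p in parsed if p["base"] == "service"}
    problems = []
    for p in parsed:
        for service, attrs in SERVICE_FOR_ATTRIBUTE.items():
            if p["base"] in attrs and service not in services:
                problems.append(
                    f"{p['attribute']} requires service={service}, which is not set"
                )
    return problems


# The five discussions as AV pair lists. Values the figures do not show
# (the inacl value in #1) are constructed for the example.
DISCUSSIONS = {
    1: ["inacl#1=101", "routing=1"],
    2: ["service=shell", "priv-lvl=10", "timeout=60"],
    3: ["service=ppp", 'route="10.1.1.254 255.255.255.255 10.1.1.2"'],
    4: ["acl=101", "autocmd=show run", "idletime=60"],
    5: ["protocol=lcp"],  # time-of-day override of LCP without service=ppp
}


def discussion_works(number):
    """Answer the chapter's third question for one discussion."""
    return not check_av_pairs(DISCUSSIONS[number])


if __name__ == "__main__":
    for number, pairs in DISCUSSIONS.items():
        problems = check_av_pairs(pairs)
        verdict = "works" if not problems else "will not work"
        print(f"Discussion #{number}: {verdict}")
        for problem in problems:
            print(f"  - {problem}")
```

Running the script reports Discussions #2 and #3 as working and #1, #4 and #5 as not working, matching the chapter's verdicts. Because the check is driven by a table, you can extend it with the other attributes the AAA client supports, but keep in mind that the table here only encodes what this chapter states.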




Source: Cisco Access Control Security: AAA Administration Services, ISBN 1587051249, 2006, 173 pages.
