Command authorization sets create a central repository for command authorization. Command authorization is available locally on most Cisco routers and PIX Firewalls; this section discusses how to move it to the ACS.

Working with Command Authorization Sets

The ACS allows command authorization sets to be configured in the Group Setup section as well as in the Shared Profile Components section. The functionality is the same in both places, but configuring command authorization sets within Shared Profile Components lets you build the entire command set at once, without having to submit each command before configuring the next. A second benefit of configuring them within Shared Profile Components is that you can configure multiple levels of command sets and apply them at either the group or the user-profile level.

PIX Command Authorization Sets Versus Shell Command Authorization Sets

Although the ACS offers both PIX command authorization sets and shell command authorization sets, the PIX Firewall never implemented the pixshell service on which PIX command authorization sets are based. The workaround for configuring command authorization on a PIX Firewall is therefore to use shell command authorization sets.

Configuration Considerations for Command Authorization Sets

When beginning to configure command authorization, take the following into consideration:
In addition to asking these questions, consider writing out which commands you want available at each level and who is assigned each level. This gives you a more visual approach to creating your command authorization sets.

Router Preparation for Command Authorization

To prepare a router to perform command authorization with ACS, enter the following commands. The generic syntax is shown first, followed by an example for an ACS at 10.1.1.100 with the shared key secretkey:

Router(config)# aaa new-model
Router(config)# tacacs-server host ip-address key key
  or
Router(config)# radius-server host ip-address key key

Router(config)# tacacs-server host 10.1.1.100 key secretkey
  or
Router(config)# radius-server host 10.1.1.100 key secretkey

Router(config)# aaa group server {radius | tacacs+} group-name
Router(config-sg-tacacs+)# server 10.1.1.100
Router(config)# aaa authentication login default group {group-name | radius | tacacs+}
Router(config)# aaa authorization commands level {default | list-name} group group-name
Router(config)# aaa authorization exec default group {tacacs+ | radius}

Although the authentication and exec authorization commands accept either protocol, per-command authorization is a TACACS+ function: RADIUS returns authorization attributes only as part of the authentication reply and cannot authorize individual commands, so the server group named in aaa authorization commands must be a TACACS+ group. Configure a line for each privilege level whose commands you want authorized (typically levels 1 and 15), and consider appending a fallback method such as local or if-authenticated to the method lists so that an unreachable ACS does not lock you out of the device.

PIX Firewall Preparation for Command Authorization

To prepare the PIX Firewall for command authorization, enter the following commands at the config prompt on the PIX, where ip-address is the address of the ACS and secretkey is the shared key:

pixfirewall(config)# aaa-server MYTACACS protocol tacacs+
pixfirewall(config)# aaa-server MYTACACS (inside) host ip-address secretkey timeout 10
pixfirewall(config)# aaa authentication telnet console MYTACACS
pixfirewall(config)# aaa authentication enable console MYTACACS
pixfirewall(config)# aaa authorization command MYTACACS

NOTE To perform command-line authorization on a PIX Firewall, you must run Finesse OS (PIX OS) version 6.2 or greater.

Configuring Shared Profile Components for Command Authorization

To configure command authorization sets for either the PIX or a Cisco IOS router, perform the following steps:
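Before pointing a device at the ACS, it is worth checking the saved configuration for the mistakes that most often break router command authorization: a missing aaa new-model, no TACACS+ server, a command authorization line that names a RADIUS group, a missing privilege level, or no fallback method. The following checker is an added example and not code from the book or from Cisco; it is a simple line scan over show running-config text, and the two configurations it inspects are constructed samples.

```python
"""Scan a Cisco IOS running configuration for the AAA lines that command
authorization with ACS requires.  Added example, not from the book."""
import re

# Constructed sample: a router prepared as described in the text.
GOOD_CONFIG = """
aaa new-model
tacacs-server host 10.1.1.100 key secretkey
aaa group server tacacs+ ACS
 server 10.1.1.100
aaa authentication login default group ACS local
aaa authorization exec default group ACS local
aaa authorization commands 1 default group ACS if-authenticated
aaa authorization commands 15 default group ACS if-authenticated
"""

# Constructed sample with three mistakes: the only server is RADIUS, command
# authorization points at that RADIUS group, and level 1 is not authorized.
BAD_CONFIG = """
aaa new-model
radius-server host 10.1.1.100 key secretkey
aaa group server radius ACS-RAD
 server 10.1.1.100
aaa authentication login default group ACS-RAD local
aaa authorization exec default group ACS-RAD local
aaa authorization commands 15 default group ACS-RAD
"""


def server_group_protocols(lines):
    """Map each 'aaa group server' name to its protocol (radius or tacacs+).
    The built-in group names tacacs+ and radius are their own protocol."""
    groups = {"tacacs+": "tacacs+", "radius": "radius"}
    for line in lines:
        m = re.match(r"aaa group server (radius|tacacs\+) (\S+)", line)
        if m:
            groups[m.group(2)] = m.group(1)
    return groups


def check_command_authorization(config, levels=(1, 15)):
    """Return a list of findings; an empty list means no problem was found."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model is missing; AAA method lists will not take effect")
    if not any(l.startswith("tacacs-server host") for l in lines):
        findings.append("no tacacs-server host configured; command authorization needs TACACS+")
    groups = server_group_protocols(lines)
    seen_levels = set()
    for line in lines:
        m = re.match(r"aaa authorization commands (\d+) (\S+) (.*)", line)
        if not m:
            continue
        level, methods = int(m.group(1)), m.group(3).split()
        seen_levels.add(level)
        # Method list looks like: group NAME [group NAME] [local|if-authenticated|none]
        for i, tok in enumerate(methods):
            if tok == "group" and i + 1 < len(methods):
                proto = groups.get(methods[i + 1])
                if proto != "tacacs+":
                    findings.append(f"level {level}: server group {methods[i + 1]} is "
                                    f"{proto or 'undefined'}, not TACACS+")
        if not any(tok in ("local", "if-authenticated", "none") for tok in methods):
            findings.append(f"level {level}: no fallback method; commands may be denied "
                            "if the ACS is unreachable")
    for level in levels:
        if level not in seen_levels:
            findings.append(f"no 'aaa authorization commands {level}' line; "
                            f"level {level} commands are not authorized")
    return findings


if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD_CONFIG), ("BAD", BAD_CONFIG)):
        print(name, check_command_authorization(cfg) or ["ok"])
```

Run it against a pasted running configuration before enabling the ACS group; the RADIUS finding in particular is easy to miss because the router accepts the line without complaint and only fails when a command is actually authorized.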
Whether you select a permit action or a deny action here depends on how many commands you want the user to have access to. For example, if a user at this command level should have access to everything except the erase and reload commands, it makes sense to build a deny list for just those two commands and select the Permit Unmatched Commands option. Follow these steps to create this authorization set:
At this point, your command authorization set reads: any command that does NOT match "write erase" is permitted. This denies a write erase from being performed. To add reload as a denied command, repeat Steps 7 through 11 of the preceding step sequence, replacing the command write with the command reload, but do not perform Steps 10 and 11. Because no argument entry is added, the entry covers the reload command with any argument. If, on the other hand, you are creating a very restrictive level, select the Deny Unmatched Commands option instead and list only the commands you want to allow. You can create this list by following these steps:
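The two set types described above (a mostly-open set with a short deny list, and a restrictive set with a short permit list) follow one decision rule. The model below is an added example, not ACS code: it reproduces the set-level Permit Unmatched Commands / Deny Unmatched Commands option, per-command argument entries tried in list order, and the per-command Permit Unmatched Args option. Treating each argument entry as a regular expression anchored at the start of the argument string is an assumption of this model, and the two sets and command lines are constructed for illustration.

```python
"""Model of how an ACS shell command authorization set decides a command line.
Added example, not ACS code; argument matching as anchored regex is an assumption."""
import re
from dataclasses import dataclass, field


@dataclass
class CommandEntry:
    command: str
    args: list = field(default_factory=list)   # (action, pattern), in list order
    permit_unmatched_args: bool = False        # the Permit Unmatched Args box


@dataclass
class CommandSet:
    name: str
    commands: list
    permit_unmatched_commands: bool            # Permit vs Deny Unmatched Commands


def authorize(cmdset, line):
    """Return True if the set permits the command line, False if it denies it."""
    tokens = line.split()
    if not tokens:
        return False
    command, argstr = tokens[0].lower(), " ".join(tokens[1:])
    for entry in cmdset.commands:
        if entry.command.lower() != command:
            continue
        # First argument entry whose pattern matches decides the outcome.
        for action, pattern in entry.args:
            if re.match(pattern, argstr):
                return action == "permit"
        # No argument entry matched: the per-command unmatched-args setting decides.
        return entry.permit_unmatched_args
    # No command entry matched: the set-level unmatched-commands setting decides.
    return cmdset.permit_unmatched_commands


# Open set from the text: everything is permitted except write erase and reload.
# 'reload' has no argument entries and Permit Unmatched Args unchecked, so it is
# denied with any argument or none.
MAINT_SET = CommandSet("DENY-ERASE-RELOAD", [
    CommandEntry("write", [("deny", "erase")], permit_unmatched_args=True),
    CommandEntry("reload"),
], permit_unmatched_commands=True)

# Restrictive set: only show (minus the configuration files) and exit are allowed.
PERMIT_SHOW = CommandSet("PERMIT-SHOW", [
    CommandEntry("show", [("deny", "running-config"), ("deny", "startup-config")],
                 permit_unmatched_args=True),
    CommandEntry("exit", permit_unmatched_args=True),
], permit_unmatched_commands=False)


if __name__ == "__main__":
    for cmdset in (MAINT_SET, PERMIT_SHOW):
        for line in ("write memory", "write erase", "reload in 5",
                     "show version", "show running-config", "configure terminal"):
            verdict = "permit" if authorize(cmdset, line) else "deny"
            print(f"{cmdset.name:18} {line:22} {verdict}")
```

IOS expands abbreviated commands before sending the authorization request, so wr er is evaluated as write erase and does not slip past a deny entry; a set that is meant to be restrictive still needs Deny Unmatched Commands, because an open set with a deny list only blocks the exact commands you thought of.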
Deleting Command Authorization Sets

Use the following steps to delete a command authorization set:
Editing Shell Command Authorization Sets

To edit a shell command authorization set, perform the following steps:
Configuring the Group Profile

Now that the command set is complete, you need to apply it to either a user or a group. To apply a configured command authorization set to a group profile, complete the following steps:
A sample of this can be seen in Figure 10-7, in which the command authorization set PERMIT-SHOW is applied.

Figure 10-7. Applying Command Authorization to the Group

This command authorization set applies to all users that belong to the group, and you can assign only one command authorization set this way. Suppose that you want separate command authorization sets for each type of equipment: one for firewalls and one for routers. To accomplish this, create two network device groups (to create network device groups, refer to Chapter 9, "Managing Network Configurations"), placing the firewalls in one and the routers in the other. Then, in Group Setup, apply a command authorization set to each network device group. Figure 10-8 gives an example of the process.

Figure 10-8. Applying Multiple Command Authorization Sets to a Group Profile

To complete this configuration, follow these steps:
NOTE To remove an association, select it and then click the Remove Associate button. Don't forget to submit and restart in ACS. Also keep in mind that if the router or firewall is still configured for command authorization, subsequent connections to the shells of those devices might be refused, because commands are now authorized against a set that no longer exists. Remove the AAA command authorization from the device before removing a command authorization set from the group.

Configuring the User Profile

Situations might present themselves in which you want a specific command authorization set applied to a single user. In the user profile, you can take command authorization from the group, assign a single command authorization set, apply a command authorization set associated with a network device group, or select none. To configure a single command authorization set in the user profile, perform the following steps:
Assigning command authorization sets associated with a network device group is the same process as in a group profile. The major difference is that you do not need to restart the ACS services, which allows on-the-fly changes that do not affect other users' authentications.

Testing Command Authorization

Testing command authorization is a very important step in the implementation. In my experience, commonly used commands are the ones most often overlooked when a set is built. Test while you have local (console) access to the devices or, whenever possible, in a controlled environment prior to deployment, so that a set that denies too much cannot lock you out of production equipment. A Cisco PIX 501 and a Cisco 800 series router are economical devices that can be used to test many of the AAA features available in Cisco IOS and PIX OS.