Command Authorization Sets


Command authorization sets create a central repository for command authorization. The capability of command authorization is available in most Cisco routers and PIX Firewalls at the local level. This section discusses how to move command authorization to the ACS.

Working with Command Authorization Sets

The ACS provides command authorization sets to be configured in the Group Setup section, as well as via the Shared Profile Components section. While the functionality of command authorization is the same in both areas, the benefit to configuring command authorization sets within Shared Profile Components is that you can configure the entire command set at once without continuously having to submit each command before configuring the next. Another benefit to configuring command authorization sets within Shared Profile Components is that you can configure multiple levels of command sets and apply them either at the group or the user-profile level.

PIX Command Authorization Sets Versus Shell Command Authorization Sets

Although the ACS gives you the option for configuring PIX command authorization sets or shell command authorization sets, the PIX Firewall never implemented the pixshell, which is what the PIX command authorization sets are based on. Therefore, the workaround to configure command authorization sets on a PIX Firewall is to use the shell command authorization sets.

Configuration Considerations for Command Authorization Sets

When beginning to configure command authorization, take the following into consideration:

  • How many users will be accessing the shell of your network devices?

  • How many levels of privilege will you need?

  • Will you apply the privilege to the user profile or the group?

  • If you will apply the privilege to the user, is there a default group privilege?

In addition to asking these questions, you might also consider writing out what commands you want to be available at each level as well as who is assigned each level. This is beneficial because it gives you a more visual approach to creating your command authorization sets.

Router Preparation for Command Authorization

To prepare a router to perform command authorization with ACS, you need to enter the following commands:

 Router(config)# aaa new-model
 Router(config)# tacacs-server host ip-address key key | radius-server host ip-address key key
 Router(config)# radius-server host 10.1.1.100 key secretkey

or

 Router(config)# tacacs-server host 10.1.1.100 key secretkey
 Router(config)# aaa group server {radius | tacacs+} group-name
 Router(config-sg-tacacs+)# server 10.1.1.100
 Router(config)# aaa authentication login default group [group-name | {radius | tacacs+}]
 Router(config)# aaa authorization commands level {default | list-name} group group-name
 Router(config)# aaa authorization exec default group {tacacs+ | radius}
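As an added example (not from the book), the following Python audit checks an IOS configuration for the preparation commands listed above, which is a quick way to verify a device before testing command authorization against the ACS; the hostname, the server group name ACS-GROUP and the sample configuration are constructed for illustration:

```python
"""Audit a Cisco IOS configuration for the command-authorization prerequisites
listed above (aaa new-model, AAA server, login list, command and exec authorization)."""
import re

# Constructed sample (not from the book): a router prepared per the steps
# above, but with 'aaa authorization exec' omitted and only level 1 covered.
SAMPLE_CONFIG = """\
hostname edge-rtr
aaa new-model
tacacs-server host 10.1.1.100 key secretkey
aaa group server tacacs+ ACS-GROUP
 server 10.1.1.100
aaa authentication login default group ACS-GROUP
aaa authorization commands 1 default group ACS-GROUP
line vty 0 4
 transport input ssh
"""

CHECKS = {
    "aaa new-model": re.compile(r"^aaa new-model$"),
    "aaa server defined": re.compile(r"^(tacacs|radius)-server host \S+"),
    "login authentication": re.compile(r"^aaa authentication login \S+ group \S+"),
    "exec authorization": re.compile(r"^aaa authorization exec \S+ group \S+"),
}
CMD_AUTHZ = re.compile(r"^aaa authorization commands (\d+) (\S+) group (\S+)")

def audit(config, required_levels=(1, 15)):
    """Return check results plus the privilege levels that carry
    'aaa authorization commands'; required levels lacking one are flagged."""
    lines = [line.strip() for line in config.splitlines()]
    result = {name: any(rx.match(line) for line in lines)
              for name, rx in CHECKS.items()}
    levels = set()
    for line in lines:
        m = CMD_AUTHZ.match(line)
        if m:
            levels.add(int(m.group(1)))
    result["command_levels"] = sorted(levels)
    result["missing_command_levels"] = sorted(set(required_levels) - levels)
    # The chapter's NOTE warns that a device still enforcing command
    # authorization may refuse shells once its set is removed from the ACS
    # group, so report whether device-side authorization is in place.
    result["authz_on_device"] = bool(levels)
    return result

if __name__ == "__main__":
    for name, value in audit(SAMPLE_CONFIG).items():
        print(f"{name:24} {value}")
```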

PIX Firewall Preparation for Command Authorization

To prepare the PIX Firewall for command authorization, enter the following commands at the config prompt on the PIX:

 pixfirewall(config)# aaa-server MYTACACS protocol tacacs+
 pixfirewall(config)# aaa-server MYTACACS (inside) host ip-address secretkey timeout 10
 pixfirewall(config)# aaa authentication telnet console MYTACACS
 pixfirewall(config)# aaa authentication enable console MYTACACS
 pixfirewall(config)# aaa authorization command MYTACACS

NOTE

To perform command-line authorization on a PIX Firewall, you must run Finesse OS version 6.2 or greater.


Configuring Shared Profile Components for Command Authorization

To configure command authorization sets for either the PIX or a Cisco IOS router, perform the following steps:

Step 1.

Select Shared Profile Components from the left menu screen.

Step 2.

Select Shell Command Authorization Sets.

Step 3.

Select the Add button.

Step 4.

Enter a name.

Step 5.

Enter a description.

Step 6.

Select a permit or deny option for this command set.

The choice between a permit action and a deny action here depends on the number of commands you want a user to have access to. For example, if you want a user with this command level to have access to everything except the erase and reload commands, it makes sense to make a deny authorization list for just those two commands. This means the Permit Unmatched Commands option would be selected. Follow these steps to create this authorization set:

Step 1.

Select Shared Profile Components.

Step 2.

Select Shell Command Authorization Sets.

Step 3.

Select the Add button.

Step 4.

Enter a name for your shell command authorization set.

Step 5.

Enter a description for your shell command authorization set.

Step 6.

You have two options in the form of radio buttons for unmatched commands. Select the Permit radio button.

Step 7.

The large box on the left is populated as you enter commands in the small text box below it. In the small text box, enter the word write.

Step 8.

Select the Add Command button.

After performing Step 8, you can see the write command placed in the large box on the left side of the configuration page.

Step 9.

Select the command with your mouse. This highlights the command in blue.

Step 10.

Place a check mark in the box next to the words Permit Unmatched Arguments. This causes any argument that is not listed in the box below the check mark to be permitted. If the box is empty, all arguments are permitted.

Step 11.

To lock in the command write erase as a command that is to be matched, you need to place a permit statement with the command argument in the box below the check mark. Place the statement permit erase in the box.

At this point, your command authorization set reads like this: Any command that does NOT match "write erase" will be permitted. This accomplishes the task of preventing a write erase from being performed. To include the reload command as a denied command, repeat Steps 7 through 9 of the preceding step sequence with the command reload in place of write, omitting Steps 10 and 11. This causes the configuration to include the reload command with any argument.

On the other hand, if you are going to create a level that is very restrictive, you would want to then select the option to Deny Unmatched Commands. In your list, you would then enter the commands that you want to allow. You can create this list by following these steps:

Step 1.

Enter either the commands you want to have permitted or denied. A sample of a command you want to permit is seen in Figure 10-5. You do not enter the entire command here, only the beginning or type of command. For example, if the command you wish to permit is show running-config, the command you enter is show.

Figure 10-5. Entering a permit Command


Step 2.

In the field directly under the option Permit Unmatched Args, enter the rest of the command that you want to allow. This is in a permit format. For example, using the command seen in Step 1, in this field you enter permit running-config. Figure 10-6 shows an example of this.

Figure 10-6. Permitting Sub-Arguments


Step 3.

When your list is complete, select the Submit button.

Deleting Command Authorization Sets

Use the following steps to delete a command authorization set:

Step 1.

Select Shared Profile Components from the left menu screen.

Step 2.

Select Shell Command Authorization Sets.

Step 3.

Select the shell command authorization set that you want to delete.

Step 4.

Select the Delete button.

Editing Shell Command Authorization Sets

To edit a shell command authorization set, perform the following:

Step 1.

Select Shared Profile Components from the left menu screen.

Step 2.

Select Shell Command Authorization Sets.

Step 3.

Select the shell command authorization set that you want to edit.

Step 4.

Make the necessary modifications.

Step 5.

Select Submit.

Configuring the Group Profile

Now that the command set is completed, you need to apply it to either a user or a group. To apply a configured command authorization set to a group profile, complete the following steps:

Step 1.

Select Group Setup from the left menu in ACS.

Step 2.

Using the drop-down menu, select the group that you want to apply the command authorization set to.

Step 3.

Select Edit Settings.

Step 4.

Using the Jump To drop-down menu, select TACACS+.

Step 5.

Scroll to Shell Command Authorization Set.

Step 6.

Select the Assign a Shell Command Authorization Set for any network device radio button.

Step 7.

Select Command Authorization Set in the drop-down menu.

Step 8.

Select Submit + Restart.

A sample of this can be seen in Figure 10-7. In the figure, the command authorization set PERMIT-SHOW is applied.

Figure 10-7. Applying Command Authorization to the Group


This command authorization set applies to all users that belong to this group. You can assign only one command authorization set this way. Suppose that you want to have separate command authorization sets for each type of equipment, one set for firewalls and one set for routers. To accomplish this, you would create two network device groups. To create network device groups, refer to Chapter 9, "Managing Network Configurations." In one network device group, you would place your firewalls, and in the other, you would place the routers. Once in Group Setup, you would apply your command authorization set to a network device group. Figure 10-8 gives you an example of the process.

Figure 10-8. Applying Multiple Command Authorization Sets to a Group Profile


To complete this configuration, follow these steps:

Step 1.

Select Group Setup from the left menu in ACS.

Step 2.

Using the drop-down menu, select the group that you want to apply the command authorization set to.

Step 3.

Select Edit Settings.

Step 4.

Using the Jump To drop-down menu, select TACACS+.

Step 5.

Scroll to Shell Command Authorization Set.

Step 6.

Select Assign a Shell Command Authorization Set on a per Network Device Group Basis.

Step 7.

In the Device Group drop-down menu, select the device group to which you want to add command authorization.

Step 8.

In the Command Set drop-down menu, select the command set you want to apply to this group.

Step 9.

Select the Add Association button.

This places an entry into the Device Group/Command Set table. Repeat Steps 6 through 9 to add the second device group.

Step 10.

Select the Submit + Restart button when you are finished.

NOTE

To remove an association, simply select the association and then select the Remove Association button. Don't forget to submit and restart in ACS. Also, keep in mind that if the router or firewall is still configured for command authorization, all subsequent connections to the shells of those devices might be refused. You should remove the AAA authorization for commands on the device prior to removing a command authorization set from the group.


Configuring the User Profile

Situations might present themselves in which you want a specific command authorization set to be applied to a user. In the user profile, you have the ability to get command authorization from the group, to assign a single command authorization set, to apply a command authorization set associated with a network device group, or to select none. To configure a single command authorization set in the user profile, perform the following steps:

Step 1.

Select User Setup from the left menu.

Step 2.

Enter the username you want to add command authorization to in the field provided.

Step 3.

Select Add/Edit.

Step 4.

Scroll to Shell Command Authorization Set.

Step 5.

Select the Assign a Shell Command Authorization Set for any network device radio button.

Step 6.

Using the drop-down menu, select the command authorization set you want to apply.

Step 7.

Select Submit.

Assigning command authorization sets associated with a network device group is the same process as when it is done in a group profile. The major difference here is that you have no need to restart the ACS services. This allows for better on-the-fly changes that do not affect other user authentications.

Testing Command Authorization

Testing command authorization is a very important step in the implementation. In my experience, I have found that oftentimes common commands are overlooked. Try to test when you have local access to the devices, or whenever possible, try to test in a controlled environment prior to deployment. A Cisco PIX 501 and Cisco 800 series router are economical devices that can be used to test a number of the AAA features available in the Cisco IOS and PIX OS.




Cisco Access Control Security: AAA Administration Services
ISBN: 1587051249
Year: 2006
Pages: 173