Restricting Command Access
Problem
You want to restrict permission so that specific users can use only certain commands.
Solution
You can enable TACACS+ command authorization in newer IOS versions with the following set of configuration commands:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authorization exec default group tacacs+
Router1(config)#aaa authorization commands 15 default group tacacs+
Router1(config)#tacacs-server host 172.25.1.1
Router1(config)#tacacs-server key COOKBOOK
Router1(config)#end
Router1#
In any IOS version before 12.0(5)T, the AAA syntax was slightly different:
Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#aaa new-model
Router2(config)#aaa authorization exec default tacacs+
Router2(config)#aaa authorization commands 15 default tacacs+
Router2(config)#end
Router2#
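A fuller version of the same command-authorization setup, added here as an example rather than taken from the cookbook; the server address 192.0.2.10 and the key EXAMPLE-KEY are placeholders. Beyond the recipe above it authorizes level-1 as well as level-15 commands, keeps configuration-mode commands under authorization, covers the console line, adds command accounting, and falls back to if-authenticated only when no TACACS+ server answers (a reject from the server is final; the fallback is never consulted for it).

```cisco
! Added example, not the cookbook's configuration.
! 192.0.2.10 and EXAMPLE-KEY are placeholders.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
! Without the level-1 line, a user at privilege level 1 is never checked.
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
! Configuration-mode commands stay subject to authorization
! (on by default once command authorization exists; made explicit here).
aaa authorization config-commands
! Command authorization does not apply to the console unless enabled.
aaa authorization console
! Record every level-15 command on the server for an audit trail.
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.0.2.10 key EXAMPLE-KEY
```

The if-authenticated method is tried only when the TACACS+ server does not respond, so losing the server does not lock administrators out while a server-side reject still blocks the command.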
Discussion
After you configure AAA authorization, the router will query the TACACS+ server each time somebody enters a command to see if it is allowed. If the user is permitted to use this particular command, the TACACS+ server will respond with an “accept” message, and the router will proceed to execute the command. However, if the user is not permitted to issue the command, the TACACS+ server responds with a “reject” message, and the router will not execute the command. The router also shows a rejection status message on the screen:
Router1#configure ...