Restricting Command Access
Problem
You want to restrict permission so that specific users can use only certain commands.
Solution
You can enable TACACS+ command authorization in newer IOS versions with the following set of configuration commands:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authorization exec default group tacacs+
Router1(config)#aaa authorization commands 15 default group tacacs+
Router1(config)#tacacs-server host 172.25.1.1
Router1(config)#tacacs-server key COOKBOOK
Router1(config)#end
Router1#
In any IOS version before 12.0(5)T, the AAA syntax was slightly different:
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#aaa new-model
Router2(config)#aaa authorization exec default tacacs+
Router2(config)#aaa authorization commands 15 default tacacs+
Router2(config)#end
Router2#
Discussion
After you configure AAA authorization, the router will query the TACACS+ server each time somebody enters a command to see if it is allowed. If the user is permitted to use this particular command, the TACACS+ server will respond with an "accept" message, and the router will proceed to execute the command. However, if the user is not permitted to issue the command, the TACACS+ server responds with a "reject" message, and the router will not execute the command. The router also shows a rejection status message on the screen:
Router1#configure terminal
Command authorization failed.
Router1#
In this case, the current user is unable to modify the router configuration because of an AAA authorization rejection.
Command authorization is useful in many situations. For example, you can use it to allow novice users to access some commands on the router, while preventing them from modifying the configuration. Or, in other cases, you might need to give special access to different groups of users according to their job functions. For example, the night operator might need to have access to look at the routing tables. But you may not want to give this person the same command set as your network engineers. In Recipe 4.8, we illustrate how to configure a TACACS+ server to permit and deny specific commands.
In the recipe examples, we have configured the router to authorize enable-level commands only, by specifying the number 15 as an argument:
Router1(config)#aaa authorization commands 15 default tacacs+
You may recall from Chapter 3 that the enable level commands are assigned level 15, whereas VTY level commands are at level 1. You can authorize all level 1 commands as well, depending on the level of security and control you wish to enforce. You could authorize all level 1 commands as follows:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authorization commands 1 default tacacs+
Router1(config)#end
Router1#