X-post from CCNA
I"m working in my lab and I finally got to the point where I can successfully login to a router using TACACS but there's something in my authorization config (either on the router or the server, I'm leaning toward server config) that is preventing me from being able to elevate out of user exec mode. No matter what I try it just always says access denied.
My suspicion is that I"m missing something in the authorization.xml file. I've read through the documentation on the tacacs.net site and also on the cisco site and I can't find an answer.
I'm using the free version from tacacs.net running on a Windows 10 laptop with the IP address 10.10.2.10. The router that I've configured for TACACS has an IP of 10.10.3.1.
Here is (I believe) my relevant config:
Router:
aaa new-model aaa authentication login default local aaa authentication login AUTHEN_via_TACACS group tacacs+ local aaa authorization console aaa authorization exec Author-Exec_via_TACACS group tacacs+ local ! tacacs-server host 10.10.2.10 key tacacs ! line vty 0 4 exec-timeout 0 0 authorization exec Author-Exec_via_TACACS login authentication AUTHEN_via_TACACS
Server - authentication.xml
<UserGroup> <Name>Network Engineering</Name> <AuthenticationType>File</AuthenticationType> <Users> <User> <Name>test</Name> <LoginPassword ClearText="password" DES=""> </LoginPassword> <EnablePassword ClearText="password" DES=""></EnablePassword> <CHAPPassword ClearText="" DES=""> </CHAPPassword> <OutboundPassword ClearText="" DES=""> </OutboundPassword> </User> </Users> </UserGroup>
Server - authorization.xml
<Authorizations> <Authorization> <!--This entry will only be processed in the times given below--> <!--<Time>MTWRFSN,04:00-21:00</Time>--> <!--This authorization section applies to the following user groups. In case of conflicting authorization entries for the same group, the entry which appears first in the file is used.--> <UserGroups> <UserGroup>Network Engineering</UserGroup> </UserGroups> <ClientGroups> <ClientGroup>Routers</ClientGroup> </ClientGroups> <AutoExec> <!--<Set>acl=7</Set>--> <!--<Set>autocmd=telnet 10.1.1.1</Set>--> <Set>priv-lvl=15</Set> </AutoExec> <Shell> <!--<Permit>configure</Permit>--> <!--<Deny>show running-config</Deny>--> <Permit>enable</Permit> <!--<Deny>show bgp all</Deny>--> <!--<Permit>show bgp .*</Permit>--> <Permit>.*show.*</Permit> <Permit>.*</Permit> </Shell> <Services> <!-- <Service> <Set>service=ppp</Set> <Set>protocol=ip </Set> --> <!--<Set>addr=10.1.1.1</Set>--> <!--mandatory argument--> <!--Their mandatory input access list number is 5--> <!--<Set>inacl=5</Set>--> <!--<SetOptional>outacl=10</SetOptional>--> <!--These are examples of vendor specific attributes(VSAs)--> <!--<Set>foundry-privlvl=5</Set>--> <!-- </Service> --> </Services> </Authorization>
Server - clients.xml
<ClientGroup Name="Routers"> <Secret ClearText="tacacs" DES=""> </Secret> <Clients> <Client>10.10.*</Client> <Client>192.168.*</Client> </Clients> </ClientGroup>
No comments:
Post a Comment