Hi there,
I am attempting to create a service within ClearPass that permits or denies certain commands for Cisco IOS users using TACACS.
The command authorization works great: some commands are permitted, some are denied.
But my issue is that I can't get users to be dropped directly into priv 15 / enabled mode like I am able to with Cisco ISE.
Switch Config:
aaa group server tacacs+ CLEARPASS-TACACS
server name CLEARPASS1
server name CLEARPASS2
ip vrf forwarding NMS
ip tacacs source-interface Vlan10
!
aaa authentication login default group CLEARPASS-TACACS local
aaa authentication enable default group CLEARPASS-TACACS enable
aaa authorization config-commands
aaa authorization exec deafult group CLEARPASS-TACACS local if-authenticated
aaa authorization commands 1 default group CLEARPASS-TACACS local if-authenticated
aaa authorization commands 15 default group CLEARPASS-TACACS local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group CLEARPASS-TACACS
aaa accounting commands 15 default start-stop group CLEARPASS-TACACS
aaa accounting connection default start-stop group CLEARPASS-TACACS
aaa accounting system default start-stop group CLEARPASS-TACACS
!
tacacs server CLEARPASS1
address ipv4 10.0.10.22
key 7 xxxxxx
tacacs server CLEARPASS2
address ipv4 10.0.10.21
key 7 xxxxxx
!
!
!
!
line con 0
line vty 5 15
Below is the Enforcement Profile that my user is hitting:
I ran a 'debug AAA Authorization' on the Cisco switch.
Lines 1 and 2 are displayed when I log in (still in user exec, priv 1).
Lines 3 - 7 are displayed when I type 'enable' and successfully enter my password.
1 Mar 30 04:17:26.400: AAA/BIND(0000002D): Bind i/f
2 Mar 30 04:17:26.467: AAA/AUTHOR (0000002D): Method list id=0 not configured. Skip author
3 Mar 30 04:17:28.656: AAA/AUTHOR: auth_need : user= 'jdoe' ruser= 'switch2'rem_addr= '10.0.0.52' priv= 0 list= '' AUTHOR-TYPE= 'commands'
4 Mar 30 04:17:28.656: AAA: parse name=tty3 idb type=-1 tty=-1
5 Mar 30 04:17:28.656: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
6 Mar 30 04:17:28.665: AAA/MEMORY: create_user (0x40B03A4) user='jdoe' ruser='NULL' ds0=0 port='tty3' rem_addr='10.0.0.52' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
7 Mar 30 04:17:31.248: AAA/MEMORY: free_user (0x40B03A4) user='jdoe' ruser='NULL' port='tty3' rem_addr='10.0.0.52' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
Anybody able to tell me what I am missing?
I only want users of THIS Enforcement Profile to be granted priv 15 immediately. I have other users who I am happy to leave locked down in priv 1, as that is all they are granted.
------------------------------
Regards,
BrettVerney
------------------------------
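Added example (not from the post above, and not ClearPass or Cisco code): a small audit script for the IOS AAA block that catches the configuration states under which a TACACS+ server can return a privilege level that the switch never acts on. It encodes two IOS behaviours as I know them: only the method list literally named `default` is applied automatically, while any other list name is inert until a `line` block applies it with `authorization exec NAME`; and exec authorization is the exchange that carries the server-assigned privilege level at login, so a debug line like "Method list id=0 not configured. Skip author" at login is consistent with no exec authorization list being active. The sample configuration is constructed from the AAA lines in the post; `BUILTIN_GROUPS`, the regexes and the finding wording are my own choices.

```python
import re

# Constructed sample: the AAA section of the switch configuration quoted in the post,
# reproduced verbatim (including list names) so the audit has realistic input.
SAMPLE_CONFIG = """\
aaa group server tacacs+ CLEARPASS-TACACS
 server name CLEARPASS1
 server name CLEARPASS2
!
aaa authentication login default group CLEARPASS-TACACS local
aaa authentication enable default group CLEARPASS-TACACS enable
aaa authorization config-commands
aaa authorization exec deafult group CLEARPASS-TACACS local if-authenticated
aaa authorization commands 1 default group CLEARPASS-TACACS local if-authenticated
aaa authorization commands 15 default group CLEARPASS-TACACS local if-authenticated
aaa accounting exec default start-stop group tacacs+
!
line con 0
line vty 5 15
"""

# Server groups IOS provides without an explicit 'aaa group server' definition (assumption).
BUILTIN_GROUPS = {"tacacs+", "radius"}

# 'aaa authorization exec LIST methods...' or 'aaa authorization commands N LIST methods...'
AUTHZ_RE = re.compile(r"^aaa authorization (exec|commands \d+) (\S+) (.+)$")
# 'authorization exec LIST' / 'authorization commands N LIST' inside a 'line' block
LINE_AUTHZ_RE = re.compile(r"^(authorization (?:exec|commands \d+)) (\S+)$")


def parse_aaa(config):
    """Collect server groups, authorization method lists and per-line list assignments."""
    groups = set(BUILTIN_GROUPS)
    lists = {}        # (kind, list_name) -> [methods]
    applied = {}      # (kind, list_name) -> [line blocks that apply it]
    lines = []        # every 'line ...' block seen
    current_line = None
    for raw in config.splitlines():
        text = raw.strip()
        if text.startswith("aaa group server "):
            groups.add(text.split()[-1])
            current_line = None
        elif text.startswith("line "):
            current_line = text
            lines.append(current_line)
        elif (m := AUTHZ_RE.match(text)):
            kind, name, methods = m.group(1), m.group(2), m.group(3).split()
            lists[(kind, name)] = methods
            current_line = None
        elif current_line and (m := LINE_AUTHZ_RE.match(text)):
            key = (m.group(1)[len("authorization "):], m.group(2))
            applied.setdefault(key, []).append(current_line)
        elif text.startswith("aaa ") or text == "!":
            current_line = None
    return groups, lists, applied, lines


def audit(config):
    """Return findings about authorization lists that can never run or reference nothing."""
    groups, lists, applied, lines = parse_aaa(config)
    findings = []
    for (kind, name), methods in lists.items():
        # Every 'group X' method must name a defined (or built-in) server group.
        for i, method in enumerate(methods):
            if method == "group" and i + 1 < len(methods) and methods[i + 1] not in groups:
                findings.append(f"{kind} list '{name}' references undefined server group '{methods[i + 1]}'")
        # A list not named 'default' is inert until some line block applies it.
        if name != "default" and (kind, name) not in applied:
            findings.append(f"{kind} list '{name}' is defined but applied to no line; check the list name")
    # Exec authorization carries the server-assigned privilege level; each line needs an active list.
    has_default_exec = ("exec", "default") in lists
    for line in lines:
        named = [n for (k, n), ls in applied.items() if k == "exec" and line in ls]
        if not has_default_exec and not named:
            findings.append(f"{line}: no exec authorization list active, server privilege level never applied")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the running config pasted from `show running-config | section aaa|line` after any AAA change; an empty result means every authorization list is reachable and every line has an exec authorization list through which the server's privilege level can take effect.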