Hi List,
Has anyone got AAA command authorization working correctly on modern
NetIron code, on the MLX/CERs?
With a working TACACS+ server, with the below aaa configuration, I don't
receive Command Authorization commands (confirmed with logs / pcap) for
commands prefaced with 'no', but do for other configuration level commands.
This presents a problem when I can block commands like 'router mpls', but
other commands such as 'no router mpls' still work.
Testing is done with a logged in user with priv level 0 (super user).
Testing has been done with a few variants of 5.8, 6.0 and 6.2 code all with
the same results.
Has anyone else run into this issue? Or has working command authorization
with a different (e.g., RADIUS) setup?
AAA config:
tacacs-server host 192.0.2.200
tacacs-server key tacacskeyhere
aaa authentication enable default tacacs+
aaa authentication login default tacacs+
aaa authentication login privilege-mode
aaa authorization commands 0 default tacacs+
aaa authorization exec default tacacs+
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+
--
Email: pat@ge3k.net
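
An added example, not part of the original post: one way to find commands that bypassed authorization is to compare the TACACS+ server's accounting records with its authorization requests. The "time|device|user|cmd" record format, the sample lines and the function names are constructed for illustration, and the check assumes the device still sends accounting records for 'no' commands, which the post does not state.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical normalised "time|device|user|cmd"
# form; a real TACACS+ server's log format must be mapped to this first.
AUTHZ_LOG = """\
2024-01-10T09:00:01|mlx1|alice|configure terminal
2024-01-10T09:00:05|mlx1|alice|router mpls
2024-01-10T09:02:11|mlx1|bob|show version
"""
ACCT_LOG = """\
2024-01-10T09:00:01|mlx1|alice|configure terminal
2024-01-10T09:00:40|mlx1|alice|no router mpls
2024-01-10T09:02:11|mlx1|bob|show version
2024-01-10T09:03:00|mlx1|bob|no ip route 198.51.100.0/24 192.0.2.1
"""

def parse(log):
    """Yield (timestamp, device, user, command) from normalised lines."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, device, user, cmd = line.split("|", 3)
        # Collapse whitespace so both logs compare on the same command text.
        yield datetime.fromisoformat(ts), device, user, " ".join(cmd.split())

def commands_without_authorization(authz_log, acct_log, window=timedelta(seconds=5)):
    """Return accounting records with no authorization request shortly before."""
    seen = defaultdict(list)
    for ts, device, user, cmd in parse(authz_log):
        seen[(device, user, cmd)].append(ts)
    gaps = []
    for ts, device, user, cmd in parse(acct_log):
        times = seen.get((device, user, cmd), [])
        if not any(timedelta(0) <= ts - t <= window for t in times):
            gaps.append((ts.isoformat(), device, user, cmd))
    return gaps

def negated_count(gaps):
    """Count how many unauthorized records are 'no'-prefixed commands."""
    return sum(1 for g in gaps if g[3].lower().startswith("no "))

if __name__ == "__main__":
    gaps = commands_without_authorization(AUTHZ_LOG, ACCT_LOG)
    for g in gaps:
        print("accounted but never authorized:", *g)
    print(negated_count(gaps), "of", len(gaps), "start with 'no'")
```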