CCIE Security Advanced Technologies Class - TACACS+ Command Accounting

Transcript

1	Introduction	0h 37m
2	CCIE Security Preparation Resources	0h 50m
3	ASA Overview	0h 37m
4	Basic ASA Initialization	1h 02m
5	ASA Routing	0h 37m
6	ASA Reliable Static Routing	0h 20m
7	ASA Access Control Lists (ACLs)	0h 41m
8	ASA Modular Policy Framework (MPF) Overview	0h 53m
9	ASA Modular Policy Framework (MPF) Configuration	0h 51m
10	ASA Advanced TCP Inspection with MPF	0h 40m
11	ASA Advanced Application Inspection with MPF	0h 36m
12	ASA Quality of Service (QoS)	0h 30m
13	ASA Network Address Translation (NAT) Part 1	0h 50m
14	ASA Network Address Translation (NAT) Part 2	0h 30m
15	ASA Transparent Firewall Overview	0h 25m
16	ASA Transparent Firewall Configuration	0h 43m
17	ASA ARP Inspection with Transparent Firewall	0h 21m
18	ASA Multiple Context Mode Overview	0h 42m
19	ASA Multiple Context Mode Configuration	0h 59m
20	ASA Redundant Interfaces	0h 22m
21	ASA Failover Overview	0h 19m
22	ASA Active/Standby Failover Routed Firewall Configuration	0h 29m
23	ASA Active/Standby Failover Transparent Firewall Configuration	0h 17m
24	ASA Active/Active Failover Routed Firewall Configuration	0h 37m
25	ASA Multiple Context Transparent Firewall Configuration	0h 29m
26	ASA Active/Active Failover Transparent Firewall Configuration	0h 29m
27	IOS Access Control Lists (ACLs)	0h 23m
28	IOS Time Based ACLs	0h 13m
29	IOS Lock & Key Security with Dynamic ACLs	0h 24m
30	IOS Reflexive ACLs	0h 44m
31	IOS TCP Intercept and Content Based Access Control (CBAC)	0h 39m
32	Zone Based Policy Firewall Overview	0h 26m
33	Zone Based Policy Firewall Configuration	0h 44m
34	ZBPF Self Zone & ZBPF Exceptions	0h 48m
35	Port to Application Mapping (PAM)	0h 32m
36	ZBPF Parameter Tuning	0h 32m
37	ZBPF Application Inspection	0h 27m
38	IOS Transparent Firewall	0h 28m
39	IPsec Overview	0h 37m
40	IOS IPsec LAN-to-LAN Configuration	0h 58m
41	IPsec Troubleshooting	0h 42m
42	GRE over IPsec, IPsec Profiles, & VTIs	0h 51m
43	ASA IPsec Overview	0h 24m
44	ASA IPsec LAN-to-LAN Configuration	0h 20m
45	Certificate Authority (CA) Overview	0h 16m
46	IOS & ASA LAN-to-LAN IPsec with Certificates	0h 57m
47	Easy VPN Overview	0h 12m
48	IOS Easy VPN Server	1h 10m
49	IOS Easy VPN Client	0h 30m
50	IOS Easy VPN with Dynamic VTIs, ISAKMP Profiles	0h 49m
51	ASA Easy VPN Server	0h 51m
52	ASA Easy VPN Server & IOS Easy VPN Client	0h 17m
53	ASA Clientless & AnyConnect SSL VPN	1h 04m
54	DMVPN	1h 05m
55	IPS Overview, Promiscuous Mode & SPAN	0h 43m
56	IPS Promiscuous Mode & RSPAN	0h 28m
57	IPS Blocking Devices & Custom Signatures	0h 50m
58	IPS Inline Mode, VLAN Pairing	0h 15m
59	IPS Virtual Sensors and Signature Engines	0h 16m
60	AAA Overview, Local AAA, & Role Based CLI	0h 51m
61	RADIUS, TACACS+, & Cisco Secure ACS Configuration	0h 51m
62	RADIUS & TACACS+ Exec Authorization & Accounting	0h 39m
63	TACACS+ Command Accounting	0h 30m
64	RADIUS & TACACS+ Enable Authentication	0h 14m
65	IOS Authentication Proxy	0h 33m
Total Duration		39h 19m

Base Configs

Diagrams

Slides - Introduction

Slides - ASA

Slides - IOS Firewall

Slides - VPN

Slides - IPS

Slides - Identity Management

0:00:13	In our next section we are going to look at the
0:00:15	per command authorisation via tacacs
0:00:19	where if we look at our current configuration of router 1
0:00:22	we have it configured for doing, exec
0:00:25	log in authentication via tacacs
0:00:28	also the exec authorisation
0:00:31	which again is controlling
0:00:33	can the user start the exec shell
0:00:35	and once they do, what is the privilege number that they are assigned
0:00:38	then we have accounting for the exec process
0:00:41	which tells us when did the user log in when did the user log out
0:00:45	and then the accounting for commands which is telling us exactly what command they issued
0:00:49	once the user was logged in
0:00:52	now the authorisation for commands is similar to the accounting of commands
0:00:57	where as I mentioned before
0:00:58	these numbers
0:01:00	are representative of the privilege level of the command itself
0:01:04	not the privilege level of the user that is trying to issue them
0:01:09	so in general when we see most accounting configuration for accounting of commands
0:01:14	and most authorisation configuration for command authorisation
0:01:18	we are going to see its specified for 0,1 and 15
0:01:22	because by default all command are going to be 0,1 and 15
0:01:26	unless we are manually modifying it with the privilege level command
0:01:31	so the changes that we are going to make then on router 1
0:01:35	are similar to this aaa
0:01:37	accounting command syntax but instead we are going to say aaa authorisation
0:01:41	of commands
0:01:42	I would authorised a level 0 command
0:01:45	this is going to less they will say is tacacs
0:01:51	tacacs commands
0:01:56	authorisation
0:01:58	this will go to group
0:02:01	that is tacacs
0:02:03	and again notice that there is no option for radius here, because radius does not support command authorisation
0:02:08	and I want specify this for commands level 1
0:02:11	and commands that are at level 15
0:02:16	we may now look at our debugs on router 1
0:02:19	we are going to debug aaa
0:02:21	authentication
0:02:23	debug aaa authorisation
0:02:25	and debug aaa accounting
0:02:28	along with our debug tacacs
0:02:31	authentication
0:02:33	debug tacacs authorisation
0:02:35	and debug tacacs accounting
0:02:38	so basically all three variations, both for the debug tacacs and the debug aaa
0:02:43	now I haven't changed anything on
0:02:46	the aaa server
0:02:48	that is related to this user
0:02:50	so if we go back to the acs server and go under the user set up
0:02:53	list all the users
0:02:55	we have the aaa user
0:02:58	the only thing that we have specified is their user name and password
0:03:01	but the password here is cisco
0:03:04	then under the tacacs settings
0:03:06	I have them able to run the shell process
0:03:10	so the exec shell
0:03:12	and I am assigning them privilege level 15
0:03:16	it says for the shell
0:03:18	command authorisation set
0:03:21	this is going to be assigned as the particular group
0:03:24	that they are to find it
0:03:26	where in this case they are in the default group
0:03:29	so next that telnet into router 1
0:03:32	with telnet to 200.0.0.1
0:03:36	our user name is aaa user
0:03:40	password is cisco
0:03:42	we can see that now we are authorised
0:03:44	to the exec process
0:03:46	so the authentication was successful
0:03:48	and the exec authorisation was successful
0:03:51	we look at router 1 we should see both of these debugs
0:03:54	where the first thing
0:03:56	the first thing that happened is that it found the tacacs
0:03:59	authentication list
0:04:02	it then asks the server
0:04:04	is this particular user with that particular password
0:04:07	authenticated
0:04:09	the acs server replies back saying yes, that's the correct authentication parameters
0:04:14	then we into our exec
0:04:16	authorisation
0:04:18	we are trying to ask the aaa server
0:04:20	can this user log in to the show
0:04:24	the
0:04:25	server replies back, yes they can log in and they are going to be a assigned
0:04:28	privilege level 15
0:04:31	so we are saying yes they can log in plus this is their particular privilege level
0:04:36	now we are starting to do accounting, exec accounting
0:04:39	which tells the server the user logged in
0:04:42	then the eventually when they exit, we are going a stop the accounting
0:04:45	which is the stop record
0:04:48	so the start record is saying the user logged in, stop record is then going to say the user logged out
0:04:53	now at this point
0:04:55	when we go to actually issue any commands, lets say, show privilege
0:05:03	says the current privilege level is 15 if we were to say
0:05:07	clear ip route
0:05:10	if I were to say config t
0:05:13	we could see, we can issue any of this command, if we go back to the router 1
0:05:19	the command accounting process is running
0:05:23	but the command authorisation process
0:05:27	has not been involved
0:05:30	so what this means is that there must be
0:05:33	a misconfiguration in either the definition of the list
0:05:36	or the application of the list
0:05:40	so lets look at router 1, first lets undebug all
0:05:44	then lets look at the show run section
0:05:47	aaa
0:05:49	or tacacs or
0:05:51	line
0:05:54	where I have the command authorisation
0:05:57	configured
0:05:58	tacacs command authorisation for levels 0,1 and 15
0:06:03	then under the lines
0:06:05	I have the
0:06:06	log in authentication
0:06:08	the exec authorisation and the command accounting
0:06:12	but I didn't apply the command authorisation
0:06:16	so it's gone fall back to default the method, which is none
0:06:20	so now under the line I need to say authorisation
0:06:23	of commands
0:06:26	level 0 command this is going to go to
0:06:29	tacacs
0:06:30	command authorisation
0:06:33	same with level 1 and with level 15
0:06:37	now again it may see a little bit redundant that is asking me to do this three times
0:06:42	but
0:06:43	the idea is that we have the granularity to do one type of
0:06:47	authorisation 1 level different than another 1
0:06:50	may be we have 2 separate tacacs server
0:06:52	or some sort of real complex design where we want to sent them different directions
0:06:56	we have the flexibility to do that
0:06:59	so now lets look again at the debug aaa authorisation
0:07:03	and the debug tacacs authorisation
0:07:06	I should now see that when the user
0:07:08	issues another command, if they show privilege
0:07:15	show privilege, it says, command authorisation fail
0:07:18	if I tried to clear the routing table
0:07:20	if I tried to go to global config
0:07:22	even if I try to exit
0:07:24	out of the command line if I try to log out
0:07:27	all of these command authorisation have failed
0:07:31	which means that router 1 is properly asking the server
0:07:35	and we will see, if we go back to top with this, where we started the debug
0:07:40	every time we issue a command
0:07:43	the aaa client which is router 1 is going to send to the aaa server
0:07:47	that someone is running the shell server
0:07:50	this is the particular command they are trying to run
0:07:52	here was a show command
0:07:55	followed by the individual arguments which was privilege
0:07:59	then the carriage return or enter
0:08:02	we found the method list which is the tacacs command authorisation
0:08:06	we are forwarding this to server
0:08:08	server says fail
0:08:09	you are not authorised to run this command
0:08:13	if we then scroll down we should see all of the other commands that we tried to issue on router 1
0:08:18	I tried to issue the clear
0:08:21	ip route * command
0:08:24	I try to say
0:08:26	configure terminal
0:08:29	this was denied
0:08:31	I was then, I then tried to say exit
0:08:33	I then tried to say log out
0:08:35	these are all being denied
0:08:38	now a couple of key points we need to notice about this here
0:08:41	one is that
0:08:43	0by default we are failing all of the authorisation
0:08:47	because under the user it said to check the group
0:08:49	for the command authorisation and we don't have anything configured
0:08:52	so it means that everything is denied by default
0:08:55	the other thing is the way that the
0:08:57	aaa client is separating the request
0:09:00	it's saying that I have a command
0:09:02	plus it's arguments
0:09:05	if this is similar to we had to modify before with privilege command
0:09:10	or with the role based access control or the role based cli
0:09:14	with the IOS parser has the major command in the individual argument
0:09:18	or one of the major commands would be like clear
0:09:21	the clear ip route sar command is the major command clear
0:09:25	followed by the argument ip route and *
0:09:30	now what this means is that when we define a command authorisation set on the server
0:09:36	we need to specify what is the major command
0:09:39	then we either permit or deny
0:09:42	the individual arguments
0:09:45	now the one argument we don't have to match here is the carriage return, it is assumed that you always going to press enter
0:09:50	once you are done with the command
0:09:52	but the
0:09:54	flexibility will see of doing the per command authorisation with tacacs
0:09:58	is that we can essentially define anything we want to
0:10:01	individual arguments that a user can or can not issue
0:10:05	and there is no strict hierarchy
0:10:08	to having
0:10:09	one user's command authorisation set interfering with another one
0:10:14	where in the case of the privilege levels or even with the role based cli
0:10:17	the previlege levels its very difficult to do this
0:10:20	because if I am at privilege 5
0:10:22	it automatically means I get all command that are 0 through 5
0:10:26	where if I am at privilege 7 I am going to get everything that is zero through 7
0:10:30	even with the role based cli we have option those that said include in exclusive
0:10:35	which means that I am the only
0:10:37	parser view or I am the only role
0:10:39	it's able to issue this command
0:10:42	but with the command authorisation and tacacs there is no structure to it
0:10:45	however we define the command authorisation set
0:10:48	the users are going to be able to, either
0:10:50	issue those command or not issue those command
0:10:54	now there is a couple quick notes
0:10:56	that I need to talk about here before we look at the configuration
0:11:00	if we look at the, and actually lets go to command reference here
0:11:07	so from the main documentation page
0:11:10	lets go to products and ios
0:11:13	regular ios
0:11:16	12.4 12.4T
0:11:19	then under reference guides the command reference
0:11:25	and this is going to be under the security command reference
0:11:29	I want to see the aaa command so this two sections
0:11:38	so, so far I issue the aaa authorisation
0:11:44	and that is for commands
0:11:47	there is also two either key words that is important here
0:11:50	two other commands are important
0:11:52	aaa authorisation config-commands
0:11:54	and aaa authorisation
0:11:56	console
0:11:58	where aaa authorisation config commands
0:12:01	says that
0:12:03	use the
0:12:05	aaa authorisation config commands
0:12:08	for, thats doesn't really say, lets look at the usage guide lines
0:12:13	says if aaa authorisation
0:12:14	commands level method command is enabled
0:12:17	all commands including configuration commands are authorised
0:12:20	by aaa
0:12:22	because there are configuration commands that are identical to some exec commands, there can be some confusion
0:12:29	this actually doesn't tell you what it does either
0:12:32	the key is that this is off
0:12:34	by default
0:12:36	which means that
0:12:38	the default is no aaa authorisation config-command
0:12:42	which means that if you are authorised to get in the global config
0:12:46	then anything you issue beyond that
0:12:49	is not going to be checked with the tacacs so
0:12:51	not going to be check with aaa
0:12:54	so if you wanted to deauthorise a user
0:12:58	from issuing specific commands that are in global configuration or beyond
0:13:04	like lets say the interface level, I don't want them to issue the ip address command
0:13:08	I would have to first say aaa authorisation config-commands
0:13:12	because otherwise I am only authorising commands that are run at exec mode
0:13:19	the other one here is the aaa authorisation console
0:13:24	says that if the
0:13:26	aaa new model command is being configured
0:13:29	the no aaa authorisation console is by, is default
0:13:34	and authorisation that is configured on the console line will always succeed
0:13:40	this command by itself is not turn authorisation of the
0:13:42	console line on and needs to be used in conjunction with the authorisation commands, under the console line
0:13:47	configurations
0:13:49	so basically
0:13:50	what this means is that for your exec
0:13:54	authorisation
0:13:55	or your command authorisation
0:13:58	by default
0:13:59	it is not applied onto the console
0:14:03	now with the console of router 1
0:14:05	what I have right now if we say show run section line
0:14:13	I don't have any option configured under the console
0:14:16	this means that this is going inherited default list
0:14:19	for authentication authorisation and accounting
0:14:23	if I were then to go the
0:14:27	the console line
0:14:28	and say I want to do authorisation of
0:14:31	exec and authorisation of all command
0:14:34	so lets say line console 0
0:14:37	and I enter all of this command
0:14:39	its spitting back that error message
0:14:41	authorisation without the global command aaa authorisation console is useless
0:14:45	this means that if I exit
0:14:47	and I come back in
0:14:49	when I log in
0:14:51	normally they would have to check the tacacs server for my exec
0:14:55	authorisation and my command authorisation
0:14:59	but since I didn't issue the
0:15:02	aaa
0:15:05	aaa authorisation console
0:15:07	it means that its skipping over this
0:15:10	so it's a relatively new
0:15:12	additional protection mechanism that they added as a default in IOS
0:15:16	because if you
0:15:17	configure authorisation wrong
0:15:20	its easier to lock yourself out of the command line
0:15:23	but then you configured wrong on the console
0:15:25	you have no last resort method from getting back in
0:15:30	so its kind of a safe guard
0:15:32	they leave this one off by default
0:15:35	so the default is no aaa authorisation console
0:15:37	and the other one is that
0:15:39	aaa authorisation config-command
0:15:44	so now on router1 I am going to remove those methods that I have applied on the console
0:15:48	lets say show run section line
0:15:50	con
0:15:52	and we will
0:15:54	lets remove this, so
0:15:56	underline con 0, no authorisation commands, no authorisation exec
0:16:06	for level zero 1 and 50
0:16:09	now again I could just leave this
0:16:11	options there because its not actually making any changes
0:16:14	because I do not have that
0:16:17	additional keyword there which is the
0:16:20	aaa authorisation console
0:16:22	here so now we are back to default
0:16:25	so next lets look at the aaa server
0:16:27	there is two different ways actually three different ways that I can configure this
0:16:31	the shell
0:16:32	command authorisation set
0:16:34	can be configured manually right here
0:16:37	or I specify, what am I going to permit or deny
0:16:41	what are the commands what are the individual arguments
0:16:44	so I could apply this directly onto the user
0:16:47	the other option
0:16:49	would be to apply it to the group
0:16:52	then assign the user to the group
0:16:54	and inherently they are going to get that particular authorisation set
0:16:58	the other option
0:17:00	is that I can create an authorisation set
0:17:04	globally
0:17:05	that's not necessary bound to an individual user or to an individual group
0:17:10	then I could assign that to the user I could assign that to the group
0:17:14	I go also do this on a per network device basis
0:17:18	so there is a lot of granularity that
0:17:20	granularity that you can do with this
0:17:22	as long as you know how to use basics of this
0:17:24	then you should be able to just
0:17:28	figure out our way through the other ones
0:17:30	so its not that much more difficult to
0:17:34	versus doing on the user or doing on the group
0:17:38	so in our case I can do it
0:17:40	as a group authorisation
0:17:43	lets go to group setup
0:17:45	and we will say that we have
0:17:47	group number 1 I am going to add at this
0:17:50	actually I am going to rename it first, lets go lets back one
0:17:54	and I rename group1
0:17:56	I will say this is my
0:17:59	admins
0:18:02	and for the admins
0:18:05	when they log in under tacacs
0:18:08	I am going to say that
0:18:11	they have, you can see there is a lot different option you can set here
0:18:22	I want them to be able to get into the shell
0:18:25	there are going to be at privilege level 50
0:18:28	for the command authorisation set
0:18:32	I am going to say per group
0:18:35	I am going to permit
0:18:37	on the matched command
0:18:39	submit and restart
0:18:42	okay now notice this, this is restarting the service
0:18:45	what this option here means
0:18:47	is that
0:18:48	when
0:18:50	the aaa client asks me about someone in this group
0:18:54	I don't have specific match for that individual command
0:18:57	so I am doing in implicit permit
0:19:01	as opposed to an implicit deny
0:19:04	where an implicit deny is the default
0:19:07	so if I were then to create a user
0:19:09	lets say user admin
0:19:12	admin1
0:19:14	admin1 has the password cisco
0:19:17	and admin1 is in the group
0:19:20	admins
0:19:23	it should now be inherent that when I telnet into router1
0:19:28	log in as admin1
0:19:30	password-cisco
0:19:32	I am getting authorised to privilege level 15
0:19:36	and now whatever commands that I issue
0:19:39	are going to be authorised
0:19:41	with the tacacs server and there are going to be accounted
0:19:44	so if I show ip interface brief
0:19:47	if I clear count
0:19:49	if I go to global config
0:19:52	then from global config if we say, do show, actually lets do this, lets say no interface lookback 1234
0:20:00	and then end
0:20:02	now lets look at the debug of router1
0:20:07	the first thing that happens is that the authentication and the exact authorisation happened
0:20:13	exec authorisation is saying can you use the shell
0:20:16	the server is replying back saying, yes they can use the shell
0:20:20	they are at privilege level 15 this is pass
0:20:24	now we go down to the individual command authorisation
0:20:28	I am asking
0:20:30	the tacacs server who is defined in tacacs commands authorisation list
0:20:34	can they say show privilege
0:20:37	the server says yes they can say show privilege
0:20:41	then the aaa client is saying can they say show
0:20:45	with the arguments ip
0:20:46	argument interface, argument brief, hit carriage return
0:20:50	server says yes
0:20:52	now if we keep going down until I get to the point where
0:20:56	I went to global config
0:20:57	so I said config terminal
0:21:00	server says yes
0:21:02	once I was in global config
0:21:05	I was issuing other commands
0:21:07	but notice here it saying config command authorisation is not enabled
0:21:14	so this means that if we were to look at the command line here
0:21:19	this command was authorised
0:21:21	this command was authorised
0:21:24	the clear counters command was authorised as was config t
0:21:28	but no interface loopback123 was not authorised
0:21:31	and then end was not authorised
0:21:34	so means that I could run these commands without having to check with the server
0:21:38	now if I did want to check those against the server
0:21:41	again what I would need to add on router 1
0:21:43	is aaa authorisation of config
0:21:47	config-commands
0:21:51	so if I go global config and I say
0:21:55	interface loopback 111
0:21:58	ip address 1.1.1.1
0:22:02	then no shut down
0:22:06	delay 1234 and then exit
0:22:09	if we look at the debug on router 1
0:22:11	we should see now the
0:22:15	server is going to be asked for all of these commands
0:22:18	so whether able to issue the delay command followed by that argument
0:22:22	whether able to issue the no command followed by shutdown
0:22:26	the server keeps saying yes over and over
0:22:29	because what the command authorisation set
0:22:32	I am saying that for any unmatched arguments
0:22:38	I am just going to allow them
0:22:41	so for the administrators this is the easiest way to do this, you simply assign them to privilege level 15
0:22:48	either under the user or under the group
0:22:50	so we can run what ever commands we are authorised to run
0:22:55	so we put them again
0:23:02	her we give them access to the shell
0:23:04	we put them at privilege level 15
0:23:07	then for the command authorisation set
0:23:10	we say
0:23:11	that whatever commands they issue
0:23:13	if they do not match what is listed here
0:23:17	I am just going to automatically permit it
0:23:24	so next lets look at a variation of this on the user
0:23:28	lets add a new user thats called read-only
0:23:32	for this particular user I want them to get into the shell
0:23:38	so the exec shell will put them at privilege level 15
0:23:42	then I want them as an individual user
0:23:46	I want to do per user command authorisation
0:23:48	for unmatched arguments I am going to deny this
0:23:52	so I have this explicit list what I want to permit or deny
0:23:56	the commandI want them to be able to run
0:23:59	is show
0:24:02	I could say the specific arguments that I want to allow, I could say
0:24:06	permit
0:24:08	ip route
0:24:10	permit ip cef
0:24:12	permit ip interface brief
0:24:16	permit interface
0:24:18	then for unlisted arguments by default, this is going to be denied
0:24:23	once I apply this
0:24:27	can it set a blank password, so lets add the password
0:24:30	user name is readonly password
0:24:34	I will say is cisco
0:24:41	if we go back to the user so readonly
0:24:45	scroll them to the command authorisation set
0:24:47	you will see that it now opens up another box if I continue to add more commands
0:24:53	I can do that beside show
0:24:55	so lets say in addition to saying show ip route, show ip cef, show ip
0:24:59	interface brief, show ip interface
0:25:01	I also want them to
0:25:03	be able to run
0:25:06	lets say the clear command
0:25:10	the clear command, I am going to allow them to run any clear command
0:25:15	with the exception of
0:25:17	ip ospf
0:25:20	I am going to deny the arguments, ip ospf
0:25:23	what for any other unlisted arguments
0:25:27	I am going to permit
0:25:30	so its just like how an access list works, in this first example
0:25:33	I am doing explicit permits
0:25:35	followed by an implicit deny
0:25:39	where in this lower case I am doing it explicit deny
0:25:42	that is followed by an implicit permit
0:25:45	this really depends on how many arguments are there, are there more than you want to permit or deny
0:25:49	thats going to determine, whether you want the unlisted arguments to be permitted or denied
0:25:55	but now if we login as this user
0:25:58	lets telnet back to router1, 200.0.0.1
0:26:02	log in as read only
0:26:04	password cisco
0:26:06	I should not be able to say show privilege
0:26:09	I should be able to say show ip route
0:26:12	I should be able to say show ip interface brief
0:26:16	show ip
0:26:20	show ip cef
0:26:23	I should not be able to say show ip ospf neighbours
0:26:27	I should be able to say clear ip route
0:26:33	I should be able to say clear
0:26:35	ip bgp *
0:26:39	I should not be able to say
0:26:42	clear ip ospf neighbours
0:26:45	I say clear ip ospf
0:26:49	any of these, I say, one process
0:26:52	command authorization failed
0:26:55	So again you could do it either way, you could permit
0:26:59	the individual command that you want and deny everything else
0:27:02	or you could deny the specific commands that you do not want them to issue
0:27:07	Now one interesting thing you could do
0:27:09	is if I wanted the user to be able to run
0:27:12	every possible command from exec mode
0:27:15	but not be able to change anything
0:27:18	what I could do is give them privilege level 15
0:27:23	authorize them to run every single command
0:27:25	with the exception of configure terminal
0:27:30	So lets say we have another user here, that says
0:27:33	nochanges
0:27:37	where this user nochanges, we have a password
0:27:40	password is cisco
0:27:43	then under the per user
0:27:48	TACACS settings
0:27:49	turn the shell on, give them privilege level 15
0:27:53	say the command authorization set is for the user
0:27:57	unmatched commands are going to be permitted
0:28:02	the command that I am going to deny
0:28:06	is configure
0:28:08	deny terminal
0:28:11	permit all other argument
0:28:15	so essentially I am saying, permit everything that is not configured
0:28:20	of configure, I am going to deny the argument terminal
0:28:23	but then any of our other arguments, I am going to permit
0:28:30	so now the end result of this
0:28:32	should be that an
0:28:34	You could see, I am no longer authorized to exit
0:28:36	the process
0:28:39	So you can end up in some weird situation with this per command authorization
0:28:42	So lets telnet back into router1
0:28:47	username is nochanges
0:28:50	password cisco
0:28:52	show privilege
0:28:55	if I say clear ip route *
0:28:58	thats fine, I say, show ip
0:29:01	show ip interface brief
0:29:04	if I say ping
0:29:06	I can do an extended ping
0:29:07	where normally someone who is not at privilege level 15, would not be able to do this
0:29:12	I could do an extended trace route
0:29:15	also I could do an extended telnet
0:29:19	but if I now try to get into global config
0:29:21	command authorization is failed
0:29:25	So its allowing me to do basically anything that is at exec mode
0:29:30	but to go beyond exec mode, I would have to say, config t
0:29:33	and this is the one that the command authorization says to deny

Now Viewing

CCIE Security Advanced Technologies Class
Title:	CCIE Security Advanced Technologies Class
Duration:	39h 19m
The CCIE Security Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Security lab will be described in detail using an instructor led hands on demonstration. The class consists of over 40 hours of in depth explanations and examples.
Get instant access to our entire library!
$159/month	Add to Cart
Download this Course
$299.00	Add to Cart

TACACS+ Command Accounting

Create Bookmark