One of the most common TACACS+ requests I get concerns restricting CLI access on IOS with command authorization. Usually the customer wants a group of users to be able to run only a handful of show commands for monitoring. Command authorization works well for this, but a mistake in the authorization rules can quietly grant more than intended. That brings me to the topic of this article: not everyone requires access to the CLI. This article discusses an alternative to command authorization for users who only need a fixed set of commands.
For monitoring purposes, the user profile can be configured so that a command runs immediately after login and the user is disconnected as soon as it completes. That command can be a single show command or a text-based menu built from several commands. This is done with the autocommand attribute in the user profile. Because it is a per-user (or per-group) attribute, each user or group can be given a different command or menu, and the attribute can be set for users defined on a TACACS+ server as well as for local users defined on IOS.
For this article, I am going to configure a local user with the autocommand attribute that will display a menu after the user logs in. Once the user exits the menu, the device will close the session.
A sample menu with some basic show commands is shown below:
! Menu "test": the ^C pairs delimit the title text
menu test title ^C Monitoring Menu ^C
! Prompt displayed below the items (set with the prompt keyword, also delimited by ^C)
menu test prompt ^C Select Option: ^C
! Each item needs a text line (the label) and a command line; "pause" waits for a
! keypress before the menu is redrawn so the command output can be read
menu test text 1 Show Configuration
menu test command 1 show running-config
menu test options 1 pause
menu test text 2 Show Active Interfaces
! "| e una" excludes unassigned interfaces from the listing
menu test command 2 show ip interface brief | e una
menu test options 2 pause
menu test text 3 Show Version
menu test command 3 show version
menu test options 3 pause
menu test text 4 Show Routing Table
menu test command 4 show ip route
menu test options 4 pause
! Exit ends the EXEC session; under autocommand that closes the login
menu test text 5 Exit
menu test command 5 Exit
! Clear the screen before each redraw; line-mode requires Enter after the choice
menu test clear-screen
menu test line-mode
The AAA configuration and the user profile used are given below:
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username monitor privilege 15 password cisco123
Note that EXEC authorization has been enabled and the user has been given privilege level 15. With aaa new-model in effect, the privilege and autocommand attributes stored in the username entry are only applied when EXEC authorization is performed, and here the local database is what supplies them. Without privilege 15, the autocommand runs at privilege level 1, so commands that need a higher level (show running-config, for example) fail inside the menu. For anything other than a lab, configure the user with secret rather than password so the credential is stored as a hash instead of in the clear.
To bind the menu to the user login, use the following command:
username monitor autocommand menu test
Although the local database is used in the example here, a TACACS+ server works just as well. In the TACACS+ shell (exec) profile for the user or group, set the autocommand attribute (autocmd in the protocol) to the command to run, here menu test, and set the privilege level attribute (priv-lvl) to 15; the menu itself still lives on the IOS device. The IOS side then needs the login authentication and EXEC authorization method lists to point at the tacacs+ server group instead of local.
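As an added example (not from the original article), here is the same profile expressed for the open-source tac_plus daemon. The shared key, the group name and the password are placeholders chosen for illustration:

```text
# tac_plus.conf: monitoring group with autocommand and privilege 15
# (added example; key, group name and password are illustrative placeholders)
key = "replace-with-a-strong-shared-secret"

# The menu "test" must already exist on the IOS device; the server only
# tells IOS which command to run when the EXEC session starts.
group = monitoring {
    service = exec {
        priv-lvl = 15
        autocmd = "menu test"
    }
}

user = monitor {
    member = monitoring
    login = cleartext "cisco123"
}
```

On the IOS side, point the method lists at the server: aaa authentication login default group tacacs+ local and aaa authorization exec default group tacacs+ local, together with a tacacs server entry for the host and key. Keep a local fallback user so a server outage does not lock you out, and remember that a fallback login gets its privilege and autocommand attributes from the local entry, not from the server.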
Using the autocommand attribute, you can give users exactly the commands they need without handing out CLI access, and users with little or no IOS knowledge get a menu they can drive without learning the command set. Two things to keep in mind: the menu limits what the user can type, not what the commands reveal, so review each entry (show running-config prints the whole configuration, including any stored credentials, and may not belong in a monitoring menu); and because the session runs at privilege 15 behind the menu, every entry must be a non-interactive command that returns to the menu on its own, never one that drops the user into configuration mode or an interactive prompt.