Protecting your Cisco routers (not all your co-workers really need access to the command-line interface)

Using Autocommand to limit access

One of the most common TACACS+ requests I get relates to restricting CLI access with command authorization on IOS. Usually my customers want to ensure that a group of users can execute only a few show commands for monitoring purposes. Command authorization works well, but a configuration mistake can leave room for a user to gain more privilege than intended. That brings me to the topic of this article: not everyone requires access to the CLI, so we do not need to give everyone access to the command line. This article discusses an alternative to command authorization.

For monitoring purposes, we can configure the user profile so that a command is executed immediately after login, after which the user is disconnected. This can be used to execute a single command or to bring up a text-based menu consisting of several commands. It is achieved with the autocommand attribute in the user profile. Since this is a user/group profile attribute, it can differ for each user or group, and it can be configured for users defined on a TACACS+ server as well as for local users defined on IOS.

For this article, I am going to configure a local user with the autocommand attribute that will display a menu after the user logs in. Once the user exits the menu, the device will close the session.

A sample menu with some basic show commands is shown below:

menu test title ^C Monitoring Menu ^C
menu test text Select Option:
menu test text 1 Show Configuration
menu test command 1 show running-config
menu test options 1 pause
menu test text 2 Show Active Interfaces
menu test command 2 show ip interface brief | e una
menu test options 2 pause
menu test text 3 Show Version
menu test command 3 show version
menu test options 3 pause
menu test text 4 Show Routing Table
menu test command 4 show ip route
menu test options 4 pause
menu test text 5 Exit
menu test command 5 Exit
menu test clear-screen
menu test line-mode

The AAA configuration and the user profile used are given below:

aaa new-model
aaa authentication login default local
aaa authorization exec default local
username monitor privilege 15 password cisco123

Note that EXEC authorization has been enabled and the user has been given privilege level 15. Without both, privilege-15 commands will not execute when run through autocommand.

To bind the menu to the user login, use the following command:

username monitor autocommand menu test

Though the local database is used in the example here, a TACACS+ server can be used just as easily. In the user profile on the TACACS+ server, enable the autocommand attribute and define the command to be executed as the attribute value. In addition, ensure that the Privilege Level attribute is selected with its value set to 15.
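As an added check that is not part of the article: a small Python audit that parses a saved IOS configuration and reports local privilege-15 users not bound to an autocommand, username entries that use "password" rather than "secret", and menu entries that run anything other than show commands. The config fragment and the second user "oper" are constructed for this example; the article's own device and menu are not being audited.

```python
import re
# Constructed sample config fragment modelled on the article's example (not from a real
# device). A second user, "oper", shows what the audit flags: privilege 15, no autocommand.
SAMPLE_CONFIG = """\
username monitor privilege 15 password cisco123
username monitor autocommand menu test
username oper privilege 15 secret 5 $1$abcd$constructedhash
menu test title ^C Monitoring Menu ^C
menu test command 1 show running-config
menu test command 2 show ip interface brief | e una
menu test command 3 show version
menu test command 4 show ip route
menu test command 5 Exit
"""

USER_RE = re.compile(r"^username (\S+) (.*)$")
MENU_CMD_RE = re.compile(r"^menu (\S+) command \d+ (.+)$")
SAFE_CMD_RE = re.compile(r"^(show\b|exit$|menu-exit$)", re.IGNORECASE)  # show, or leave the menu


def audit(config):
    """Return findings about local users, their autocommand bindings and menus."""
    users, autocmd, menus = {}, {}, {}
    for line in config.splitlines():
        if m := USER_RE.match(line):
            name, rest = m.groups()
            users[name] = users.get(name, "") + " " + rest   # IOS splits one user over lines
            if ac := re.search(r"\bautocommand (.+)$", rest):
                autocmd[name] = ac.group(1)
        elif m := MENU_CMD_RE.match(line):
            menus.setdefault(m.group(1), []).append(m.group(2))
    findings = []
    for name, rest in users.items():
        priv = re.search(r"privilege (\d+)", rest)
        if priv and int(priv.group(1)) == 15 and name not in autocmd:
            findings.append(f"{name}: privilege 15 with no autocommand (full CLI access)")
        if " password " in rest + " ":   # 'password' is cleartext/type 7; 'secret' is hashed
            findings.append(f"{name}: uses 'password'; prefer 'secret'")
    for name, cmd in autocmd.items():
        if not cmd.startswith("menu "):
            continue
        menu = cmd.split()[1]
        if menu not in menus:
            findings.append(f"{name}: autocommand references undefined menu '{menu}'")
        for c in menus.get(menu, []):
            if not SAFE_CMD_RE.match(c):
                findings.append(f"menu {menu}: non-show command '{c}'")
            elif c.lower().startswith("show run"):
                findings.append(f"menu {menu}: '{c}' discloses the full config, credentials included")
    return findings
```

Run it against the output of "show running-config" saved to a file; the running-config finding is a reminder that a menu entry showing the whole configuration reveals every username line to the monitoring user.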

Using the autocommand attribute, you can ensure that users have access to the commands they absolutely require without actual CLI access. Another benefit of this option is that users with limited or no knowledge of IOS can be given a menu-based way to perform monitoring tasks.


Copyright © 2011 IDG Communications, Inc.