Authorization
This scenario shows how to set up per-command authorization.
Tacacs Method Privileged User
Description
A TACACS+ server configured to deny the show date
command and allow everything else is added to a TACACS+ group, which
is added to an AAA list. This list is assigned to CLI’s command
authorization. Whenever a user attempts to run a command, this is sent
to the server and is only executed when authorized to do so.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24 set system aaa group tacacs tacgroup1 server serv1 set system aaa list list1 method 1 group tacacs tacgroup1 set system aaa server tacacs serv1 address 10.215.168.1 set system aaa server tacacs serv1 encrypted-key U2FsdGVkX18G2HLGGHaZXbIpZheuIlGTBCG0XFHPCAg= set system cli aaa authorization list1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system login user testadmin authentication encrypted-password '$6$z/yqADx2NdC0at9f$yzCFtpn4HEnwxj7/a5./pQ8Ef0.5Z9tVyHGrm1SvelOzbPTrDrw.clpMRRDzXThw39ZEcV1bAzEVfE5p.Jare/' set system login user testadmin role admin
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.083 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.083/0.083/0.083/0.000 ms
Step 3: Run command show version at DUT0 and expect this output:
Show output
OS vendor: Teldat OS name: OSDx OS version: v4.2.1.2 OS Linux kernel: 6.1.90 OS built by: jenkins@daphne OS build date: Tue Dec 3 11:56:29 UTC 2024 OS installation: physical OS boot mode: user License: VM_BASE Firewall eth-Rate-Permit-Full Hardware vendor: QEMU Hardware model: VM Hardware OEM model: Standard PC (i440FX + PIIX, 1996) Hardware version: pc-i440fx-5.2 Hardware UUID: 25e1e4f6-d652-51f2-aa7e-7ae3d1e0da19 Hardware architecture: amd64 Hardware fwid: iso Hardware base MAC: de:ad:be:ef:6c:00 Hardware cpu: 4 x QEMU Virtual CPU version 2.5+ (4 cores) Last reboot reason: Panic Date: Tue 03 Dec 2024 14:54:51 +00:00 Uptime: 2:10:30 CPU load (1m, 5m, 15m): 0.18 0.16 0.14 CPU usage % (1m): 4.95 Storage usage (kB): 367936/8144384 Memory usage (kB): 418404/1570524 Users logged in: 1 Mode (current/next boot): user/user Hostname: osdx
Step 4: Run command show date at DUT0 and expect this output:
Show output
CLI Error: Unauthorized
Note
Commands are expanded before being sent to the authorization server
Step 5: Run command sh da at DUT0 and expect this output:
Show output
CLI Error: Unauthorized
Step 6: Run command show running at DUT0 and expect this output:
Show output
# Teldat OSDx VM version v4.2.1.2 # Tue 03 Dec 2024 14:54:51 +00:00 # Warning: Configuration has not been saved set interfaces ethernet eth0 address 10.215.168.64/24 set system aaa group tacacs tacgroup1 server serv1 set system aaa list list1 method 1 group tacacs tacgroup1 set system aaa server tacacs serv1 address 10.215.168.1 set system aaa server tacacs serv1 encrypted-key U2FsdGVkX18G2HLGGHaZXbIpZheuIlGTBCG0XFHPCAg= set system cli aaa authorization list1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system login user testadmin authentication encrypted-password '$6$z/yqADx2NdC0at9f$yzCFtpn4HEnwxj7/a5./pQ8Ef0.5Z9tVyHGrm1SvelOzbPTrDrw.clpMRRDzXThw39ZEcV1bAzEVfE5p.Jare/' set system login user testadmin role admin
Tacacs Method Non-Privileged User
Description
In this case, the same scenario is tested but with a non-privileged user called testmonitor.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24 set system aaa group tacacs tacgroup1 server serv1 set system aaa list list1 method 1 group tacacs tacgroup1 set system aaa server tacacs serv1 address 10.215.168.1 set system aaa server tacacs serv1 encrypted-key U2FsdGVkX196R7bEaD5sdZNM/isZ44U82DIdQQDVnVk= set system cli aaa authorization list1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system login user testmonitor authentication encrypted-password '$6$WvsnG5lARvsAe1Xz$c0lBpIJLPRI10seTmOh65EeR8iMAANhqcANQ.o1W6qKuIRFPwCzJ7ZXljKJfuK2FQPK9j3wC5y8m9L22fKjCQ0' set system login user testmonitor role monitor
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.069 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.069/0.069/0.069/0.000 ms
Step 3: Run command show version at DUT0 and expect this output:
Show output
OS vendor: Teldat OS name: OSDx OS version: v4.2.1.2 OS Linux kernel: 6.1.90 OS built by: jenkins@daphne OS build date: Tue Dec 3 11:56:29 UTC 2024 OS installation: physical OS boot mode: user License: VM_BASE Firewall eth-Rate-Permit-Full Hardware vendor: QEMU Hardware model: VM Hardware OEM model: Standard PC (i440FX + PIIX, 1996) Hardware version: pc-i440fx-5.2 Hardware UUID: 25e1e4f6-d652-51f2-aa7e-7ae3d1e0da19 Hardware architecture: amd64 Hardware fwid: iso Hardware base MAC: de:ad:be:ef:6c:00 Hardware cpu: 4 x QEMU Virtual CPU version 2.5+ (4 cores) Last reboot reason: Panic Date: Tue 03 Dec 2024 14:55:00 +00:00 Uptime: 2:10:39 CPU load (1m, 5m, 15m): 0.15 0.16 0.13 CPU usage % (1m): 5.19 Storage usage (kB): 367936/8144384 Memory usage (kB): 415048/1570524 Users logged in: 1 Mode (current/next boot): user/user Hostname: osdx
Step 4: Run command show date at DUT0 and expect this output:
Show output
CLI Error: Unauthorized
Step 5: Run command show running at DUT0 and expect this output:
Show output
CLI Error: Insufficient privileges