IOS-XE (5760, 3850, 3650) WebUI Privilege-Level Based Access Control

Introduction
This document explains how to create Cisco ACS TACACS+ authentication and authorization profiles with different privilege levels in Cisco ACS 5.2, and how to integrate them with the 5760 to control access to the WebUI. This feature is supported from release 3.6.3 onwards.

Create a few test users
pic1.png

Setting up Policy elements and shell profiles

You need to create 2 profiles for the 2 different types of access. Privilege 15 in the Cisco TACACS world means full access to the device without any restrictions. Privilege 1, on the other hand, allows you to log in and execute a limited set of commands. Below is a short description of the levels of access provided by Cisco.

  • privilege level 1 = non-privileged (prompt is router>), the default level for logging in
  • privilege level 15 = privileged (prompt is router#), the level after going into enable mode
  • privilege level 0 = seldom used, but includes 5 commands: disable, enable, exit, help, and logout

On the 5760, levels 2-14 are treated the same as level 1: they are given the same privileges as level 1. Do not configure TACACS privilege levels for individual commands on the 5760. Per-tab UI access is not supported on the 5760: a user either has full access (priv 15) or access only to the Monitor tab (priv 1), so not every user needs to be given priv 15. Users with privilege level 0 are not allowed to log in.

Creating privilege 15 level shell access profile
Use the print screen below to create that profile.

pic2.png

Creating command sets for admin user

Command sets are sets of commands used by all the TACACS devices. They can be used to restrict the commands that a user is allowed to run when assigned that specific profile. Since on the 5760 the restriction is enforced by the WebUI code based on the privilege level passed, the command sets for priv 1 and priv 15 are the same.

pic3.png

Creating shell profile for read only user

pic4.png

Create a service selection rule to match the tacacs protocol

pic5.jpg

Create authorization policy for full administration access.

The Default Device Admin policy, used with TACACS protocol selection, is selected as part of the policy evaluation process. When you are using the TACACS protocol to authenticate, the service policy selected is called Default Device Admin policy. That policy itself comprises 2 sections: Identity, meaning who the user is and which group (local or external) he belongs to, and Authorization, meaning what he is allowed to do according to the authorization profile configured.

pic6.png

Create authorization policy for read only administration access.

In the print screen below, assign the read-only privilege profile called priv1.

pic7.png

Configuring the 5760 for tacacs

  1. Configure the RADIUS/TACACS server.

tacacs server tac_acct
 address ipv4 9.1.0.100
 key cisco


  2. Configure the server group.

aaa group server tacacs+ gtac
 server name tac_acct

There are no prerequisites up to this step.

  3. Configure the authentication and authorization method lists.

aaa authentication login <list-name> group <srv-grp>
aaa authorization exec <list-name> group <srv-grp>
aaa authorization exec default group <srv-grp>    ----> workaround to get TACACS on HTTP


The above 3 commands, and all other authentication and authorization parameters, should use the same database: either RADIUS/TACACS or local.

For example, if command authorization needs to be enabled, it also needs to point to the same database:

aaa authorization commands 15 <list-name> group <srv-grp>    ----> the server group pointing to the database (TACACS/RADIUS or local) should be the same


  4. Configure HTTP to use the above method lists.

ip http authentication aaa login-authentication <list-name>    ----> the method list needs to be specified explicitly here, even if the method list is "default"
ip http authentication aaa exec-authorization <list-name>


** Points to Note
  • Do not configure any method lists under the "line vty" configuration. If the above steps and the line vty have different configs, the line vty config takes precedence.
  • The database should be the same across all management access types, such as SSH/Telnet and the WebUI.
  • HTTP authentication must have its method lists defined explicitly.
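As an added check (example code written for this article, not Cisco's or ACS's), the following Python script audits a running-config excerpt against the three points above: it flags AAA settings under line vty, method lists that point at different databases, and HTTP authentication that does not name an existing list. The sample configs and the list names webauth/webauthz are constructed for the example.

```python
import re

# Constructed sample configs (not from the page). GOOD follows the article's
# steps with one TACACS+ group everywhere; BAD breaks the "Points to Note".
GOOD_CONFIG = """\
tacacs server tac_acct
 address ipv4 9.1.0.100
 key cisco
aaa group server tacacs+ gtac
 server name tac_acct
aaa authentication login webauth group gtac
aaa authorization exec webauthz group gtac
aaa authorization exec default group gtac
aaa authorization commands 15 webauthz group gtac
ip http authentication aaa login-authentication webauth
ip http authentication aaa exec-authorization webauthz
line vty 0 4
 transport input ssh
"""

BAD_CONFIG = """\
aaa authentication login webauth group gtac
aaa authorization exec webauthz local
ip http authentication aaa login-authentication webauth
line vty 0 4
 login authentication webauth
"""

AAA_RE = re.compile(r"^aaa (authentication login|authorization exec|authorization commands \d+) (\S+) (.+)$")

def audit(config):
    """Return a list of findings; an empty list means the config follows the rules."""
    findings, lists, in_vty = [], {}, False
    for line in config.splitlines():
        m = AAA_RE.match(line)
        if m:  # remember each method list ("login"/"exec"/"commands", name) and its database
            lists[(m.group(1).split()[1], m.group(2))] = m.group(3).strip()
        if line.startswith("line "):
            in_vty = line.startswith("line vty")
        elif not line.startswith(" "):
            in_vty = False  # left the line vty block
        elif in_vty and line.lstrip().startswith(("login authentication", "authorization")):
            findings.append("line vty overrides AAA: " + line.strip())
    # Every method list must point at the same database (TACACS group vs local)
    if len(set(lists.values())) > 1:
        findings.append("method lists use different databases: " + ", ".join(sorted(set(lists.values()))))
    # The WebUI must name its login and exec lists explicitly, and they must exist
    for kw, kind in (("login-authentication", "login"), ("exec-authorization", "exec")):
        m = re.search(rf"^ip http authentication aaa {kw} (\S+)", config, re.M)
        if not m:
            findings.append(f"ip http authentication aaa {kw} not set")
        elif (kind, m.group(1)) not in lists:
            findings.append(f"http {kw} references undefined list {m.group(1)}")
    return findings
```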

Accessing the same 5760 with the 2 different profiles

Below is access from a priv 1 user, who is given limited access.
pic8.png

Below is access from a priv 15 user, who is given full access.

pic9.png
