IOS-XE (5760, 3850, 3650) WebUI Priviledge-Level Based Access Control
You need to create 2 profiles for the 2 different types of access .Privilege 15 in the cisco tacacs world means providing full access to the device without any restrictions. Privilege 1 on the other hand will allow you to login and execute limited amount of commands .Below is a short description of the levels of access provided by cisco.
- privilege level 1 = non-privileged (prompt is router>), the default level for logging in
· privilege level 15 = privileged (prompt is router#), the level after going into enable mode
· privilege level 0 = seldom used, but includes 5 commands: disable, enable, exit, help, and logout
On 5760, levels 2-14 are considered the same as level 1. They are given the same privilege as 1. Do not configure tacacs privilege levels for certain commands on the 5760. UI access per tabs is not supported in 5760. You can either have full access (priv15) or only access to the Monitor tab (priv1). If not all users will be given Priv 15. Also, Users with privilege level 0 are not alowed to login.
Command sets are sets of commands used by all the tacacs devices.They can be used to restrict the commands that a user is allowed to use if assigned that specific profile. Since on the 5760, restriction is done on the Webui code based on the privilege level passed, the command sets for both priv1 and priv 15 are the same.
- Radius/Tacacs server needs to be configured.
tacacs server tac_acct
address ipv4 22.214.171.124
- Configure the server group
aaa group server tacacs+ gtac
server name tac_acct
- configure authentication and authorization method lists
aaa authentication login
aaa authorization exec
aaa authorization exec default group
For example, if command authorization needs to enabled, it also needs to be pointing to the same database.
aaa authorisation commands 15
- configure http to use the above method lists
ip http authentication aaa login-auth
ip http authentication aaa exec-auth
- Do not configure any method-lists on the “line vty" config parameters. If the above steps and the line vty have different configs, then line vty configs would take precedence.
- The database should be the same across all management configuration types like ssh/telnet and webui.
- Http authentication should have the method list defined explicitly.