Tuesday, December 14, 2010

ASA: AAA authorization with TACACS+

I have to admit, this was a tricky one! I have scoured the web for sometime now in an effort to accomplish AAA authorization, but using TACACS. While "downloadables ACLs" with RADIUS accomplish this and more relatively easily, getting TACACS to authorize is a bit more obscure.

access-list redzone permit tcp any host eq telnet
access-list redzone permit tcp any host eq http

aaa-server taca1 protocol tacacs
aaa-server taca1 (outside) host
key xxxx

aaa authentication match redzone outside taca1
aaa authorization match redzone outside taca1

Now for the interesting part:

On the ACS server, create a user and assign a "shell command authorization set" which specifes, for example here:

command: telnet
arg: permit

command: http
arg: permit

Please make sure you use the regular "shell command authorization and not the PIX/IOS set.

No comments:

Post a Comment