I have to admit, this was a tricky one! I have scoured the web for some time now in an effort to accomplish AAA authorization, but using TACACS+. While "downloadable ACLs" with RADIUS accomplish this and more relatively easily, getting TACACS+ to authorize is a bit more obscure. The firewall side first:
access-list redzone permit tcp any 10.35.0.0 255.255.255.0 eq telnet
access-list redzone permit tcp any 10.35.0.0 255.255.255.0 eq http
aaa-server taca1 protocol tacacs+
aaa-server taca1 (outside) host 172.30.3.100
key xxxx
aaa authentication match redzone outside taca1
aaa authorization match redzone outside taca1
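The snippet above is easy to mistype (a "host" keyword combined with a mask, an extra octet, "tacacs" without the plus sign), and the firewall only rejects the bad line at paste time. The following is an added example, not code from the post or from Cisco: a small Python lint that parses the access-list, aaa-server and "aaa ... match" lines and reports exactly those slips, plus match statements that reference an undefined ACL or server group. The configuration text inside it is a constructed copy of the snippet; the key value is a placeholder.

```python
"""Added example (not from the post): lint an ASA cut-through-proxy config snippet."""
import ipaddress

# Constructed copy of the configuration from the post (key value is a placeholder).
ASA_CONFIG = """\
access-list redzone permit tcp any 10.35.0.0 255.255.255.0 eq telnet
access-list redzone permit tcp any 10.35.0.0 255.255.255.0 eq http
aaa-server taca1 protocol tacacs+
aaa-server taca1 (outside) host 172.30.3.100
key xxxx
aaa authentication match redzone outside taca1
aaa authorization match redzone outside taca1
"""

# Constructed mistyped variant: 'host' plus a mask, an extra octet, a missing '+',
# and a match statement pointing at an ACL that was never defined.
BROKEN_CONFIG = """\
access-list redzone permit tcp any host 10.35.0.0 255.255.255.0 eq telnet
access-list redzone permit tcp any host 10.35.0.0.0 255.255.255.0 eq http
aaa-server taca1 protocol tacacs
aaa authentication match redzone outside taca1
aaa authorization match dmzacl outside taca1
"""

# aaa-server protocol keywords the ASA accepts; TACACS+ groups must use 'tacacs+'
KNOWN_PROTOCOLS = {"tacacs+", "radius", "ldap", "kerberos", "nt", "sdi", "http-form"}


def is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def is_netmask(text):
    """True for a contiguous netmask such as 255.255.255.0 (0.0.0.0 excluded)."""
    if not is_ipv4(text):
        return False
    n = int(ipaddress.IPv4Address(text))
    inv = ~n & 0xFFFFFFFF
    return n != 0 and inv & (inv + 1) == 0


def _take_address(tokens, i, where, problems):
    """Consume one 'any' | 'host A' | 'A MASK' spec at tokens[i]; return the next index."""
    if i >= len(tokens):
        problems.append(f"missing {where} address")
        return i
    if tokens[i] == "any":
        return i + 1
    if tokens[i] == "host":
        addr = tokens[i + 1] if i + 1 < len(tokens) else ""
        if not is_ipv4(addr):
            problems.append(f"{where}: 'host {addr}' is not a valid IPv4 address")
        nxt = i + 2
        # 'host' takes exactly one address; a trailing mask is a syntax error
        if nxt < len(tokens) and is_netmask(tokens[nxt]):
            problems.append(f"{where}: 'host {addr}' must not be followed by mask {tokens[nxt]}")
            nxt += 1
        return nxt
    if not is_ipv4(tokens[i]):
        problems.append(f"{where}: {tokens[i]!r} is not a valid IPv4 address")
    if i + 1 >= len(tokens) or not is_netmask(tokens[i + 1]):
        problems.append(f"{where}: address {tokens[i]} must be followed by a netmask")
        return i + 1
    return i + 2


def lint_acl_line(line):
    """Problems in one 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]' line."""
    problems, tokens = [], line.split()
    if len(tokens) > 2 and tokens[2] == "extended":
        del tokens[2]
    if len(tokens) < 5 or tokens[2] not in ("permit", "deny"):
        return [f"cannot parse: {line!r}"]
    i = _take_address(tokens, 4, "source", problems)
    i = _take_address(tokens, i, "destination", problems)
    rest = tokens[i:]
    if rest and rest[0] not in ("eq", "neq", "lt", "gt", "range"):
        problems.append(f"unexpected trailing tokens {' '.join(rest)!r}")
    return problems


def lint_config(text):
    """Lint a whole snippet; return a list of (line, problem) tuples, empty when clean."""
    acls, groups, findings = set(), {}, []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for line in lines:
        tokens = line.split()
        if tokens[0] == "access-list":
            acls.add(tokens[1])
            if len(tokens) > 2 and tokens[2] == "remark":
                continue
            findings += [(line, p) for p in lint_acl_line(line)]
        elif tokens[0] == "aaa-server" and "protocol" in tokens:
            proto = tokens[tokens.index("protocol") + 1]
            groups[tokens[1]] = proto
            if proto not in KNOWN_PROTOCOLS:
                findings.append((line, f"protocol {proto!r} unknown; TACACS+ groups use 'tacacs+'"))
    for line in lines:  # second pass: match statements may precede their definitions
        tokens = line.split()
        if tokens[0] == "aaa" and len(tokens) >= 6 and tokens[2] == "match":
            acl, group = tokens[3], tokens[5]
            if acl not in acls:
                findings.append((line, f"ACL {acl!r} is not defined"))
            if group not in groups:
                findings.append((line, f"aaa-server group {group!r} is not defined"))
    return findings


if __name__ == "__main__":
    print("clean snippet:", lint_config(ASA_CONFIG))
    for line, problem in lint_config(BROKEN_CONFIG):
        print(f"{problem}\n    in: {line}")
```

Run it before pasting a snippet into the firewall; the clean copy yields no findings, the mistyped copy yields five.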
Now for the interesting part:
On the ACS server, create a user and assign a "shell command authorization set" which specifies, for example here:
command: telnet
arg: permit 10.35.0.100
command: http
arg: permit 10.35.0.100
Please make sure you use the regular "shell command authorization set" and not the PIX/IOS set.
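The two halves of this setup make different decisions: the "redzone" ACL on the firewall decides which flows get intercepted and sent to ACS at all, and the per-user command authorization set decides which of those flows are allowed. The following added example (my own model, not code from the post, Cisco ASA or ACS) walks a few constructed connection attempts through both steps. The TACACS+ attribute encoding (service=shell, cmd=<protocol>, cmd-arg=<destination IP>) is assumed from the way the post's set is written, and ACS evaluation is simplified to exact argument matching with first matching line wins, falling back to the set's "unmatched args" and "unmatched commands" policies.

```python
"""Added example (not from the post): model of ACL interception plus ACS command-set evaluation."""
import ipaddress

# Services the cut-through proxy intercepts, keyed by destination port.
SERVICE_BY_PORT = {23: "telnet", 80: "http", 21: "ftp"}

# Constructed equivalent of the 'redzone' ACL from the post: (destination network, port).
REDZONE_ACL = [
    (ipaddress.ip_network("10.35.0.0/24"), 23),
    (ipaddress.ip_network("10.35.0.0/24"), 80),
]

# Constructed shell command authorization set, as assigned to the user in the post.
COMMAND_SET = {
    "unmatched_commands": "deny",
    "commands": {
        "telnet": {"lines": [("permit", "10.35.0.100")], "unmatched_args": "deny"},
        "http":   {"lines": [("permit", "10.35.0.100")], "unmatched_args": "deny"},
    },
}


def acl_intercepts(acl, dst_ip, dst_port):
    """True when the flow matches a permit line, i.e. 'aaa ... match' applies to it."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in net and dst_port == port for net, port in acl)


def authorization_request(dst_ip, dst_port):
    """TACACS+ AV pairs the firewall is assumed to send for an intercepted flow."""
    return {"service": "shell", "cmd": SERVICE_BY_PORT[dst_port], "cmd-arg": dst_ip}


def evaluate_command_set(command_set, request):
    """Simplified ACS command-set evaluation: returns 'permit' or 'deny'."""
    entry = command_set["commands"].get(request["cmd"])
    if entry is None:                      # command not listed at all
        return command_set["unmatched_commands"]
    for action, pattern in entry["lines"]:  # first matching argument line wins
        if pattern == request["cmd-arg"]:
            return action
    return entry["unmatched_args"]         # argument matched no line


def decide(dst_ip, dst_port, acl=REDZONE_ACL, command_set=COMMAND_SET):
    """Outcome for one flow: 'not-intercepted' (no AAA applied), 'permit' or 'deny'."""
    if not acl_intercepts(acl, dst_ip, dst_port):
        return "not-intercepted"
    return evaluate_command_set(command_set, authorization_request(dst_ip, dst_port))


if __name__ == "__main__":
    # Constructed connection attempts: the whole /24 is intercepted, only .100 is authorized.
    attempts = [("10.35.0.100", 23), ("10.35.0.100", 80), ("10.35.0.101", 23),
                ("10.36.0.5", 23), ("10.35.0.100", 22)]
    for ip, port in attempts:
        print(f"{SERVICE_BY_PORT.get(port, port)} -> {ip}: {decide(ip, port)}")
```

The useful thing the model makes visible is the difference between the two scopes: telnet to 10.35.0.101 is intercepted by the ACL and then refused by the authorization set, while SSH to 10.35.0.100 is never sent to ACS because the ACL only lists telnet and http, so whatever the interface ACL says about it stands.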
Tuesday, December 14, 2010