TACACS+ command auth for a 2950T and ACS 3.2


The config of the switch is here:
2950G#sh run
Building configuration...

Current configuration : 3535 bytes
!
! Last configuration change at 15:08:10 UTC Thu Aug 31 2006 by test
! NVRAM config last updated at 15:08:11 UTC Thu Aug 31 2006 by test
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
hostname 2950G
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console_line local
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
enable secret 5 $1$z5AN$wq3mjQk1itT9YO77l.p6X1
!
username local password 0 local
username test secret 5 $1$QURB$JryW500lA2gaY4Ua7QTp8.
username cisco secret 5 $1$.LUq$4sHzx/Kmp79qbjDpIlUye0
clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
ip subnet-zero
!
ip name-server 10.1.1.254
ip ssh time-out 120
ip ssh authentication-retries 3
vtp domain icc
vtp mode transparent
cluster enable 2590cluster 0
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
vlan 10,20,100
!
interface FastEthernet0/1
 description itest
 spanning-tree portfast
!
########################## snip ######################
!
interface FastEthernet0/24
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport mode access
 switchport nonegotiate
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet0/2
 spanning-tree portfast
!
########################## snip ######################
!
line con 0
 login authentication console_line
line vty 0 4
 exec-timeout 60 0
line vty 5 15
 exec-timeout 60 0
!
ntp clock-period 17180199
ntp server 216.52.237.153
!
end

2950G#


I used a group called 'console_line' for the console to avoid any of my mistakes cutting me off from the console, and added the option 'local' after 'tacacs+' so that if the connection to the server is lost it will fall back to a local password.
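As an added example (not code from the original post, and not a Cisco tool), the following script audits the AAA lines of an IOS running-config for the two lockout-safety properties the paragraph above describes: the console login list must not depend on the TACACS+ server, and every method list that queries tacacs+ must end in 'local'. It also flags missing level-15 command accounting and plaintext local passwords. The sample config embedded in it is constructed from the AAA-relevant lines of the 2950G config shown above; the severity labels and the finding wording are my own choices.

```python
"""
Added example (not from the original post): a small lockout-safety audit of the
AAA lines in a Cisco IOS config. Checks that the console never depends on the
TACACS+ server, that every tacacs+ method list has a local fallback, that
privilege-15 command accounting is on, and that no local password is plaintext.
"""
import re

# Constructed sample: the AAA-relevant lines of the 2950G config above.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console_line local
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
no service password-encryption
username local password 0 local
username test secret 5 $1$QURB$JryW500lA2gaY4Ua7QTp8.
line con 0
 login authentication console_line
line vty 0 4
 exec-timeout 60 0
"""


def parse_aaa(config):
    """Collect the AAA facts the audit needs from an IOS running-config."""
    facts = {
        "login_lists": {},           # list name -> ordered methods
        "cmd_authz": {},             # privilege level -> ordered methods
        "accounting_cmd_levels": set(),
        "console_login_list": None,  # login list bound under 'line con 0'
        "plaintext_users": [],
        "password_encryption": True,
    }
    current_line = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if m := re.match(r"aaa authentication login (\S+) (.+)", line):
            facts["login_lists"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"aaa authorization commands (\d+) \S+ (.+)", line):
            facts["cmd_authz"][int(m.group(1))] = m.group(2).split()
        elif m := re.match(r"aaa accounting commands (\d+) ", line):
            facts["accounting_cmd_levels"].add(int(m.group(1)))
        elif line == "no service password-encryption":
            facts["password_encryption"] = False
        elif m := re.match(r"username (\S+) password 0 ", line):
            facts["plaintext_users"].append(m.group(1))
        elif m := re.match(r"line (\S+)", line):
            current_line = m.group(1)  # 'con', 'vty', ...
        elif m := re.match(r"\s+login authentication (\S+)", line):
            if current_line == "con":
                facts["console_login_list"] = m.group(1)
    return facts


def audit(config):
    """Return a list of (severity, finding) tuples; an empty list means no concerns."""
    f = parse_aaa(config)
    findings = []
    # 1. Console: bind it to a local-only list so a TACACS+ outage or a bad
    #    authorization set can never lock the operator out of the console.
    con_list = f["console_login_list"] or "default"
    con_methods = f["login_lists"].get(con_list, [])
    if not con_methods:
        findings.append(("HIGH", f"console login list '{con_list}' is not defined"))
    elif "tacacs+" in con_methods:
        findings.append(("HIGH", f"console login list '{con_list}' depends on tacacs+"))
    # 2. Any list that queries tacacs+ should end in 'local' as the fallback.
    for name, methods in sorted(f["login_lists"].items()):
        if "tacacs+" in methods and "local" not in methods:
            findings.append(("MEDIUM", f"login list '{name}' has no local fallback"))
    for level, methods in sorted(f["cmd_authz"].items()):
        if "tacacs+" in methods and "local" not in methods:
            findings.append(("HIGH", f"commands {level} authorization has no local fallback"))
    # 3. Without level-15 command accounting the ACS admin log misses privileged commands.
    if 15 not in f["accounting_cmd_levels"]:
        findings.append(("MEDIUM", "no command accounting for privilege level 15"))
    # 4. Plaintext local credentials are readable by anyone who can view the config.
    if not f["password_encryption"]:
        findings.append(("LOW", "service password-encryption is disabled"))
    for user in f["plaintext_users"]:
        findings.append(("MEDIUM", f"username '{user}' is stored as 'password 0' plaintext"))
    return findings


if __name__ == "__main__":
    for severity, finding in audit(SAMPLE_CONFIG):
        print(f"{severity:6} {finding}")
```

Run against the sample, the only findings are the disabled password encryption and the plaintext 'local' user; the console and fallback checks pass, which is exactly the design the post aims for. Feeding it a config whose console uses the default list with tacacs+ first produces the HIGH findings instead.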

User 'local' doesn't work - I don't know why - user 'test' with a secret password works fine!

The rest of the work is done on the ACS server - see the screenshots below.

[Screenshot: User Setup] This is the User config - most config is done at the Group level.
[Screenshot: Group] Group Config - allowing Shell access and assigning an Auth set.

NB: the group for 'super users' uses the Per Group Auth setting with Unmatched set to permit, i.e. permit any.
[Screenshot: Auth Set] Auth Set with various commands - here you see how I permitted access to the FE ports but denied Gig (I can't think of a way round this, but there may be one!).

For the 'shutdown' command I had to tick the Permit Unmatched Args box; the 'no' command has 'permit shutdown' as the arg.
[Screenshot: Admin log] Here you can see the logging of the commands that are permitted.

[Screenshot: Failed authentications] Logs any commands that weren't allowed.