RBAC Admin is getting full access

abhijith891
Level 1

Hello everyone,

I am creating an RBAC admin for a particular router, but he ends up getting access to all other firewalls as well. Now I am not sure how this is happening, so here are the steps which I followed.

1) Created a User-Group; created the user and then assigned that user to that group.

2) Command Sets - default; Shell Profile - Max & Default Privilege = 15

3) Created a policy set and applied the condition to extract that device.

4) Authentication - default

5) Authorization - Conditions (user group) + [Command Sets + Shell Profile]
When I log in to that particular router, I am getting a hit count on those authentication & authorization policies... but I am also able to access the firewalls and other devices with that username/password. When I checked the TACACS live logs, it shows that the login is allowed by All-Firewall>>Default and the shell profile as Security Device Admin. So can someone please help me out on this?

2 Replies

Ben Walters
Level 3

It seems like you have a default policy allowing access to all devices instead of denying access.

When you look at the logs does it match with the policy set you created or does it also hit a default rule somewhere in there when you log in to the specified device with the correct user? That would point to where you need to make changes in the policy sets.

Also, are you specifying the authentication and authorization for that specific router? It should be included in your criteria that "User X and router Y give Z access and priv."
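
As an added illustration (not code from this thread or from Cisco ISE itself), the Python below simulates the top-down policy-set evaluation Ben describes; the names Router-X, All-Firewalls, the user groups and the shell profiles are constructed assumptions. It shows why a catch-all Default rule in the All-Firewalls set hands the router admin a firewall shell, and how giving the firewall permit rule its own group condition with a denying Default closes that gap.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed model of TACACS+ policy-set evaluation: policy sets are checked
# top-down, the first one whose device condition matches is entered, and the
# first authorization rule whose user condition matches wins. A rule with no
# user condition is a "Default" catch-all that matches any authenticated user.

@dataclass
class AuthzRule:
    name: str
    user_groups: FrozenSet[str]    # empty = matches every user (Default rule)
    shell_profile: str             # DENY means no shell is granted

@dataclass
class PolicySet:
    name: str
    device_groups: FrozenSet[str]  # network-device-group condition of the set
    rules: List[AuthzRule]

DENY = "DenyAccess"

def authorize(policy_sets: List[PolicySet], device_group: str,
              user_groups: FrozenSet[str]) -> Tuple[Optional[str], Optional[str], str]:
    """Return (policy set hit, rule hit, result) for one login attempt."""
    for ps in policy_sets:
        if device_group not in ps.device_groups:
            continue
        for rule in ps.rules:
            if not rule.user_groups or rule.user_groups & user_groups:
                return ps.name, rule.name, rule.shell_profile
        return ps.name, None, DENY   # implicit deny at the end of a policy set
    return None, None, DENY

# Constructed sets mirroring the thread: the router set is scoped to the RBAC
# group, but All-Firewalls ends in a Default rule that permits anyone.
ROUTER_ADMINS = frozenset({"Router-X-Admins"})
before = [
    PolicySet("Router-X", frozenset({"Router-X"}),
              [AuthzRule("Router-X-Admin", ROUTER_ADMINS, "Router-Admin")]),
    PolicySet("All-Firewalls", frozenset({"Firewalls"}),
              [AuthzRule("Default", frozenset(), "Security Device Admin")]),
]

# Hardened: the firewall permit rule names its own admin group and the
# Default rule denies, so an unrelated user gets no shell on a firewall.
after = [
    before[0],
    PolicySet("All-Firewalls", frozenset({"Firewalls"}),
              [AuthzRule("FW-Admins", frozenset({"Firewall-Admins"}), "Security Device Admin"),
               AuthzRule("Default", frozenset(), DENY)]),
]
```

Running `authorize(before, "Firewalls", ROUTER_ADMINS)` reproduces the live-log hit the question reports (All-Firewalls >> Default, Security Device Admin), while the same call against `after` returns DenyAccess.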

Hi Ben,

Those were exactly my policies. The problem is the account is matching on the “All-Firewalls” policy set. I am not able to figure out what options to use to filter out the traffic. So can you please suggest the steps to me?