AAA authorization with ACS 3.2
I'm trying to configure my devices to use shell command authorization sets located on my ACS box. I want users that are members of a specific group to only be allowed to certain commands (ex. show). I'm pretty sure my ACS box is setup correctly, but my devices aren't. Here is the current config:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
I want the aaa authorization to use tacacs on my ACS box and whatever shell commands sets that are group specific when a user that is a member of that group logs in.
Marek
1) it is good to know that authentication is working and does fail over to the enable password. This helps assure that the problem that we are dealing with is not an issue of failure to communicate.
2) it is not necessary that the router mirror the groups that are configured on the server. So unless you want to specify authentication or authorization processing different from default then you do not need level1 to be mentioned on the router.
I agree that there is not a lot of clear documentation about authorization. One of the purposes of this forum is to allow people to ask questions about things that they do not yet understand and hopefully to get some helpful answers. As you get more experience and understand more then you may be able to participate in the forum and providing answers in addition to asking questions.
3) As I read your config authentication does have a backup method and authorization does not. I am a proponent of having backup methods configured. As long as the server is available you do not need them. But if they are not configured and the server is not available you can manage to lock yourself out of the router.
I can understand removing them while you concentrate on why the authorization is not working (though I would not do it that way) but I strongly suggest that you plan to put the backups in before you put anything like this into production.
4) the fact that both users log in and are already at privilege level 15 may be a clue. Look in the config under the console and under the vty ports. Look for this configuration command privilege level 15. If it is there remove it and test over again.
HTH
Rick
Similar Messages
-
AAA Authorization with ACS Shell-Sets
Hi all,
I am using a cisco 871 router running Version 12.4(11)T advanced IP Services.
I am having trouble getting AAA Authorization to work correctly with ACS.
I am able to set the users up on ACS fine and assign them shell and priv level 7.
I then setup a Shell Auth Set, and enter in the commands show and configure.
When I log in as a user, I get an exec with a priv level of 7 no problems, but I never seem to be able
to access global config mode by typing in conf (or configure) terminal or t.
If I type con? the only command there is connect, configure is never an option...
The only way I can get this to work is by entering the command:
privilege exec level 7 configure terminal
I thought the whole purpose of the ACS Shell Set was to provide this information to the Router?
This is most frustrating
The ACS Server is set up with a Shell Command Authorization Set named Level_7
It is assigned to the relevant groups and I even have the "Unmatched Commands" option selected to "Permit"
The "Permit Unmatched Args" is also selected.
See an excerpt of my IOS config below:
aaa new-model
aaa group server tacacs+ ACS
server 10.90.0.11
aaa authentication login default group ACS local
aaa authorization exec default group ACS
aaa authorization commands 7 default group ACS local
tacacs-server host 10.90.0.11 key cisco
privilege exec level 7 configure terminal
privilege exec level 7 configure
privilege exec level 7 show running-config
privilege exec level 7 show
Hope you can help me with this one..
P.s I have tried it with the privilege commands on the router and removed from the router and just keep getting the same results!?Hi,
So here it is,
You are actually using two different options and trying to couple then together. What I would suggest you is either use Shell command authorization set feature or play with privilege level. Not both mixed together.
Above scenario might work, if you move commands to privilege level 6 and give user privilege level 7. It might not sure. Give it a try and share the result.
This is what I suggest the commands back to normal level.
Below provided are steps to configure shell command authorization:
Follow the following steps over the router:
!--- is the desired username
!--- is the desired password
!--- we create a local username and password
!--- in case we are not able to get authenticated via
!--- our tacacs+ server. To provide a back door.
username password privilege 15
!--- To apply aaa model over the router
aaa new-model
!--- Following command is to specify our ACS
!--- server location, where is the
!--- ip-address of the ACS server. And
!--- is the key that should be same over the ACS and the router.
tacacs-server host key
!--- To get users authentication via ACS, when they try to log-in
!--- If our router is unable to contact to ACS, then we will use
!--- our local username & password that we created above. This
!--- prevents us from locking out.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!--- Following commands are for accounting the user's activity,
!--- when user is logged into the device.
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Configuration on ACS
[1] Goto 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'
Provide any name to the set.
provide the sufficent description (if required)
(a) For Full Access administrative set.
In Unmatched Commands, select 'Permit'
(b) For Limited Access set.
In Unmatched commands, select 'Deny'.
And in the box above 'Add Command' box type in the main command, and in box below 'Permit unmatched Args'. Provide with the sub command allow.
For example: If we want user to be only able to access the following commads:
login
logout
exit
enable
disable
show
Then the configuration should be:
------------------------Permit unmatched Args--
login permit
logout permit
exit permit
enable permit
disable permit
configure permit terminal
interface permit ethernet
permit 0
show permit running-config
in above example, user will be allowed to run only above commands. If user tries to execute 'interface ethernet 1', user will get 'Command authorization failed'.
[2] Press 'Submit'.
[3] Goto the group on which we want to apply these command authorization set. Select 'Edit Settings'.
(cont...) -
Aaa authorization with Tacacs+
Hello All,
I am trying to figure out how aaa authorization with tacacs+ works.
I am totally comfortable with aaa authentication..But am not able to understand how it works...How diff priv levels are assigned to diff users?..
I am totally freaked out...The device side side setup is pretty simple. You just use the aaa authorization command set. A good bit of the setup is on the ACS server end.
Cisco has a pretty thorough configuration example posted here. -
Aaa authorization with Funk SBR EE
Hello,
I do not get aaa authorization with Funk SBR EE to work.
On our cisco switches I configure:
aaa authentication default group radius local
aaa authorization exec default radius local
On the Funk radius server I return
service-type login
Cisco-AVPAIR shell:priv-lvl=15
Authorization always fails and the debug output shows:
1063433: 46w0d: CLUSTER_MEMBER_1: RADIUS: ustruct sharecount=1
1063434: 46w0d: CLUSTER_MEMBER_1: RADIUS: Initial Transmit tty3 id 60 [**radius-ip**}:1812, Access-Request, len 82
1063435: 46w0d: CLUSTER_MEMBER_1: Attribute 4 6 C3A976E2
1063436: 46w0d: CLUSTER_MEMBER_1: Attribute 5 6 00000003
1063437: 46w0d: CLUSTER_MEMBER_1: Attribute 61 6 00000005
1063438: 46w0d: CLUSTER_MEMBER_1: Attribute 1 9 66726974
1063439: 46w0d: CLUSTER_MEMBER_1: Attribute 31 17 3139352E
1063440: 46w0d: CLUSTER_MEMBER_1: Attribute 2 18 8772DAFD
1063441: 46w0d: CLUSTER_MEMBER_1: RADIUS: Received from id 60 [**radius-ip**]:1812, Access-Accept, len 87
1063442: 46w0d: CLUSTER_MEMBER_1: Attribute 25 67 53425232
1063443: 46w0d: CLUSTER_MEMBER_1: RADIUS: saved authorization data for user 111BFD8 at D4E310
1063444: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): Port='tty3' list='' service=EXEC
1063445: 46w0d: CLUSTER_MEMBER_1: AAA/AUTHOR/EXEC: tty3 (3848954035) user='username'
1063446: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): send AV service=shell
1063447: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): send AV cmd*
1063448: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): found list "default"
1063449: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): Method=radius (radius)
1063450: 46w0d: CLUSTER_MEMBER_1: RADIUS: no appropriate authorization type for user.
1063451: 46w0d: CLUSTER_MEMBER_1: AAA/AUTHOR (3848954035): Post authorization status = FAIL
1063452: 46w0d: CLUSTER_MEMBER_1: AAA/AUTHOR/EXEC: Authorization FAILED
1063453: 46w0d: CLUSTER_MEMBER_1: AAA/MEMORY: free_user (0x111BFD8) user='username' ruser='' port='tty3' rem_addr='[**client-ip**]' authen_type=ASCII service=LOGIN priv=1
What do I need to add to the radius server to make it work?
--JoergThe document Common Problems in Debugging RADIUS, PAP and CHAP has more information on the debug outputs.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080093f4b.shtml#radnpap -
AAA Authorization with RADIUS and RSA SecurID Authentication Manager
Hi there.
I am in the process of implementing a new RSA SecurID deployment, and unfortunately the bulk of the IOS devices here do not support native SecurID (SDI) protocol. With the older RSA SecurID deployment version, it supported TACACS running on the system, now in 8.x it does not. Myself, along with RSA Support, are having problems getting TACACS working correctly with the new RSA Deployment, so the idea turned to possibly just using RADIUS
I have setup the RADIUS server-host, and configured the AAA authentication and authorization commands as follows:
#aaa new-model
#radius-server host 1.1.1.1 timeout 10 retransmit 3 key cisco123!
#aaa authentication login default group radius enable
#aaa authorization exec default group radius local
I have also tried
#aaa authorization exec default group radius if-authenticated local
I can successfully authenticate via SSH to User Mode using my SecurID passcode -- however, when I go to enter Priv Exec mode, it wont take the SecurID passcode - I just get an "access denied"
I've ran tcpdump on the RSA Primary Instance, looking for 1645/1646 traffic, and I dont get anything
I've turned on RADIUS debugging on the IOS device, and I dont get anything either
I did see this disclaimer in a Cisco doc: "The RADIUS method does not work on a per-username basis." -- not sure if this is related to my issue?
I'm beginning to wonder if IOS/AAA cant pass authorization-exec process to RSA SecurIDI don't have a solution, but can confirm I have the same problem and am also trying to find a solution.
I see no data sent to the RSA server when using the wireless AP. With other equipment on the same ACS, I do see the attempts going to the RSA server.
The first reply doesn't seem to apply to me, since it's not sending a request from the ACS machine to the RSA machine. -
IOS XR Command authorization with ACS server
We have a newly implemented ASR 9010 and are trying to figure out how to best configure it with TACACS, as it is slightly different than IOS.
In ACS, we have two groups: Group 1 and Group 2
Group 1 allows full access in the shell command authorization set.
Group 2 allows limited access in the shell command set (basically just show commands).
Both groups can login fine (aaa authentication login default group <groupname> local)
Group 1 has full access to everything (group I am in).
Group 2 has NO access to anything (can't even perform show commands).
Group 2 CAN access other IOS devices and can perform the various show commands.
With regards to our authorization commands, we currently have it configured as:
aaa authorization commands default group <groupname> local
Why is it working for the one group, but not the other? I've read how IOS XR uses task Ids and other various things that I'm unfamiliar with. I'm mainly curious if I have to use those, if the authorized commands are configured in ACS.
Thanks!
Kyledont have enough info to give you a full conclusive answer Kyle, but some suspicions.
Task group not set right?
Command groups not defined properly in tacacs for command author.
if you only want show access, you can just use the task groups in XR with a read permission on any command for instance. no direct need to send every command down to tacacs (hate that slowness )
More info here:
https://supportforums.cisco.com/docs/DOC-15944
xander -
Configuring AAA Authorization on ACS 4.1
Hi,
Can anybody provide me links to any good documentation on how to configure AAA Authorization using Command Shell on the ACS 4.1 ? I would be really grateful if someone one can point me few links.
Thanks,
MeetHi
I would try looking at this link:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a0080088893.shtml
This describes how to plan, design and build shell cmd auth config in ACS.
Darran -
When forcing a tunnel-group to authorize users against an AAA server-group with a corresponding ldap attribute-map in that AAA group, does that mapping of usergroup->group-policy get passed up to the DAP process?
The document Common Problems in Debugging RADIUS, PAP and CHAP has more information on the debug outputs.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080093f4b.shtml#radnpap -
I have ACS configured and it works, need to grant selected users access to extended ping and extended trace route without level 15. I have configure the group settings to include permit ping and permit trace and every over variation but no extended ping is working.
The ports that Cisco Secure ACS listens to for communications with AAA clients, other Cisco Secure ACSes and applications, and web browsers. Cisco Secure ACS uses other ports to communicate with external user databases; however, it initiates those communications rather than listening to specific ports. In some cases, these ports are configurable, such as with LDAP and RADIUS token server databases. For more information about ports that a particular external user database listens to, see the documentation for that database.
http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a0080233623.html -
Per-device/per-user AAA authorization with Freeradius
Hi Folks
I'm using a Freeradius with local username database (no LDAP) for authentication.(working well)
I have various network devices in my network, and I would like to have custom authorization per user per device :
I would like to have 2 types of network admins, and 2 types of network devices, with the following rules :
-"Core devices" must be granted privilege level 15 for "Core admins"
-"Access devices" must be granted privilege level 15 for "Access admins" and "Core admins"
-"Core devices" must be granted privilege level 1 for "Access admins".
-There is now way "Access admins" can access to configuration mode on "Core devices" with enable command.
Any help and config example for freeradius and cisco side are very welcome
thanks
olivierHello Olivier,
I would like to suggest you to go to the below link . This document describes the procedure for Per-device user authentication.
http://wiki.freeradius.org/vendor/Cisco#Per-User-Privilege-Level
Hope this may help you -
AAA authorization with Cat Os on 5500 switches
Hi,
I am new to Cisco Secure and I was wondering if there is a solution to my task. I have been asked to allow only certain users the right to see the configuration on the cato os and ios based switches. The ios based switches seems doable but the cat ios doesn't. One switch I am looking at has cat os 4.5(6a) and that doesn't seem to support what I want to do. Outside of ciscoworks is there a solution?
TIA for any assistance.The Catalyst 5500's don't support command authorization until software version 5.4.
HTH
Steve -
Authorization in ACS 5.2
In ACS 5.2, when i add custom a shell profile to a rule in an authorization policy (used in a TACAS access service) it seems to be skipped.
I can see the rule is hit because the hitcount number increases (it hits because of the group id), and when i set the shell profile to deny access (as test), access is actually rejected. So i know the rule is hit, but anything i put in my custom shell profile at the common tasks tab (like an auto command or default/maximum privilege level) is not used.
The same goes for commands sets. When i add the set 'deny all commands' the user is still able to exceute all commands, although the rule is hit based on the group ID the user belongs to.
I must be doing something wrong, but i can't find my mistake.@ Edward; Same here, no authorization logging.
@ Nicolas; thanks for picking this up.
First of all, these are my AAA lines in the test 2901, running IOS 15.0.
aaa authentication login ACS-TAC group tacacs+ local
aaa authorization exec ACS-TAC group tacacs+ local
aaa authorization commands 0 ACS-TAC group tacacs+ local
aaa authorization commands 1 ACS-TAC group tacacs+ local
aaa authorization commands 15 ACS-TAC group tacacs+ local
I created a new Access service, of which the Identity part is working fine.
These rules are in the authorization policy:
This is rule1:
This is the Shell profile, just for test:
The command set is easy, denyallcommands. I want to add a specific command set for our service desk, but not before i can get it to work.
When i change the Shell profile of rule1 to DenyAccess i am not able to logon with the service desk account, so it looks like the authorization rule is actually used. -
Shell Command Authorization Sets ACS
hi i followed this guide step by step http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
but still all my user can use all the commands
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R3
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login milista group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common
memory-size iomem 5
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
multilink bundle-name authenticated
username admin privilege 15 secret 5 $1$CS17$3oeNpzTvJAyZTvOUP2qyB1
archive
log config
hidekeys
interface FastEthernet0/0
ip address 192.168.20.1 255.255.255.0
duplex auto
speed auto
interface Serial0/0
no ip address
shutdown
clock rate 2000000
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface Serial0/1
ip address 20.20.20.2 255.255.255.252
clock rate 2000000
interface Serial0/2
no ip address
shutdown
clock rate 2000000
interface Serial0/3
no ip address
shutdown
clock rate 2000000
router eigrp 1
network 20.0.0.0
network 192.168.20.0
no auto-summary
ip forward-protocol nd
no ip http server
no ip http secure-server
tacacs-server host 192.168.20.2 key cisco
control-plane
line con 0
exec-timeout 0 0
logging synchronous
login authentication milista
line aux 0
line vty 0 4
end
i copy the authorization commands from the cisco forum and follow the steps but no thing all my users have full access to all commands
heres my share profile
name-------------admin jr
Description---------for jr admin
unmatched commands------- ()permit (x)deny
permint unmatched args()
enable
show -------------------------- permit version<cr>
permit runnig-config<cr>
then i add this profifle to group 2 and then i add my user to the group 2
then i log in to the router enter with the user and i still can use ALL the commands i dont know what i am doign bad any idea?
can you give me if you can a guide to setup authorization with ACS i cant find any good guide jeremy from CBT gives a example but just for authentication i am lost i am battling with this prblem since wednesday without luck"you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
Correct me if I am wrong."
Regards
Vamsi -
AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN
Hi,
I have an ASA running fine on the network which provide L2L tunnel to remote site and provide Remote VPN for remote access users.
Currently, there is a need for the users to authenticate against an ACS server that located across the L2L VPN tunnel.
The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP Address.
I can ping the IP address of the ACS Server (which located at the remote site, IP addr: 10.10.10.56) from the ASA:
ping inside 10.10.10.56
However when I configure the ASA for the AAA group with commands:
aaa-server ACSAuth protocol radius
aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
Then when I do the show run, here is the result:
aaa-server ACSAuth protocol radius
aaa-server host 10.10.10.56
key AcsSecret123
From what I thought is, with this running config, traffic is not directed to the L2L VPN tunnel
(seems to be directed to the default gateway due to the default route information) which cause failure to do the AAA authentication.
Does anybody ever implement such this thing and whether is it possible? And if yes, how should be the config?
Your help will be really appreciated!
Thanks.
Best Regards,
JoAAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html -
Issue with ACS 4 and AAA. Port scan shows no Radius but does show tacacs
to start I am new to ACS so if this is an easy issue to solve please forgive me. I am trying to get Authentication working with ACS 4. I setup everything according to the instructions and when I try to test authentication with VPN concentrator I get a No active server found error. I have tried using an Internal user to start and I also have tried an AD account. If I port scan the ACS server I do not see it advertising port 1645 but I do see Port 49 for tacacs and I also see Ports 2000-2002. CSRadius is running.
Actually, to avoid any issues I made CSRadius listen on BOTH sets of ports :)
So unless that got changed without my knowing it should be listening on 1645/6 and 1812/3
Darra
Maybe you are looking for
-
So, the problem is, I used these school Macs right? They're school handed and stuff. Then one day I decided I want admin so I do this thing where I "reset" everything on the Macbook using this Video (at the bottom) http://www.wikihow.com/Reset-a-Lost
-
Can't download free Adobe Flash Player - Help
I tried to download free Adobe Flash Player or Adobe Reader (is the same) and appears in the screen the following message: "GetPlus+(R) The specified software requires a recent version of windows" and I can't proceed with instalation. I have already
-
How to hide the extra line when use the AI pen tool
When I use AI CC pen tool to draw a line, when i click the 1st anchor point, " - " shows next to the Poniter ( I did not drag ) ,I tried to move, but an extra line coming out before I click another point. So I could not draw lines or curves! Tha
-
How to manually retrieve Default Client Settings again
I have a question about Default Client Settings in SCCM 2012. In our Default Client Settings we've added two AD groups for Viewers of Remote Control and Remote Assistance (Administration>Client Settings>Default Client Settings>Properties>Remote Tools
-
I tried it and it works great!
I have my notebook for 4 days now, lastnight i touched the screen by accident and it made a mark. I took a napkin and wet it alittle and started rubbing the mark in a circular motion. Then i stopped buffing it and removed the napkin only to see it go