AAA command authorization in ACE
How do we enable AAA command authorization in the ACE module on a 6500 switch? I don't find any aaa authorization commands in it.
Kind regards
Ullas
Hi,
See the ACE Security Guide - Chapter 2. You need to set a CiscoAVPair. How you do this will depend on the RADIUS software that you are using. It sounds like you're being put into Network-Monitor role by default. Quote from the manual:
"The user profile attribute serves an important configuration function for a RADIUS server group. If the user profile attribute is not obtained from the server during authentication, or if the profile is obtained from the server but the context name(s) in the profile do not match the context in which the user is trying to log in, a default role (Network-Monitor) and a default domain (default-domain) are assigned to the user if the authentication is successful."
There are postings in this and other Cisco fora about exactly how to set these values (which depends on your RADIUS server implementation).
HTH
Cathy
Similar Messages
-
I have aaa authentication working on my ASA with no problem. I have command authorization working for my account on all my IOS devices with TACACS+ and a Cisco ACS. I cannot get command authorization to work on the ASA. Every time I enter the 'aaa authorization command CSACS-TACACS+' the system will not let me do anything else and gives me a 'user not authorized', and the ACS shows no log of this request. I then have to reboot the ASA to get back in.
Current commands
aaa authentication ssh console CSACS-TACACS+
aaa authentication http console CSACS-TACACS+
Entered commands
aaa authentication enable console CSACS-TACACS+
aaa authorization command CSACS-TACACS+
Douglas,
Try the following configuration:
aaa authentication ssh console CSACS-TACACS+
aaa authentication http console CSACS-TACACS+
aaa authentication enable console CSACS-TACACS+
With the previous settings the ASA should be authenticating your username/password and the enable password against the ACS server, if this part works fine then authorization should also be working fine.
Remember to keep another session open in privilege mode before testing the "aaa authentication enable console CSACS-TACACS+" command. In the ACS server you should be seeing at least the authentication passed report. -
I have an ACS 4.0 device. In the shell command authorization set section, you have the ability to define permitted or denied commands (show) and arguments (running-config). I am limiting users to a specific set of commands. One of the commands is 'exit'. To my knowledge, 'exit' does not have any arguments. If I add 'exit' as a permitted command but enter nothing for the argument section, I get authorization failed at the router. If I select 'permit unmatched args' (for exit), authorization is successful. I would prefer to not select 'permit unmatched args'. Is there an argument for 'exit' that I am not aware of?
It worked thanks. The ACS servers gives me an error saying the correct format is permit or deny followed by an argument, but the 'permit' has been saved and is working.
Thanks again. -
ASDM (ASA9.1) won't fully initiated when configured AAA command authorization
ASA doesn't have any local account, all authentications is done via AAA.
On AAA, we have two "groups" both assigned to privilege_15, one group (A) can issue all commands, another group (B) only can issue command sets we defined.
Group A can login to ASDM without any problems.
Group B can pass the login pop-up, then starts to load the ASDM window; at the bottom it does show the login user has privilege 15, then it stops at "parsing running configuration...", the ASDM login screen pops up again, and I cannot pass it.
I suspect it's somewhere in permissions, can someone help? Thanks.
Leo Song
Hello,
There are some commands that are required in order to load the ASDM
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command blocks
Make sure you have them
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com -
Nexus, command authorization using TACACS.
Hello.
Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.
Thanks.
Regards.
Andrea
Hi Andrea,
We've moved onto ACS 5.3 now - but we had our Nexus 5520's running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:
username admin password role network-admin ; local admin user
feature tacacs+ ; enable the tacacs feature
tacacs-server host key ; define key for tacacs server
aaa group server tacacs+ tacacs ; create group called 'tacacs'
server ;define tacacs server IP
use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
source-interface mgmt0 ; ...and send them from the mgmt interface
aaa authentication login default group tacacs ; use tacacs for login auth
aaa authentication login console group tacacs ; use tacacs for console login auth
aaa authorization config-commands default group tacacs local ; use tacacs for config command authorization
aaa authorization commands default group tacacs local ; use tacacs for normal command authorization
aaa accounting default group tacacs ; send accounting records to tacacs
Hope that works for you!
(That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only) so instead you pass back the nexus role to the 5k - and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k)
Rob... -
Failover exec and command authorization
Hi, got into a dead end here. I have a pair of ASA firewalls running as active/standby. I'd like to use 'failover exec' to issue commands on the standby firewall via the active one. This shouldn't be a problem, but we have AAA command authorization configured. And when the active ASA tries to issue a command on the standby ASA, it gets an 'authorization denied' message. At the ACS we see the auth request being denied; the ASA sends the request using the 'enable_1' user, instead of using the same user connected to the active ASA.
Any clues on how to go around this?
thanks!
Remote command execution lets you send commands entered at the command line to a specific failover peer.
Because configuration commands are replicated from the active unit or context to the standby unit or context, you can use the failover exec command to enter configuration commands on the correct unit, no matter which unit you are logged-in to. For example, if you are logged-in to the standby unit, you can use the failover exec active command to send configuration changes to the active unit. Those changes are then replicated to the standby unit. Do not use the failover exec command to send configuration commands to the standby unit or context; those configuration changes are not replicated to the active unit and the two configurations will no longer be synchronized.
To send a command to a failover peer, perform the steps given in the below URL:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1154924
The below URL helps you in configuring the Active/standby failover:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1058096 -
I have turned on aaa command authorization without applying adequate privileges to the user. I can now log in through that user but the ASA 5510 displays an error:
============================
EUKFW2# show running-config
^
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed
============================
I am unable to make any configuration changes on the firewall. Is there any default user through which I can log in and disable the aaa authorization? If not, how can I resolve this situation?
No, there is no default user. To let him log in you need to make changes in the command authorization set.
Make one command authorization set in ACS ---> Shared Profile Components.
Add --> give any name "Full access" ---> put the radio button to permit and submit.
Now go to that group --> under Shell Command Authorization Set ---> choose ---> Assign a Shell Command Authorization Set for any network device, select FULL ACCESS from the list, submit and apply.
Now it should let you in.
Caution: this lets that user issue all commands.
Find attached the way to set up command authorization.
Trick here is to give all users priv lvl 15 and then apply the command authorization set.
Having priv lvl 15 does not mean that the user will be able to issue all commands. The user will only be able to issue the commands that you have listed.
Regards,
~JG
Please rate if helps -
Command authorization error when using aaa cache
Hi,
I'm trying to use the aaa cache mode for command authorization. But when I execute a command there is always an error message:
% tty2 Unknown authorization method 6 set for list command
The command is then always authorized against the tacacs server.
The 'authentication login', 'authentication enable' and 'authorization exec' are using the cache properly.
I have tried it with an access point AIR-AP1242AG-E-K9, IOS 12.3(8)JEA and a Catalyst WS-C3550-24PWR-SMI, IOS 12.2(35)SE with the same results.
When I delete the cache entry and use only the tacacs group, the error message disappears.
Any suggestions?
Thanks.
Frank
======
config
======
aaa new-model
aaa group server tacacs+ group_tacacs
server 10.10.10.10
server 10.10.10.11
cache expiry 12
cache authorization profile admin_user
cache authentication profile admin_user
aaa authentication login default cache group_tacacs group group_tacacs local
aaa authentication enable default cache group_tacacs group group_tacacs enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default cache group_tacacs group group_tacacs local
aaa authorization commands 15 default cache group_tacacs group group_tacacs local
aaa accounting exec default start-stop group group_tacacs
aaa cache profile admin_user
profile admin no-auth
aaa session-id common
tacacs-server host 10.10.10.10 single-connection
tacacs-server host 10.10.10.11 single-connection
tacacs-server directed-request
tacacs-server key 7 <removed>
============
debug output
============
ap#
Feb 7 20:02:37: AAA/BIND(00000004): Bind i/f
Feb 7 20:02:37: AAA/AUTHEN/CACHE(00000004): GET_USER for username NULL
Feb 7 20:02:39: AAA/AUTHEN/CACHE(00000004): GET_PASSWORD for username admin
Feb 7 20:02:42: AAA/AUTHEN/CACHE(00000004): PASS for username ^->o
Feb 7 20:02:42: AAA/AUTHOR (0x4): Pick method list 'default'
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV cmd=
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV priv-lvl=15
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): Authorization successful
ap#
Feb 7 20:02:54: AAA: parse name=tty2 idb type=-1 tty=-1
Feb 7 20:02:54: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Feb 7 20:02:54: AAA/MEMORY: create_user (0xBA9C34) user='admin' ruser='ap' ds0=0 port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Port='tty2' list='' service=CMD
Feb 7 20:02:54: AAA/AUTHOR/CMD: tty2(787222339) user='admin'
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV service=shell
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd=show
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): found list "default"
Feb 7 20:02:54: % tty2 Unknown authorization method 6 set for list command
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = ERROR
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Method=group_tacacs (tacacs+)
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): user=admin
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV service=shell
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd=show
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = PASS_ADD
Feb 7 20:02:54: AAA/MEMORY: free_user (0xBA9C34) user='admin' ruser='ap' port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE
priv=15 vrf= (id=0)
Hi,
I really do not think that command authorization results will be cached. The cache keeps the user credentials and attributes passed during exec authorization but for command authorization it would have to check with the tacacs server always.
Regards,
Vivek -
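The debug above is easier to audit once the lines are grouped by the request id in parentheses. The following Python is an added example, not code from the post or from Cisco: it parses the AAA/AUTHOR/CMD lines quoted above (request 787222339) plus one constructed request (787222340) that the TACACS+ server denies, rebuilds the command from the cmd/cmd-arg AV pairs, records every 'Post authorization status' a method returns, and flags requests where one method returned ERROR before another method gave the final verdict, which is what the 'Unknown authorization method 6' line shows for the cache method. The regular expressions assume the 12.2/12.3 debug format shown in the post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the per-command lines from the 'debug aaa authorization'
# output quoted in the post (request 787222339), followed by a second, constructed
# request (787222340) that the TACACS+ server denies outright.
SAMPLE_DEBUG = """\
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Port='tty2' list='' service=CMD
Feb 7 20:02:54: AAA/AUTHOR/CMD: tty2(787222339) user='admin'
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV service=shell
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd=show
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): found list "default"
Feb 7 20:02:54: % tty2 Unknown authorization method 6 set for list command
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = ERROR
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Method=group_tacacs (tacacs+)
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): user=admin
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV service=shell
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd=show
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = PASS_ADD
Feb 7 20:03:10: tty2 AAA/AUTHOR/CMD(787222340): Port='tty2' list='' service=CMD
Feb 7 20:03:10: AAA/AUTHOR/CMD: tty2(787222340) user='admin'
Feb 7 20:03:10: tty2 AAA/AUTHOR/CMD(787222340): send AV service=shell
Feb 7 20:03:10: tty2 AAA/AUTHOR/CMD(787222340): send AV cmd=configure
Feb 7 20:03:10: tty2 AAA/AUTHOR/CMD(787222340): send AV cmd-arg=terminal
Feb 7 20:03:10: tty2 AAA/AUTHOR/CMD(787222340): send AV cmd-arg=<cr>
Feb 7 20:03:10: tty2 AAA/AUTHOR/CMD(787222340): Method=group_tacacs (tacacs+)
Feb 7 20:03:10: AAA/AUTHOR (787222340): Post authorization status = FAIL
"""

ID_RE = re.compile(r"\((\d+)\)")                     # request id, e.g. (787222339)
USER_RE = re.compile(r"user='?([^'\s]+)'?")
CMD_RE = re.compile(r"send AV cmd=(\S+)")
ARG_RE = re.compile(r"send AV cmd-arg=(\S+)")
METHOD_RE = re.compile(r"Method=(\S+)")
STATUS_RE = re.compile(r"Post authorization status = (\w+)")
UNKNOWN_RE = re.compile(r"(Unknown authorization method \d+ set for list \w+)")


@dataclass
class AuthzRequest:
    req_id: str
    user: Optional[str] = None
    cmd: Optional[str] = None
    args: List[str] = field(default_factory=list)
    methods: List[str] = field(default_factory=list)   # methods that were actually tried
    statuses: List[str] = field(default_factory=list)  # one status per method, in order
    errors: List[str] = field(default_factory=list)

    @property
    def command(self) -> str:
        # IOS sends the typed line as cmd + one cmd-arg per word + a trailing <cr>.
        return " ".join([self.cmd or ""] + [a for a in self.args if a != "<cr>"]).strip()

    def final_status(self) -> Optional[str]:
        return self.statuses[-1] if self.statuses else None


def parse_author_debug(text: str) -> Dict[str, AuthzRequest]:
    """Group debug lines by request id; lines without an id (the '%' error) go to the current request."""
    requests: Dict[str, AuthzRequest] = {}
    current: Optional[AuthzRequest] = None
    for line in text.splitlines():
        if (m := ID_RE.search(line)):
            current = requests.setdefault(m.group(1), AuthzRequest(m.group(1)))
        if current is None:
            continue
        if "AAA/AUTHOR/CMD" in line:  # the generic CMD lines; the TAC+ lines repeat the same AVs
            if (m := USER_RE.search(line)):
                current.user = m.group(1)
            if (m := CMD_RE.search(line)):
                current.cmd = m.group(1)
            if (m := ARG_RE.search(line)):
                current.args.append(m.group(1))
            if (m := METHOD_RE.search(line)):
                current.methods.append(m.group(1))
        if (m := STATUS_RE.search(line)):
            current.statuses.append(m.group(1))
        if (m := UNKNOWN_RE.search(line)):
            current.errors.append(m.group(1))
    return requests


def fell_through(requests: Dict[str, AuthzRequest]) -> List[str]:
    """Request ids where a method answered ERROR and a later method then decided the outcome."""
    return [r.req_id for r in requests.values() if "ERROR" in r.statuses[:-1]]


def report(requests: Dict[str, AuthzRequest]) -> List[str]:
    lines = []
    for r in requests.values():
        lines.append(f"{r.req_id} user={r.user} cmd='{r.command}' "
                     f"methods={','.join(r.methods) or 'none'} result={r.final_status()}")
        lines.extend(f"    warning: {e}" for e in r.errors)
    return lines


if __name__ == "__main__":
    parsed = parse_author_debug(SAMPLE_DEBUG)
    print("\n".join(report(parsed)))
    print("fell through to a later method:", fell_through(parsed))
```

Run against a real capture, the report makes two things visible at a glance: which method actually decided each command (here always group_tacacs, never the cache, consistent with the reply above), and any request whose first method errored rather than answered, which is the condition worth alerting on because the device's final verdict then depends entirely on the next method in the list.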
Restrict aaa access using command authorization windows acs3.6
I need to enable aaa users to shut and unshut interfaces but nothing else. I already have all the users and groups set up, but when I modify the command auth set to include "configure" "permit term" they are given unrestricted access.
Any help appreciated
On the router there's a:
aaa authorization config-commands
command, make sure you have that in. You then have to set up command authorization on the TACACS server to allow "interface permit any", "shutdown" and "no shutdown" commands. -
3640 - AAA/AUTHOR: config command authorization not enabled
Hello, I have a 3640 router with the c3640-ik9o3sw6-mz.122-8.T.bin version, but when I try to validate the username and password with a RADIUS server, the debug message is "AAA/AUTHOR: config command authorization not enabled", and I'm sure that the RADIUS server validates the user and the packet arrives at the router.
I've tried to update the IOS with c3640-ik9o3s-mz.122-46a.bin and I can validate but I cannot use "crypto isakmp client configuration group mygroup" to configure Easy VPN server.
I attach the files with config and logs.
Thank you in advance.
Yep! I'm really running 12.1!
I'm receiving the message once i include "aaa authorization exec default group radius local if-authenticated" in the config.
Login is successful, however authorization does not allow me to go directly into enable mode. If I take the aaa authorization line out I can login to user mode and then use the enable password to move forward but that is not what I wish to achieve.
sh run | i aaa
aaa new-model
aaa authentication attempts login 5
aaa authentication banner ^C
aaa authentication fail-message ^C
aaa authentication login My-RADIUS group radius local
aaa accounting exec My-RADIUS start-stop group radius
aaa session-id common
Is there somewhere specific I was supposed to configure the aaa authorization enable, because I'm not seeing it.
Let me know what other thoughts you may have.
Thanks
Nik -
Configuring aaa local command authorization
I am struggling a bit with how to configure aaa local command authorization, and I am not finding any material on configuring it either. Please tell me how to configure aaa local command authorization, or possibly give me some useful links for that.
Hi,
For the aaa authorization command set, kindly refer to this link.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_command_reference_chapter09186a00800ca5d4.html
I hope this helps. Please rate this post.
cheers
Sachin -
AAA -- Int range configuration gives "Command authorization failed" msg.
Versions involved:
AAA
ACS 4.1.4.13.12
Devices:
C2960-LANBASE-M, Version 12.2(25)SEE3, RELEASE SOFTWARE (fc2)
C3550-I9Q3L2-M, Version 12.1(14)EA1a, RELEASE SOFTWARE (fc1)
If we try to configure a single interface or just a very small range, it works fine, but if we try to configure a larger range of interfaces, we get a Command authorization failed message, as can be seen below:
HOST1184(config)#int range fastEthernet 0/1 - 3
HOST1184(config-if-range)# switchport access vlan 24
HOST1184(config-if-range)# switchport mode access
HOST1184(config-if-range)# switchport voice vlan 301
HOST1184(config-if-range)# dot1x pae authenticator
HOST1184(config-if-range)# dot1x port-control auto
HOST1184(config-if-range)# dot1x timeout reauth-period 7200
HOST1184(config-if-range)# dot1x timeout supp-timeout 120
HOST1184(config-if-range)# dot1x max-req 1
HOST1184(config-if-range)# dot1x max-reauth-req 1
HOST1184(config-if-range)# dot1x reauthentication
HOST1184(config-if-range)# dot1x guest-vlan 280
HOST1184(config-if-range)# spanning-tree portfast
HOST1184(config-if-range)#!
OST1184(config-if-range)#end
HOST1184#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HOST1184(config)#int range fastEthernet 0/4 - 14
HOST1184(config-if-range)# switchport access vlan 24
Command authorization failed.
Command authorization failed.
Command authorization failed.
HOST1184(config-if-range)# switchport mode access
HOST1184(config-if-range)# switchport voice vlan 301
HOST1184(config-if-range)# dot1x pae authenticator
HOST1184(config-if-range)# dot1x port-control auto
Command authorization failed.
HOST1184(config-if-range)# dot1x timeout reauth-period 7200
Command authorization failed.
HOST1184(config-if-range)# dot1x timeout supp-timeout 120
Command authorization failed.
HOST1184(config-if-range)# dot1x max-req 1
Command authorization failed.
HOST1184(config-if-range)# dot1x max-reauth-req 1
Command authorization failed.
HOST1184(config-if-range)# dot1x reauthentication
Command authorization failed.
HOST1184(config-if-range)# dot1x guest-vlan 280
Command authorization failed.
HOST1184(config-if-range)# spanning-tree portfast
Command authorization failed.
HOST1184(config-if-range)#!
The pieces of config are as follows:
aaa new-model
aaa group server radius dot1x
server 10.61.156.136 auth-port 1812 acct-port 1813
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group dot1x
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated none
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
enable secret 5 <removed>
logging 10.142.4.45
snmp-server community <removed> RO
snmp-server community <removed> RW
snmp-server location "SD"
snmp-server contact contact - [email protected]
tacacs-server host A.B.C.D timeout 5 key <removed>
tacacs-server host A.B.C.D timeout 5 key <removed>
tacacs-server host A.B.C.D timeout 5 key <removed>
no tacacs-server directed-request
radius-server host 10.61.156.136 auth-port 1812 acct-port 1813 key 7 096E5C3D4851
radius-server retransmit 3
Anyone out there has a solution for such a problem?
Regards,
AL
Hi JG, thanks for your response.
I don't have the appliance close to me, so I cannot check on this setting.
As soon as I have a chance, I will return with this info.
Anyway, why does it work for other devices, and also, why don't we have any problem when configuring a small range of interfaces?
Once again, thanks for your reply.
Regards,
AL -
We are using a Cisco ASR 9006, and we configured aaa authentication and committed the changes. After that I am able to log in to the ASR with a local user, but
no command executes and I get an error.
Command authorization failed - 'AAA API' detected the 'fatal' condition 'No method could process the authorisation request'
% Incomplete command.
Please help.
Hi Anop
How did you get over this problem? I am having the same issue.
Regards
Rohan -
Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets
Hello All,
I am trying to create a user who can run only the commands I have designated within my "Shell Command Authorization Set". This seems to work great, however I cannot find anywhere I can "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option in ACS to only display commands the user has access to.
My Steps:
Created a user in ACS
Shared Profile Components
Create Shell Command Authorization Set - "ReadOnly"
Unmatched Commands - Deny
Unchecked - Permit Unmatched Arg
Commands Added
permit interface
permit vlan
permit snmp contact
permit power inline
permit version
permit switch
permit controllers utilization
permit env all
permit snmp location
permit ip http server status
permit logging
Created a group - "GroupTest" with the following
Configured - Network Access Restrictions (NAR)
Max Sessions - Unlimited
Enable Options - No Enable Privilege
TACACS+ Settings
Shell (exec)
Privilege level is checked with 1 as the assigned level
Shell Command Authorization Set
"ReadOnly" - Assign a Shell Command Authorization Set for any network device
I have configured following on my Router/Switch
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ if-authenticated
privilege exec level 1 show log
I have attached below the documentation I have gone over.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624
"You are testing with privilege level 15 or below 15. When you are using a below-15 level user, it will first check the local command authorization set. For example, if you want to execute the sh runn command with a level 5 user, it will first check the local command set. If the sh runn command exists in the local command set then it will send the request to ACS. If it is not in the command set, it won't send the request to ACS. That's why you don't see the debug. For level 15 users it will directly send the request to ACS. Configure the command set locally and try; it should work.
Correct me if I am wrong."
Regards
Vamsi -
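To see why 'exit' fails without 'permit unmatched args' (the ACS 4.0 thread earlier on this page) and what the "ReadOnly" set above does and does not permit, here is an added Python model of a shell command authorization set. It is not ACS code, and its matching rules are an assumption chosen to reproduce the behaviour reported in both posts: the first word of the typed line is the command, the remaining words (minus the trailing <cr> that IOS sends as a cmd-arg, as the debug output earlier on the page shows) are matched as one string against the set's argument regexes in order, a command not in the set gets the set's unmatched-commands verdict, and an argument string that matches no rule, the empty string included, is permitted only when 'permit unmatched args' is on.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Verdict = Tuple[str, str]  # ("permit" | "deny", human-readable reason)


@dataclass
class CommandEntry:
    """One command in the set, with its argument lines in the order they are listed."""
    arg_rules: List[Tuple[str, str]] = field(default_factory=list)  # ("permit"|"deny", regex)
    permit_unmatched_args: bool = False                             # the 'Permit Unmatched Args' box


@dataclass
class CommandAuthzSet:
    name: str
    unmatched_commands: str = "deny"  # 'Unmatched Commands' radio button
    commands: Dict[str, CommandEntry] = field(default_factory=dict)

    def evaluate(self, cmd: str, args: List[str]) -> Verdict:
        entry = self.commands.get(cmd)
        if entry is None:
            return self.unmatched_commands, f"'{cmd}' not listed; unmatched commands -> {self.unmatched_commands}"
        # Assumption of this model: the trailing <cr> is dropped and the rest is matched as one string.
        arg_string = " ".join(a for a in args if a != "<cr>")
        for verdict, pattern in entry.arg_rules:
            if re.search(pattern, arg_string):
                return verdict, f"'{arg_string}' matched rule '{verdict} {pattern}'"
        if entry.permit_unmatched_args:
            return "permit", f"'{arg_string}' unmatched; permit unmatched args is on"
        return "deny", f"'{arg_string}' unmatched; permit unmatched args is off"


def split_like_ios(line: str) -> Tuple[str, List[str]]:
    """Split a typed line the way the debug shows IOS sends it: cmd=<first word>, cmd-arg=<each word>, cmd-arg=<cr>."""
    words = line.split()
    return words[0], words[1:] + ["<cr>"]


def authorize(authz_set: CommandAuthzSet, line: str) -> Verdict:
    cmd, args = split_like_ios(line)
    return authz_set.evaluate(cmd, args)


def build_readonly_set() -> CommandAuthzSet:
    """The 'ReadOnly' set from the post above: 'show' with the listed arguments, unmatched commands denied."""
    show = CommandEntry(arg_rules=[("permit", p) for p in (
        "interface", "vlan", "snmp contact", "power inline", "version", "switch",
        "controllers utilization", "env all", "snmp location", "ip http server status", "logging")])
    return CommandAuthzSet("ReadOnly", unmatched_commands="deny", commands={"show": show})


def build_exit_set(permit_unmatched_args: bool) -> CommandAuthzSet:
    """The 'exit' case from the ACS 4.0 thread: 'exit' permitted with no argument lines at all."""
    return CommandAuthzSet("ExitOnly", commands={"exit": CommandEntry(permit_unmatched_args=permit_unmatched_args)})


if __name__ == "__main__":
    ro = build_readonly_set()
    for typed in ("show version", "show running-config", "configure terminal", "show switchport"):
        print(f"{typed!r:28} -> {authorize(ro, typed)}")
    print("exit, box off ->", authorize(build_exit_set(False), "exit"))
    print("exit, box on  ->", authorize(build_exit_set(True), "exit"))
```

Two things the model makes concrete. First, 'exit' carries an empty argument string, and an empty string with no argument line to match it is still "unmatched", which is why the box has to be ticked for that one command (or, under this model, a single `permit .*` line added for it, which keeps the box off for everything else). Second, the argument lines are regular expressions matched anywhere in the string, so `switch` also permits `show switchport`; anchor the pattern (`^switch$`) when an exact argument is meant. The model deliberately does not include the IOS-side privilege-level and local command set check that the quoted reply describes; that happens on the device before any request reaches ACS.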
Command authorization issue.
Hello.
I'm using commands authorization with Cisco Secure ACS 4.1. This morning I'm going to set the MOTD and entries fail because my banner starts with a blank.
The shell command set that I'm using is a "permit unmatched commands".
Any idea?
Thanks.
Andrea
What you're experiencing is a known defect:
CSCtg38468 cat4k/IOS: banner exec failed with blank characters
Symptom:
%PARSE_RC-4-PRC_NON_COMPLIANCE:
The above parser error can be seen together with a traceback when configuring a banner containing a blank character at the beginning of a line.
Conditions:
Problem happens, when AAA authorization is used together with TACACS+
Workaround:
Make sure there is no blank character at the beginning of a line in the banner message.
Problem Details: trying to configure banner exec with blank character at beginning of line failed.
This happens when configuring the banner exec via telnet/ssh !
When configuring the same banner exec via console-port, everything is fine.
Note the blank characters at beginning of each line. When removing those, banner exec works fine.
Again, this was working till IOS version 12.2(46)SG.
Beginning with 12.2(50)SG1 and up, the behaviour has changed.
~BR
Jatin Katyal
**Do rate helpful posts**