AAA command authorization in ACE

How do we enable AAA command authorization in the ACE module on 6500 switch.i dont find any aaa authorization commands in it .
Kind regards
Ullas

Hi,
See the ACE Security Guide - Chapter 2. You need to set a CiscoAVPair. How you do this will depend on the RADIUS software that you are using. It sounds like you're being put into Network-Monitor role by default. Quote from the manual:
"The user profile attribute serves an important configuration function for a RADIUS server group. If the user profile attribute is not obtained from the server during authentication, or if the profile is obtained from the server but the context name(s) in the profile do not match the context in which the user is trying to log in, a default role (Network-Monitor) and a default domain (default-domain) are assigned to the user if the authentication is successful."
There are postings in this and other Cisco fora about exactly how to set these values (which depends on your RADIUS server implementation).
HTH
Cathy

Similar Messages

  • AAA command authorization ASA

    I have aaa authentication working on my ASA with no problem. I have command authorization working for my account on all my IOS devices with TACACS+ and a Cisco ACS. I can not get command authorization to work on the ASA. Every time I enter the 'aaa authorization command CSACS-TACACS+' the system will not let me do anything else and gives me a user not authroized and the ACS shows no log of this request. I then have to reboot the ASA to get back in.
    Current commands
    aaa authentication ssh console CSACS-TACACS+
    aaa authentication http console CSACS-TACACS+
    Entered commands
    aaa authentication enable console CSACS-TACACS+
    aaa authorization command CSACS-TACACS+

    Douglas,
    Try the following configuration:
    aaa authentication ssh console CSACS-TACACS+
    aaa authentication http console CSACS-TACACS+
    aaa authentication enable console CSACS-TACACS+
    With the previous settings the ASA should be authenticating your username/password and the enable password against the ACS server, if this part works fine then authorization should also be working fine.
    Remember to keep another session open in privilege mode before testing "
    aaa authentication enable console CSACS-TACACS+" command. In the ACS server you should be seeing at least the authentication passed report.

  • AAA Command Authorization

    I have an ACS 4.0 device. In the shell command authorization set section, you have the ability to define permitted or denied commands (show) and arguments (running-config). I am limiting users to a specific set of commands. One of the commands is 'exit'. To my knowledge, 'exit' does not have any arguments. If I add 'exit' as a permitted command but enter nothing for the argument section, I get authorization failed at the router. If I select 'permit unmatched args' (for exit), authorization is successful. I would prefer to not select 'permit unmatched args'. Is there an argument for 'exit' that I am not aware of?

    It worked thanks. The ACS servers gives me an error saying the correct format is permit or deny followed by an argument, but the 'permit' has been saved and is working.
    Thanks again.

  • ASDM (ASA9.1) won't fully initiated when configured AAA command authorization

    ASA doesn't have any local account, all authentications is done via AAA.
    On AAA, we have two "groups" both assigned to privilege_15, one group (A) can issue all commands, another group (B) only can issue command sets we defined.
    Group A can login to ASDM without any problems.
    Group B can pass the login pop up, then start to load ASDM window, at the bottom it does show login user has privilede 15, then it's stopped at "parsing running configuration..." asd login screen pops up again, and I cannot pass it.
    I suspect it's somewhere in permisssion, can someone help? thanks.
    Leo Song

    Hello,
    There are some commands that are required in order to load the ASDM
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command blocks
    Make sure you have them
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • Nexus, command authorization using TACACS.

    Hello.
    Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.
    Thanks.
    Regards.
    Andrea

    Hi Andrea,
    We've moved onto ACS 5.3 now - but we had our Nexus 5520's running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:
    username admin password role network-admin ; local admin user
    feature tacacs+ ; enable the tacacs feature
    tacacs-server host key ; define key for tacacs server
    aaa group server tacacs+ tacacs ; create group called 'tacacs'
        server ;define tacacs server IP
        use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
        source-interface mgmt0 ; ...and send them from the mgmt interface
    aaa authentication login default group tacacs ; use tacacs for login auth
    aaa authentication login console group tacacs  ; use tacacs for console login auth
    aaa authorization config-commands default group tacacs local  ; use tacacs for config command authorization
    aaa authorization commands default group tacacs local  ; use tacacs for normal command authorization
    aaa accounting default group tacacs ; send accounting records to tacacs
    Hope that works for you!
    (That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only) so instead you pass back the nexus role to the 5k - and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k)
    Rob...

  • Failover exec and command authorization

    Hi, got into a dead end here. I have a pair of ASA firewalls running as active/standby. I'd like to use the 'failover exec' to issue commands on the standby firewall via the active one. This shouldn't be a problem, but we have AAA command authorization configured. And when the active ASA tries to issue a command on the stadby ASA, it gets a 'authorization denied' message. At the ACS we see the auth request being denied, the ASA sends the request using the 'enable_1' user, instead of using the same user connected to the active ASA.
    Any clues on how to go around this?
    thanks!

    Remote command execution lets you send commands entered at the command line to a specific failover peer.
    Because configuration commands are replicated from the active unit or context to the standby unit or context, you can use the failover exec command to enter configuration commands on the correct unit, no matter which unit you are logged-in to. For example, if you are logged-in to the standby unit, you can use the failover exec active command to send configuration changes to the active unit. Those changes are then replicated to the standby unit. Do not use the failover exec command to send configuration commands to the standby unit or context; those configuration changes are not replicated to the active unit and the two configurations will no longer be synchronized.
    To send a command to a failover peer, perform the steps given in the below URL:
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1154924
    The below URL helps you in configuring the Active/standby failover:
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1058096

  • Command authorization failed

    I have turned on the aaa command authorization without applying adequate privileges to the user. I can now login through that user but the ASA 5510 displays an error :
    ============================
    EUKFW2# show running-config
    ^
    ERROR: % Invalid input detected at '^' marker.
    ERROR: Command authorization failed
    ============================
    I am unable to make any configuration changes on the firewall. Is there any default user through which I can login and disable the aaa authorization ? if not, how can I resolve this situation ?

    No there is no default user. To make him login you need to make changes in the command author set.
    Make one command autho set in acs --->shared profile components.
    add-->give any name "Full access "---> Put radio button to permit and submit.
    Now go to that group-->Under Shell Command Authorization Set---> Choose--->Assign a Shell Command Authorization Set for any network device and select FULL ACCESS from list and submit apply.
    Now it should let you in.
    Caution : This is let that uses to issue all commands
    Find attached the way to set up command authorization.
    Trick here is to give all user prov lvl 15 and then apply command autho set.
    Having Priv lvl 15 does not mean that user will be able to issue all commands. User will only be able to issue commands that you have listed.
    Regards,
    ~JG
    Please rate if helps

  • Command authorization error when using aaa cache

    Hi,
    I'm trying to use the aaa cache mode for command authorization. But when I execute a command there is always an error message:
    % tty2 Unknown authorization method 6 set for list command
    The command is then always authorized against the tacacs server.
    The 'authentication login', 'authentication enable' and 'authorization exec' are using the cache properly.
    I have tried it with an Accesspoint AIR-AP1242AG-E-K9, IOS 12.3(8)JEA and a Catalyst WS-C3550-24PWR-SMI, IOS 12.2(35)SE with the same results.
    Deleting the cache entry and using only the tacacs group the error message disappears.
    Any suggestions?
    Thanks.
    Frank
    ======
    config
    ======
    aaa new-model
    aaa group server tacacs+ group_tacacs
    server 10.10.10.10
    server 10.10.10.11
    cache expiry 12
    cache authorization profile admin_user
    cache authentication profile admin_user
    aaa authentication login default cache group_tacacs group group_tacacs local
    aaa authentication enable default cache group_tacacs group group_tacacs enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default cache group_tacacs group group_tacacs local
    aaa authorization commands 15 default cache group_tacacs group group_tacacs local
    aaa accounting exec default start-stop group group_tacacs
    aaa cache profile admin_user
    profile admin no-auth
    aaa session-id common
    tacacs-server host 10.10.10.10 single-connection
    tacacs-server host 10.10.10.11 single-connection
    tacacs-server directed-request
    tacacs-server key 7 <removed>
    ============
    debug output
    ============
    ap#
    Feb 7 20:02:37: AAA/BIND(00000004): Bind i/f
    Feb 7 20:02:37: AAA/AUTHEN/CACHE(00000004): GET_USER for username NULL
    Feb 7 20:02:39: AAA/AUTHEN/CACHE(00000004): GET_PASSWORD for username admin
    Feb 7 20:02:42: AAA/AUTHEN/CACHE(00000004): PASS for username ^->o
    Feb 7 20:02:42: AAA/AUTHOR (0x4): Pick method list 'default'
    Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV cmd=
    Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV priv-lvl=15
    Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): Authorization successful
    ap#
    Feb 7 20:02:54: AAA: parse name=tty2 idb type=-1 tty=-1
    Feb 7 20:02:54: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
    Feb 7 20:02:54: AAA/MEMORY: create_user (0xBA9C34) user='admin' ruser='ap' ds0=0 port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
    Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Port='tty2' list='' service=CMD
    Feb 7 20:02:54: AAA/AUTHOR/CMD: tty2(787222339) user='admin'
    Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV service=shell
    Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd=show
    Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=running-config
    Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=<cr>
    Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): found list "default"
    Feb 7 20:02:54: % tty2 Unknown authorization method 6 set for list command
    Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = ERROR
    Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Method=group_tacacs (tacacs+)
    Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): user=admin
    Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV service=shell
    Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd=show
    Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=running-config
    Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=<cr>
    Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = PASS_ADD
    Feb 7 20:02:54: AAA/MEMORY: free_user (0xBA9C34) user='admin' ruser='ap' port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE
    priv=15 vrf= (id=0)

    Hi,
    I really do not think that command authorization results will be cached. The cache keeps the user credentials and attributes passed during exec authorization but for command authorization it would have to check with the tacacs server always.
    Regards,
    Vivek

  • Restrict aaa access using command authorization windows acs3.6

    i need to enable aaa users to shut and unshut interfaces but nothing else. i already have all the users and groups setup but when i modify the command auth set to include "configure" "permit term" they are given unrestricted access.
    any help appreciated

    On the router there's a:
    aaa authorization config-commands
    command, make sure you have that in. You then have to set up command authorization on the TACACS server to allow "interface permit any", "shutdown" and "no shutdown" commands.

  • 3640 - AAA/AUTHOR: config command authorization not enabled

    Hello, I have a 3640 router with c3640-ik9o3sw6-mz.122-8.T.bin version but when I try to validate the username and password with a radius server, the debbug message is "AAA/AUTHOR: config command authorization not enabled" and I'm sure that the radius validates the user and the packet arrive to the router.
    I've tried to update the IOS with c3640-ik9o3s-mz.122-46a.bin and I can validate but I cannot use "crypto isakmp client configuration group mygroup" to configure Easy VPN server.
    I attach you the files with config and logs.
    Thanks you in advance.

    Yep! I'm really running 12.1!
    I'm receiving the message once i include "aaa authorization exec default group radius local if-authenticated" in the config.
    Login is successful, however authorization does not allow me to go directly into enable mode. If I take the aaa authorization line out I can login to user mode and then use the enable password to move forward but that is not what I wish to achieve.
    sh run | i aaa
    aaa new-model
    aaa authentication attempts login 5
    aaa authentication banner ^C
    aaa authentication fail-message ^C
    aaa authentication login My-RADIUS group radius local
    aaa accounting exec My-RADIUS start-stop group radius
    aaa session-id common
    Is there somewhere specific I was suppose to configure the aaa authorization enabled, because I'm not seeing it.
    Let me know what other thoughts you may have.
    Thanks
    Nik

  • Configuring aaa local command authorization

    i am a bit struggling with how to configure aaa local command authorization, i am not getting any material also for configuring it. Please tell me how to configure aaa local command authorization.. or possible give me some useful links for that..

    Hi,
    For aaa authorization command set.Kindly refer to link.
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_command_reference_chapter09186a00800ca5d4.html
    I hope this help.Please rate this post.
    cheers
    Sachin

  • AAA -- Int range configuration gives "Command authorization failed" msg.

    Versions involved:
    AAA
    ACS 4.1.4.13.12
    Devices:
    C2960-LANBASE-M, Version 12.2(25)SEE3, RELEASE SOFTWARE (fc2)
    C3550-I9Q3L2-M, Version 12.1(14)EA1a, RELEASE SOFTWARE (fc1)
    If we try to configure a single interface or just a very small range, it works fine, but if we try to configure a larger range of interfaces, we get a Command authorization failed message, as can be seen below:
    HOST1184(config)#int range fastEthernet 0/1 - 3
    HOST1184(config-if-range)# switchport access vlan 24
    HOST1184(config-if-range)# switchport mode access
    HOST1184(config-if-range)# switchport voice vlan 301
    HOST1184(config-if-range)# dot1x pae authenticator
    HOST1184(config-if-range)# dot1x port-control auto
    HOST1184(config-if-range)# dot1x timeout reauth-period 7200
    HOST1184(config-if-range)# dot1x timeout supp-timeout 120
    HOST1184(config-if-range)# dot1x max-req 1
    HOST1184(config-if-range)# dot1x max-reauth-req 1
    HOST1184(config-if-range)# dot1x reauthentication
    HOST1184(config-if-range)# dot1x guest-vlan 280
    HOST1184(config-if-range)# spanning-tree portfast
    HOST1184(config-if-range)#!
    OST1184(config-if-range)#end
    HOST1184#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    HOST1184(config)#int range fastEthernet 0/4 - 14
    HOST1184(config-if-range)# switchport access vlan 24
    Command authorization failed.
    Command authorization failed.
    Command authorization failed.
    HOST1184(config-if-range)# switchport mode access
    HOST1184(config-if-range)# switchport voice vlan 301
    HOST1184(config-if-range)# dot1x pae authenticator
    HOST1184(config-if-range)# dot1x port-control auto
    Command authorization failed.
    HOST1184(config-if-range)# dot1x timeout reauth-period 7200
    Command authorization failed.
    HOST1184(config-if-range)# dot1x timeout supp-timeout 120
    Command authorization failed.
    HOST1184(config-if-range)# dot1x max-req 1
    Command authorization failed.
    HOST1184(config-if-range)# dot1x max-reauth-req 1
    Command authorization failed.
    HOST1184(config-if-range)# dot1x reauthentication
    Command authorization failed.
    HOST1184(config-if-range)# dot1x guest-vlan 280
    Command authorization failed.
    HOST1184(config-if-range)# spanning-tree portfast
    Command authorization failed.
    HOST1184(config-if-range)#!
    The pieces of config are as follows:
    aaa new-model
    aaa group server radius dot1x
    server 10.61.156.136 auth-port 1812 acct-port 1813
    aaa authentication login default group tacacs+ enable
    aaa authentication enable default group tacacs+ enable
    aaa authentication dot1x default group dot1x
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ if-authenticated none
    aaa authorization commands 0 default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    enable secret 5 <removed>
    logging 10.142.4.45
    snmp-server community <removed> RO
    snmp-server community <removed> RW
    snmp-server location "SD"
    snmp-server contact contact - [email protected]
    tacacs-server host A.B.C.D timeout 5 key <removed>
    tacacs-server host A.B.C.D timeout 5 key <removed>
    tacacs-server host A.B.C.D timeout 5 key <removed>
    no tacacs-server directed-request
    radius-server host 10.61.156.136 auth-port 1812 acct-port 1813 key 7 096E5C3D4851
    radius-server retransmit 3
    Anyone out there has a solution for such a problem?
    Regards,
    AL

    Hi JG, thanks for your response.
    I don't have the appliance close to me, so I cannot check on this setting.
    As soon as I have a chance, I will return with this info.
    Anyway, why does it work for other devices and also, why we don't have any problem when configuring a small range of interfaces?
    Once again, thanks for your reply.
    Regards,
    AL

  • Command authorization failed - 'AAA API' detected the 'fatal' condition 'No method could process the authorisation request' % Incomplete command.

    we are using CISCO ASR 9006 . and we configured aaa authentication and commit changes after that i am able to login ASR with local user but
    no any command execute and get error.
    Command authorization failed - 'AAA API' detected the 'fatal' condition 'No method could process the authorisation request'
    % Incomplete command.
    please help.

    Hi Anop
    How did you get over this problem? I am having the same issue.
    Regards
    Rohan

  • Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets

    Hello All,
    I am trying to create a user so that I can provide him only to run commands that I have designated them to run within my "Shell Command Authorization Set". This seems to work great, however I cannot find anywhere I can "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option to only display commands the user has access to in ACS.
    My Steps:
    Created a user in ACS
    Shared Profile Components
    Create Shell command Autorization Set - "ReadOnly"
    Unmatched Commands - Deny
    Unchecked - Permit Unmatched Arg
    Commands Added
    permit interface
    permit vlan
    permit snmp contact
    permit power inline
    permit version
    permit switch
    permit controllers utilization
    permit env all
    permit snmp location
    permit ip http server status
    permit logging
    Created a group - "GroupTest" with the following
    Confirgured - Network Access Restrictions (NAR)
    Max Sessions - Unlimited
    Enable Options - No Enable Privilege
    TACACS+ Settings
    Shell (exec)
    Priviledge level is check with 1 as the assigned level
    Shell Command Authorization Set
    "ReadOnly" - Assign a Shell Command Authorization Set for any network device
    I have configured following on my Router/Switch
    aaa authorization config-commands
    aaa authorization commands 1 default group tacacs+ if-authenticated
    privilege exec level 1 show log
    I have attached below the documention I have gone over.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624

    "you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
    Correct me if I am wrong."
    Regards
    Vamsi

  • Command authorization issue.

    Hello.
    I'm using commands authorization with Cisco Secure ACS 4.1. This morning I'm going to set the MOTD and entries fail because my banner starts with a blank.
    The shell command set that I'm using is a "permit unmatched commands".
    Any idea?
    Thanks.
    Andrea

    What you're experiencing is a known defect:
    CSCtg38468    cat4k/IOS: banner exec failed with blank characters
    Symptom:
    %PARSE_RC-4-PRC_NON_COMPLIANCE:
    The above parser error can be seen together with traceback, when configuring a banner containing a blank character at the begining of line.
    Conditions:
    Problem happens, when AAA authorization is used together with TACACS+
    Workaround:
    Make sure there is no blank character at the begining of line in the banner message.
    Problem Details: trying to configure banner exec with blank character at beginning of line failed.
    This happens when configuring the banner exec via telnet/ssh !
    When configuring the same banner exec via console-port, everything is fine.
    Note the blank characters at beginning of each line. When removing those, banner exec works fine.
    Again, this was working till IOS version 12.2(46)SG.
    Beginning with 12.2(50)SG1 and up, the behaviour has changed.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

Maybe you are looking for