ACS 4.2 Service denied service=shell cmd*

Hi,
I am trying to set up ACS 4.2 for authentication to Windows AD 2003; dial-in is enabled.
I get this error message in the ACS when I try to log on from our switch:
Service denied service=shell cmd*
Any suggestion?
Regards, Jan

Jan,
It seems you have command authorization configured in ACS. Make sure you have Shell (exec) checked on ACS ---> Group Setup.
Regards,
~JG
Do rate helpful posts

Similar Messages

  • Author Service denied on service=shell

    Hello,
    In an ACS 3.3 environment, the shell (exec) service is enabled to check users' command authorizations (outbound direction).
    Normally commands are permitted or denied according to the users/groups configuration.
    Sometimes... the service seems disabled and all authorizations fail...!
    When it happens, the Failed Attempts log looks like the example below:
    27/04/2010,10:11:35,Author failed,user1,Group1,10.1.50.21,,Command denied,service=shell cmd=http 66.xx.xx.xx,80 ----> Correct
    27/04/2010,10:11:36,Author failed,user1,Group1,10.1.50.21,,Service denied,service=shell cmd=http 66.xx.xx.xx,80 ---> Wrong, "Cmd denied" as above
    27/04/2010,10:12:10,Author failed,User2,Group2,10.1.50.22,,Service denied,service=shell cmd=https 213.xx.xx.xx,443 ---> Wrong, normally it's permit
    27/04/2010,10:12:32,Author failed,User3,Group3,10.1.50.24,,Service denied,service=shell cmd=https 212.xx.xx.xx,443 ---> Wrong, normally it's permit
    27/04/2010,10:12:32,Author failed,User4,Group4,10.1.50.26,,Service denied,service=shell cmd=https 212.xx.xx.xx,443 ---> Wrong, normally it's permit
    To restore normal authorization checking, we restart the CSTacacs service; below is the TACACS service's log:
    TCS 27/04/2010 10:11:36 E 0155 4060 AAAClient1: user 'user1' using an invalid service: shell
    TCS 27/04/2010 10:12:10 E 0155 4060 AAAClient1: user 'user2' using an invalid service: shell
    TCS 27/04/2010 10:12:32 E 0155 4060 AAAClient1: user 'user3' using an invalid service: shell
    TCS 27/04/2010 10:12:32 E 0155 4060 AAAClient1: user 'user4' using an invalid service: shell
    TCS 27/04/2010 10:12:34 A 0651 2864 Server stop requested
    TCS 27/04/2010 10:12:34 A 1256 0348 Release Host Cache
    TCS 27/04/2010 10:12:34 A 1262 0348 Close Proxy Cache
    TCS 27/04/2010 10:12:34 A 1285 0348 Calling CMFini()
    TCS 27/04/2010 10:12:35 A 1287 0348 CMFini() Complete
    TCS 27/04/2010 10:12:35 A 1301 0348 Closing Password Aging
    TCS 27/04/2010 10:12:35 A 1314 0348 Closing Finished
    TCS 27/04/2010 10:12:37 A 5020 0520 CSTacacs server starting ==============================
    TCS 27/04/2010 10:12:37 A 5026 0520 Running as NT service.
    TCS 27/04/2010 10:12:38 E 1051 0520 Doing Stats
    TCS 27/04/2010 10:12:38 A 1092 0520 **** Registry Setup ****
    TCS 27/04/2010 10:12:38 A 1119 0520 Single TCP connection operation enabled
    TCS 27/04/2010 10:12:38 A 1129 0520 Base Proxy enabled.
    TCS 27/04/2010 10:12:38 A 1196 0520 ************************
    TCS 27/04/2010 10:12:38 E 1083 0520 TACACS+ server started
    Any idea/suggestion about this problem? Is it a known "bug"?
    Thanks a lot in advance!
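
The two failure codes quoted above mean different things: "Command denied" is ACS applying the command set, while "Service denied" for service=shell is the shell service itself being refused, which the poster clears by restarting CSTacacs. As an added example (not code from the post or from ACS), here is a small Python triage over constructed Failed Attempts records built from the lines above; the column names for the leading fields are an assumption, and the parser keeps the comma inside the author data intact.

```python
from collections import Counter

# Constructed sample built from the Failed Attempts lines quoted in the post (the poster's
# "----> Correct / Wrong" annotations removed). The last column is the author data and
# contains its own comma ("66.xx.xx.xx,80"), so a plain split(",") would shift the fields.
FAILED_ATTEMPTS = """\
27/04/2010,10:11:35,Author failed,user1,Group1,10.1.50.21,,Command denied,service=shell cmd=http 66.xx.xx.xx,80
27/04/2010,10:11:36,Author failed,user1,Group1,10.1.50.21,,Service denied,service=shell cmd=http 66.xx.xx.xx,80
27/04/2010,10:12:10,Author failed,User2,Group2,10.1.50.22,,Service denied,service=shell cmd=https 213.xx.xx.xx,443
27/04/2010,10:12:32,Author failed,User3,Group3,10.1.50.24,,Service denied,service=shell cmd=https 212.xx.xx.xx,443
"""

# Column names for the fixed leading fields are an assumption for this example; only the
# positions of the failure code and the trailing author data matter here.
LEADING_COLUMNS = ["date", "time", "message_type", "user", "group",
                   "caller_id", "nap", "failure_code"]


def parse_failed_attempts(text):
    """Split each record into the leading columns plus one 'author_data' tail."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(",", len(LEADING_COLUMNS))      # maxsplit keeps the tail intact
        rec = dict(zip(LEADING_COLUMNS, parts))
        rec["author_data"] = parts[len(LEADING_COLUMNS)] if len(parts) > len(LEADING_COLUMNS) else ""
        records.append(rec)
    return records


def classify(rec):
    """'policy': ACS evaluated the command set and refused the command (expected behaviour).
    'fault': the shell service itself was refused, the state the post ties to the CSTacacs
    log line "using an invalid service: shell" and clears by restarting the service."""
    if rec["failure_code"] == "Command denied":
        return "policy"
    if rec["failure_code"] == "Service denied" and rec["author_data"].startswith("service=shell"):
        return "fault"
    return "other"


def triage(text):
    """Count verdict types and raise an alert when shell authorization is being refused at
    the service level, so an operator restarts CSTacacs instead of hunting for a command-set
    mistake. The 'policy' count shows the set was still being evaluated moments before."""
    recs = parse_failed_attempts(text)
    verdicts = [classify(r) for r in recs]
    faults = [r for r in recs if classify(r) == "fault"]
    return {
        "counts": dict(Counter(verdicts)),
        "alert": bool(faults),
        "affected_users": sorted({r["user"] for r in faults}),
        "first_fault_at": f'{faults[0]["date"]} {faults[0]["time"]}' if faults else None,
    }


if __name__ == "__main__":
    result = triage(FAILED_ATTEMPTS)
    print(result)
    if result["alert"]:
        print("Shell authorization failing at the service level; check/restart CSTacacs.")
```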


  • RPE-00249 when running a shell cmd

    Getting error RPE-02249: Control Center property Shell.security_constraint has invalid value NATIVE_JAVA when running a shell cmd. The value set in the Runtime.properties file is NATIVE_JAVA.
    Cannot find anything about this error. Any help would be greatly appreciated.
    Guido

    I already have the properties set as NATIVE_JAVA and restarted the service. My problem is that when running a workflow that has a user defined step in it to call a shell script, I get error 02249 (not 02248).
    Does the Workflow user need to be set up as an OS users perhaps?

  • ACS 4.2 services not working

    The server is running Windows 2003 SP2 and due to some issue it got rebooted. After the reboot all services stopped working.
    CSAdmin, CSMon and CSRadius hung in the Starting state and CSLog in the Stopping state. When I changed the startup type to manual and started these services
    I got "Could not start the CSAdmin service on Local computer. Error 1053 The service did not respond to the start or control request in a timely fashion".
    For the CSLog service it gives the error message "The CSLog service on Local Computer started and then stopped. Some service stop automatically if they have
    no work to do, for example, the Performance Logs and Alerts service."
    In the eventviewer it shows "The description for Event ID ( 1 ) in Source ( CiscoAAA ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: CSAdmin, Can not initialize SchemeLayer, 74."
    With the automatic startup type, the event viewer shows the error below.
    "The description for Event ID ( 1 ) in Source ( acs ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: *** ERROR *** Assertion failed: 103401 (9.0.0.1271)
    Unable to open file (C:\Program Files\CiscoSecure ACS v4.2\CSDB\acs.db) which previously opened successfully; error = 32.The description for Event ID ( 1 ) in Source ( acs ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: *** ERROR *** Assertion failed: 103401 (9.0.0.1271)
    Unable to open file (C:\Program Files\CiscoSecure ACS v4.2\CSDB\acs.db) which previously opened successfully; error = 32."
    Please help me to fix this.
    Thanks

    Since we had no access to the ACS Windows server, we tried to take a backup from csutil but it gave a schemalayer error message. As we have stopped AV, deleted log files from the directory, killed the stuck services from the task manager and restarted the server, if it is still not allowing you to restart the services, most likely you need to take a backup, uninstall the ACS server and reinstall the same version of ACS followed by a restore.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • CS ACS 4.2 services stopped and can't be restarted

    Hi all,
    After the ESX server on which the CS ACS server runs crashed, the following services have stopped and can't be restarted: CSLog, CSDbSync, and CSAuth. I have tried manual and auto start, but neither works.
    Has anyone run into this before, and if so what was the fix? Do I need to reinstall the ACS software?
    Thanks,
    Jean Paul

    The easiest way to proceed would be to take a backup of the ACS, reinstall ACS and reload the backup. If not, check the event viewer to see if there is any error message generated when starting the services.

  • Services, shell scripts and errors

    Unix question here:
    I am playing around with the new services feature of SL. Great stuff. Generally I am writing little one line scripts to do minor operations (like touch, for example). However, when there is an error in the script, the service craps out with an error dialog. I'd like to ignore the error & continue on. I've tried redirecting stderr to /dev/null, but it doesn't seem to work. Here is an example of a script that will fail the second time it is run over a set of files:
    for i in *; do xattr -d com.apple.quarantine "$i"; done
    Does anyone know of a way to get the service system to ignore any errors that the script may encounter?

    the standard unix way works for me. I'm not sure what problems you guys are having.
    This text can be pasted into the Script Editor:
    for f in "$@"
    do
        xattr -d com.apple.quarantine "$f" >/dev/null 2>&1 &
    done

  • ACS Configuration Web Services: query problem

    I don't know if this is the correct place to ask, I couldn't find a specific ACS category.
    I am trying to do a query, according to chapter 4 in the ACS 5.3 Secure Access Control System 5.3
    My URL is:
    https://myurl/Rest/Identity/IdentityGroup/op/query
    doing a PUT request
    have a header of Content-Type: application/xml
    and my payload is:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <ns2:query xmlns:ns2="query.rest.mgmt.acs.nm.cisco.com">
        <criteria xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:SimpleFilter">
            <simpleFilter>
                <propertyName>identityGroup</propertyName>
                <operation>EQUALS</operation>
                <value>AllGroups:Migrated_Group:NetworkEngineer</value>
            </simpleFilter>
        </criteria>
        <numberofItemsInPage>100</numberofItemsInPage>
        <startPageNumber>1</startPageNumber>
    </ns2:query>
    I get back:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?><ns2:restResult xmlns:ns2="common.rest.mgmt.acs.nm.cisco.com"><errorCode>61000</errorCode><httpCode>400</httpCode><moreErrInfo>XML Parsing Error:  Unable to create an instance of com.cisco.nm.acs.mgmt.rest.query.AbstractFilter. </moreErrInfo><operationType>NOT_AVAILABLE</operationType><resourceType>NOT_AVAILABLE</resourceType><status>BAD_REQUEST</status></ns2:restResult>
    and a 400 Bad Request.
    Can you tell me what I am doing wrong?
    All I want to do is get a list of users who belong to that group?
    Jerry

    I learned that a simple filter does not need the ... bracketing, so this would work:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <ns2:query xmlns:ns2="query.rest.mgmt.acs.nm.cisco.com">
        <criteria xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:SimpleFilter">
            <propertyName>identityGroup</propertyName>
            <operation>EQUALS</operation>
            <value>AllGroups:Migrated_Group:NetworkEngineer</value>
        </criteria>
        <numberofItemsInPage>100</numberofItemsInPage>
        <startPageNumber>1</startPageNumber>
    </ns2:query>

  • ACS Shell Cmds stopped working

    I have a group in ACS that has limited level 15 access to NDGs. Under Unmatched Commands I have "configure", with "permit terminal" under unmatched args. This has been working fine for months.
    A week ago, this command stopped working. I've tried removing and re-adding the command but no luck.
    Any ideas??
    This is ACS 3.3(4) on Windows platform.

    What does the Failed Attempts log say? You may also want to run "debug aaa author" and "debug tacacs author" and see what is sent to and returned from ACS.

  • Shell Cmd Auth Set allows too much

    I set up a Shell Command Authorization Set. I want to give someone access to enter "configure terminal" and any "mac-address-table static *" commands.
    Unmatched commands: Deny
    configure -> permit terminal
    mac-address-table -> permit static
    I built a group and assigned this shell command authorization set to it, level 15, etc.
    Now when I create a test user, I can enter "configure terminal" and any other command it seems. "router ospf 21", "interface vlan 101", etc. are all ALLOWED even though I haven't listed them in my command authorization set.
    Any idea what I'm missing? Thank you for any responses.
    ---John Holmes...

    Yes, it is absolutely possible. Like this:
    user = test {
        member = limited
        login = des xxxxxxx
        name = "ccie security"
    }
    group = limited {
        default service = deny
        cmd = show {
            permit "arp .*"
            permit "cam .*"
            deny .*
        }
    }
    not sure how cisco does it in ACS but in freeware TACACS+, that's how I do it.

  • Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets

    Hello All,
    I am trying to create a user so that I can provide him only to run commands that I have designated them to run within my "Shell Command Authorization Set". This seems to work great, however I cannot find anywhere I can "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option to only display commands the user has access to in ACS.
    My Steps:
    Created a user in ACS
    Shared Profile Components
    Create Shell Command Authorization Set - "ReadOnly"
    Unmatched Commands - Deny
    Unchecked - Permit Unmatched Arg
    Commands Added
    permit interface
    permit vlan
    permit snmp contact
    permit power inline
    permit version
    permit switch
    permit controllers utilization
    permit env all
    permit snmp location
    permit ip http server status
    permit logging
    Created a group - "GroupTest" with the following
    Configured - Network Access Restrictions (NAR)
    Max Sessions - Unlimited
    Enable Options - No Enable Privilege
    TACACS+ Settings
    Shell (exec)
    Privilege level is checked with 1 as the assigned level
    Shell Command Authorization Set
    "ReadOnly" - Assign a Shell Command Authorization Set for any network device
    I have configured following on my Router/Switch
    aaa authorization config-commands
    aaa authorization commands 1 default group tacacs+ if-authenticated
    privilege exec level 1 show log
    I have attached below the documentation I have gone over.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624

    "you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
    Correct me if I am wrong."
    Regards
    Vamsi

  • Shell cmd to take selected text as stdin

    I'm trying to find a utility that I can use on a shell command line to
    take selected text in any CDE/Solaris as stdin and just copy to stdout. What API can I use if I write this in java?
    Any easier way to pipe selected window text into a program (e.g. lp)?
    There used to be a get_selection command in Sun4, but it doesn't work in Sun5.
    -willy
    get_selection | lp

    Ok, let me try this again.
    I have a CDE windowing system running. On one of the windows, I simply select
    text. It could be a shell window, a textedit window or whatever.
    The old sun4 get_selection solution did not require pasting into the clipboard.
    If I use cat in the way the responder suggests, then I need to copy and paste into the shell window as input to cat filling up the shell window unnecessarily. The window buffer may be limited which could cause overflow of desired lines.
    Simply by selecting the text (which is now highlighted), get_selection would use that text as its stdin so I can pipe it to any other program such as lp or save it in a file, e.g. get_selection > file.txt or get_selection | lp.
    Having to juggle a temporary file is extra steps.
    This is so basic, I am surprised it is missing from the current Sun offerings.
    Also I tried to find the best forum for user interface questions and to my surprise, there were none I could find. This forum was my best guess. Any other forum suggestions for this kind of question?
    I didn't have the source for get_selection and it doesn't work in solaris 7.
    I also searched for the API to access the selected text (the same text that 'copy' operates on), but couldn't locate it for use in my own program.
    thanks for the responses so far.

  • Denying sub-commands

    Background: I am running the SRA4 image on my 7613 router. The router crashes when I give the command "no interface tunnelx".
    Solution required:
    I need to deny a specific command on my router from config mode: "no interface Tunnel xyz". How can I achieve this? The user should have privilege to execute "no interface vlan", "no interface G1/0.1", etc. I tried doing this but ACS 4.0 is not looking at the sub-command; for example if I deny "no interface tunnel" in the Shell command set, ACS looks for only two keywords, in this case "no" and "interface"... HELP REQUESTED.

    Hi,
    One thing that I would like to point out, looking at the screenshot, is that the commands are case sensitive and they need to be defined exactly the way they are available.
    But that does not mean that while executing those commands you need to type them case sensitively. During execution you can type the command normally.
    Taking as example, the doc that you provided, as you can see that you typed command,
    no int tu131
    and in ACS logs you got following,
    service=shell cmd=no interface Tunnel 131
    which means that you need to create your shell command authorization as,
    no------deny interface Tunnel
    rather than,
    no------deny interface tunnel
    "no------deny interface Tunnel" works in most of the cases; we need not specify the complete syntax. But if it's not working, you can go to more granularity.
    About your question, from the attached screen shot, you have following option checked,
    "Unmatched Commands : (*) Permit"
    This means, where ever you apply this shell command set. *All* the commands will be *allowed*, except from those that you deny.
    And it seems that you are being denied both tunnel and interface on the router; the only reason that I can think of for this is that the shell command authorization set you have defined is only valid till,
    no-----deny interface
    "tunnel" is not correct, it should be "Tunnel"
    or to be more precise,
    no-----deny interface Tunnel [0-9][0-9][0-9]
    considering that you can create 999 tunnels, so the above wildcard will cover tunnels 0-999.
    Let me know if this helps.
    Regards,
    Prem
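
The matching rules Prem describes here (case-sensitive keywords, the NAS sending the fully expanded command, argument patterns as regular expressions) also explain the "Shell Cmd Auth Set allows too much" thread above. As an added Python model, not code from ACS or from any poster, the block below evaluates constructed command authorization sets built from both threads; the rule structure, the start-anchored regex matching of arguments and the IOS gate on `aaa authorization config-commands` are assumptions made to illustrate the behaviour.

```python
import re
from dataclasses import dataclass, field

# Constructed model of an ACS "Shell Command Authorization Set" (an assumption made for
# this example, not Cisco's code): an Unmatched Commands policy and, per command keyword,
# an ordered list of (action, argument-regex) rules plus a "Permit Unmatched Args" switch.


@dataclass
class CommandRule:
    arg_rules: list = field(default_factory=list)   # [("permit" | "deny", regex), ...]
    permit_unmatched_args: bool = False


@dataclass
class CommandAuthSet:
    unmatched_commands: str                         # "permit" or "deny"
    commands: dict = field(default_factory=dict)    # keyword -> CommandRule

    def evaluate(self, cmd, cmd_args):
        """Decide one request of the form service=shell cmd=<cmd> cmd-arg=<cmd_args>."""
        rule = self.commands.get(cmd)               # keyword lookup is case sensitive
        if rule is None:
            return self.unmatched_commands
        for action, pattern in rule.arg_rules:
            # Patterns are treated as regexes anchored at the start of the argument string,
            # so "interface Tunnel" also covers "interface Tunnel 131" (assumed behaviour).
            if re.match(pattern, cmd_args):
                return action
        return "permit" if rule.permit_unmatched_args else "deny"


def nas_authorize(auth_set, command_line, config_commands_authorized=True, in_config_mode=False):
    """Model the IOS side: the NAS sends fully expanded keywords (the thread shows
    'no int tu131' arriving as 'cmd=no interface Tunnel 131'), and it only asks the server
    about configuration-mode commands when 'aaa authorization config-commands' is configured."""
    if in_config_mode and not config_commands_authorized:
        return "permit (not sent to ACS)"
    keyword, _, rest = command_line.partition(" ")
    return auth_set.evaluate(keyword, rest)


# The set from the "allows too much" post: anything not listed is denied.
JOHN_SET = CommandAuthSet("deny", {
    "configure": CommandRule([("permit", r"terminal")]),
    "mac-address-table": CommandRule([("permit", r"static")]),
})

# Prem's suggestion: permit everything except removing a three-digit tunnel interface.
PREM_SET = CommandAuthSet("permit", {
    "no": CommandRule([("deny", r"interface Tunnel [0-9][0-9][0-9]")], permit_unmatched_args=True),
})

# The same intent written with lowercase "tunnel" never matches what the NAS actually sends.
LOWERCASE_SET = CommandAuthSet("permit", {
    "no": CommandRule([("deny", r"interface tunnel")], permit_unmatched_args=True),
})

if __name__ == "__main__":
    for line in ("configure terminal", "mac-address-table static 0011.2233.4455 vlan 1", "router ospf 21"):
        print(f"{line:50} -> {nas_authorize(JOHN_SET, line)}")
    # Without 'aaa authorization config-commands' the config-mode command is never sent to ACS,
    # which is why the poster saw "router ospf 21" go through despite Unmatched Commands = Deny.
    print(nas_authorize(JOHN_SET, "router ospf 21", config_commands_authorized=False, in_config_mode=True))
    for line in ("no interface Tunnel 131", "no interface Vlan 10", "no interface Tunnel 1"):
        print(f"{line:50} -> {nas_authorize(PREM_SET, line)}")  # Tunnel 1 slips through: 3 digits only
    print(nas_authorize(LOWERCASE_SET, "no interface Tunnel 131"))  # permit: case mismatch
```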

  • Legacy Profile on ACS Unix migrate to ACS 4.2 windows using TACACS+ av-pair

    Hello
    I'm migrating from ACS Unix 2.x to ACS 4.2 Windows;
    we only use the TACACS+ protocol.
    ACS Unix managed the profile like this:
    group LANadmins {
        service=shell {
            cmd=interface {
                permit "Ethernet *"
                deny "Serial *"
            }
            cmd=aaa {
                deny ".*"
            }
            cmd=tacacs-server {
                deny ".*"
            }
            default cmd=permit
        }
    }
    and so on.
    So, I'm guessing that the above syntax is similar to TACACS+ av-pairs,
    and I found the TACACS+ av-pairs list, but I couldn't find any examples;
    only the list is shown, with no examples.
    Can anybody help me?
    Thanks

    I've been researching the differences between 4.2 and 5.4. There is a fundamental difference between the two. In my research, I have not found anything where Cisco indicates that log files can be imported. Because ACS 5.4 has its own robust logging and database viewing tools, I'm leaning towards no. But I cannot give a definitive answer on this, sorry. Just know that I've read for several hours and have not seen anything that talks about importing logging files. You can import users, MAC addresses, etc. This may be something someone knows and will post eventually; you probably need to call "The Cisco" to get a quicker answer.

  • Aaa authorization bypass

    Is there a command that will bypass the aaa authorization for a particular host? I would like to use something like the aaa mac-exempt command, but have it only exempt the authorization part. Background: I have a firewall management station that pushes out policies (configs) with over 2000 commands, and if I were to do this to, say, 500 firewalls... I could have thousands of authorization statements to authorize. I would like to do proper aaa authentication against this mgmt server, but have the NAS ignore the authorization part.

    I would agree, would be nice to have aaa statement to ignore aaa authorization from a specific mac/ip/or something like that, but not to ignore the aaa authentication. I have some firewall configurations with over 3000 lines, so when I do a firewall config change my policy server has to re-write all those lines of code... and that means 3000 aaa authorization requests/responses. Here are configs... We use unix version of tacacs+. Thank you for any assistance.
    ============================================
    (PIX 7.x configuration)
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (outside) host x.x.x.x
    key xxxxx
    server-port xxxx
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication serial console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authorization command TACACS+ LOCAL
    ========================================
    (TACACS+ configuration)
    group = FULLPRIV {
        default service = permit
        service = shell {
            cmd=enable {
                permit .*
            }
        }
        enable = ldap
    }

  • J2EE does not start anymore : shell service error

    Our J2EE 640 SP16 doesn't come up anymore.
    In std.dispatcher.out we see this:
    "Service security started. (5 ms).
    service shell ================= ERROR =================
    Cannot start service telnet; it has hard reference to service shell which is not started.
    Service jmx started. (765 ms).
    Timed out services:
    Service p4 > service p4 start method invoked.
    Service tc.monitoring.logviewer > hard reference to service p4.
    Service adminadapter > hard reference to service
    All the further services are not started.
    In std.server.out we see a lot of services in timeout.
    In the end neither the Dispatcher nor the Server comes up.
    What's the reason?
    regards

    Hello Mauro,
    Check /usr/sap/<SID>/<InstanceID>/j2ee/cluster/dispatcher/log/defaultTraces.<ID>.trc and /usr/sap/<SID>/<InstanceID>/j2ee/cluster/server0/log/defaultTraces.<ID>.trc
    Best Regards
    Vyara
