ACS 5.3 Shell Command Set
Hi all,
Currently i deploy a ACS 5.3 at customer site. The issue i face currently is some command sets no able to deny. Example like below:
i want to deny the AD user with priviledge level 15 to change the enable secret password and delete the enable secret password.
the command i issue at below:
deny enable secret -> working
deny no enable secret -> no working
Anyone got idea to make the no working argument become working?
Hi there,
I just did a test in my ACS using your requirements and it worked fine, check below my configuration it may help you:
I am using the following AAA commands:
Switch(config)#do sh run | i aaa
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa session-id common
Switch(config)#
Rate if it helps!
Similar Messages
-
ACS matching too much on shell command sets
I have a problem with ACS, I only want to give users access to gig1/0/1 but ACS matches 1/0/10, 1/0/11, 1/0/12...1/0/19 in my command set (the statement is set to permit GigabitEthernet 1/0/1). How do I tell it to match only 1/0/1 and nothing else?
Thanks!!interface--------permit GigabitEthernet [1] [0] [1]
Or
interface--------permit GigabitEthernet [1][0][1]
Regards,
Prem
Please rate if it helps! -
Acs 5.2 shell authorization sets
Can someone point me to a guide on how to configure shell auth sets in 5.2
I have done it in 4.2 but can't seem to get it working in new version
Requirement is to just allow shut / no shut command but as soon as I give access to config terminal the user gets all access
Narayan
Sent from Cisco Technical Support iPhone AppHi,
Please do the following:
Policy elements > Command Sets > Create
Give a name
Enter the grant condition , commands and arguments
Click on ADD
Click on Submit
Click on Access-policy > Device Default Access > Authorization > Customize
Customized results > Available:Select Command set > Move to selected
ok.
Select the rule to apply TACACS authorization on the default device admin authorization page.
In the results of the shell profile Command set . Click on Select and select the command set you created.
Click on Ok.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts. -
ACS 4.1- shell command works under user but not group
Hi,
This question might actually belong under tacacs server but it's only happening with the ACE. I've configured tacacs on the 4710 and configured the tacacs server per the documentation. If I enter the shell:<context>*Admin default-domain under the group settings when I login with my tacacs ID my role is set to Network-Monitor. If I set the shell in my specific tacacs ID I'm assigned the correct role as Admin. We're running ACS ver 4.1 and the ACE is A4(1.1)
ThanksFor the tacacs settings under the user settings make sure you select the radio button for "Use Group Level Setting" rather than just removing the av-pair.
Thanks,
Tarik -
ACS shell command authorization help
Hello,
I wanted to only allow users to use interface command. But when I permit config terminal in ACS shell command set, all the commands are allowed. How can I limited the users to only have the permission for interfacce command?
ThanksTwo things could be wrong
1) You don't have the following command on your AAA Client:
aaa authorization config-commands
2) You have clicked the 'Unmatched Commands' = Permit radio option in ACS, have a look at:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
Regards
Farrukh -
Wildcard mask in Shell Command Authorization Set?
Under Shared Profile Components/Shell Command Authorization Sets in ACS, is it possible to enter a wildcard for further arguments.
For example, say you want to permit show cam [+ all arguments], is it possible to configure show, then 'permit cam *' as the argument?
ThanksSure. Just tested this on my ACS 3.2 server with the following config:
AAA client:
aaa new-model
aaa authentication login default tacacs
aaa authorization commands 1 default group tacacs
ACS Shell Command Set:
Unmatched Commands = Deny
Command = show
Permit unmatched args = no
args = permit ip *
This then allows me to do "sho ip int brief" and "sho ip http server all" to name a couple, but doesn't allow me to do "sho ver".
Hope that helps. -
Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets
Hello All,
I am trying to create a user so that I can provide him only to run commands that I have designated them to run within my "Shell Command Authorization Set". This seems to work great, however I cannot find anywhere I can "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option to only display commands the user has access to in ACS.
My Steps:
Created a user in ACS
Shared Profile Components
Create Shell command Autorization Set - "ReadOnly"
Unmatched Commands - Deny
Unchecked - Permit Unmatched Arg
Commands Added
permit interface
permit vlan
permit snmp contact
permit power inline
permit version
permit switch
permit controllers utilization
permit env all
permit snmp location
permit ip http server status
permit logging
Created a group - "GroupTest" with the following
Confirgured - Network Access Restrictions (NAR)
Max Sessions - Unlimited
Enable Options - No Enable Privilege
TACACS+ Settings
Shell (exec)
Priviledge level is check with 1 as the assigned level
Shell Command Authorization Set
"ReadOnly" - Assign a Shell Command Authorization Set for any network device
I have configured following on my Router/Switch
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ if-authenticated
privilege exec level 1 show log
I have attached below the documention I have gone over.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624"you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
Correct me if I am wrong."
Regards
Vamsi -
ACS - Shell Command Authorization Sets
Hi,
I have had a problem where a set of users in two groups in ACS are struggling entering commands. The commands are set in the Shell Command Authorization Sets and this hasnt changed. Other commands are working. As this is spanning two groups in ACS I am thinking it's not something with the groups but the command sets itself.
Just to check, the commands are 'clear port-security' and clear mac address-table' - I have entered in Command 'clear' and the following attributes;
permit port-security
permit mac address-table'
I've also ticked 'Permit unmatched args'
At the same time as this is occuring I have been recieving the following messages from the ACS server via email;
Test Timed out for service: CSAdmin
Test Timed out for service: CSAuth
Test Timed out for service: CSDbSync
Test Timed out for service: CSLog
I have looked at other posts and have restarted CSMon. This then stops the messages for some time, then a day or so later I get the messages again.
Could this be tied in with the command issue? Is there something else I should look at other than restarting the server and the CSMon service again? All other CS' services are running.
Thanks!!
SteveThanks for your reply!
there are no errors, the switch ios is putting the asterics as it does when you enter a command that is not recognised, i.e. for clear port-security the port-security onwards is not recognised. On this note, the user is entered into priviledge mode and not in configure terminal mode, just base priviledge mode. The group in ACS is set to max priviledge level 7 and have also set this on the user account in addition.
I am using ACS v 4.1.
While I receive the service messages and also when they go away - I always have the authorisation problem.
Thanks
Steve -
Shell profile without a Command Set in ACS 5.1 - TACACS
Hi all,
I have created a shell profile with a default Privilege level of 15, I am able to successfully call this via an Access Service Rule. The issue I have however is that depite having the # symbol after I log in, the switch will only allow me to perform priv 15 level commands if I also bind an 'Allow All' command set to the results in the access service rule.
Is this how it should work or should the shell profile alone with the priv 15 setting be enough? Am I missing something?
The reason I ask is that in ACS 4.2 I would just set the tick Shell (exec) and set the Priv level to 15 in the appropriate group and would be good.
Thanks in advance
RhodriFYI
The issue here was the use of the 'aaa authorization commands' command.
If I don't use these commands, then I only need the shell profile as no command authorization takes place post authentication.
If using these commands, then you must also bind a command set to the results of the rule as the NAD will query the AAA server for each command.
If I want to permit all commands for a certain priv level, I use a 'permit all commands' command set which will then allow all commands within a specific priv level.
Here's an example NAD config:
aaa group server tacacs+
server 10.10.10.10
aaa authentication login default local
aaa authentication login Primary group local
aaa authentication login Secondary local
aaa authorization config-commands
aaa authorization exec default group if-authenticated
aaa authorization commands 0 default group if-authenticated
aaa authorization commands 1 default group if-authenticated
aaa authorization commands 3 default group if-authenticated
aaa authorization commands 15 default group if-authenticated
aaa accounting exec default start-stop group
aaa accounting commands 0 default start-stop group
aaa accounting commands 1 default start-stop group
aaa accounting commands 3 default start-stop group
aaa accounting commands 15 default start-stop group
line con 0
login authentication Secondary
line vty 0 4
login authentication Primary
Hope this helps someone -
ACS Shell Command Authorization Set + restricted Access
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
Hi ,
I have tried to Create a restricted Access Shell Command Authorization Set on ACS as told on the Cisco Url
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
After I applied the same on a User Group I found the users on the group have complete access after typing the conf t on the equipments . My ultimate aim was restrict the access only at Interface level , Attached is the config details . Could anyone has come across such scenario . Please check my config and let me know any thing need to be done specially from My Side
Thanks in Advance
Regards
Vineeth/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
Hi Jatin ,
first of all Thank you very much . It startted working after aaa authorization config-commands
here I was trying to achive one specfic thing .
I want to stop the following commands on ACS “switchport trunk allowed vlan 103” . I only want allow “add” after “vlan” and block rest all arguments
But even after setting the filter on ACS Still we are able to execute the command is there anything like we cannot control the commands after the sub commands
Also I am attaching the filter list along with this. Could you have look on this and let me know whether I have configured something wrongly. Other than this is there any work around is available to achieve this .
Thanks and Regards
Vineeth -
ACS 4.0, only 1 Shell Command auth. set possible
Hi all,
I am wondering if this is a "hidden feature" of the evaluation software or a bug...
I am currently running Cisco Acs server v.4.0 (evaluatie version) Win2k3 platform; with authentication, authorization and accouting.
In a nutshell I have the following setup:
- group1 uses: Shell Command Authorization Set1
- group2 uses: Shell Command Authorization Set2
Problem: Users in group2 are somehow authorized against the commands listed in Shell Auth. Comm. set1 instead of the configured Shell Auth. Comm. set2
Is it possible that with the evaluation software only one Shell Command Authorization Set is allowed to be active? Does anyone know?
Many thx
SanderProblem resolved by renaming authorization sets and reloading ACS......
thx Sander -
Show config not working in ACS "Shell Command Auth set"
To allow an AAA user access to the "show config" command I have created them an account in ACS and assigned the relevant "Shell Auth Set" but it still does not permit them to use it?, I read that this may not be the command that the switch sends the ACS server. Anyone have any ideas (switch is configured with all AAA commands)
Hi,
I am expecting that rest of the shell command authorization configuration is good on the ACS and device. We need to add command show along with the argument in command authorization set. I have attached a sample configuration for reference.
Please verify the configuration of ACS and device before making any changes from keeping your self locked on the device.
ACS Shell Command Authorization Sets on IOS and ASA/PIX/FWSM Configuration Example:-
http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml -
AAA with CatOS and ACS (shell command autorization set)
Hi,
I have an ACS that authenticates and authorizes IOS devices.
I use "shell command autorization set" to authorize some commands for some groups.
Is it possible to do so with CatOS?
For example, I'd like that the groupe FULL can access all command and the group LOW can onmy access "sho" commands?
Regards,
ROMSConsole> (enable) set tacacs server [IP] [primary]
set tacacs key [key]
set tacacs attempts [number] (optional)
set localuser user [user] password [password] privilege 15
set authentication login local enable
set authentication login tacacs enable [all | console | http | telnet] [primary]
set authorization exec enable tacacs+ [deny | none] [console | telnet | both]
set authorization commands enable [config | all] tacacs+ [deny | none] [console |telnet | both]
regards,
~JG -
ACS Shell Command Authorizations Set
I have Cisco ACS Server V4.0
In the shell Command Authorization Set I configure a restrict Access.
In the privilege mode the restriction of the commands works good, but when I enter in the config prompt the restriction don't works. In this promt I can enter all commands.
Why This?I have the same error with ACS Server 4.2. I can restrict in privilege mode but global config is wide open. Also any command i block in privilege mode can still be executed in global config using the "do" command. How do i block that, or find out what commands the router is sending to the ACS.
-
Shell Command Authorization Sets ACS
hi i followed this guide step by step http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
but still all my user can use all the commands
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R3
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login milista group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common
memory-size iomem 5
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
multilink bundle-name authenticated
username admin privilege 15 secret 5 $1$CS17$3oeNpzTvJAyZTvOUP2qyB1
archive
log config
hidekeys
interface FastEthernet0/0
ip address 192.168.20.1 255.255.255.0
duplex auto
speed auto
interface Serial0/0
no ip address
shutdown
clock rate 2000000
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface Serial0/1
ip address 20.20.20.2 255.255.255.252
clock rate 2000000
interface Serial0/2
no ip address
shutdown
clock rate 2000000
interface Serial0/3
no ip address
shutdown
clock rate 2000000
router eigrp 1
network 20.0.0.0
network 192.168.20.0
no auto-summary
ip forward-protocol nd
no ip http server
no ip http secure-server
tacacs-server host 192.168.20.2 key cisco
control-plane
line con 0
exec-timeout 0 0
logging synchronous
login authentication milista
line aux 0
line vty 0 4
end
i copy the authorization commands from the cisco forum and follow the steps but no thing all my users have full access to all commands
heres my share profile
name-------------admin jr
Description---------for jr admin
unmatched commands------- ()permit (x)deny
permint unmatched args()
enable
show -------------------------- permit version<cr>
permit runnig-config<cr>
then i add this profifle to group 2 and then i add my user to the group 2
then i log in to the router enter with the user and i still can use ALL the commands i dont know what i am doign bad any idea?
can you give me if you can a guide to setup authorization with ACS i cant find any good guide jeremy from CBT gives a example but just for authentication i am lost i am battling with this prblem since wednesday without luck"you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
Correct me if I am wrong."
Regards
Vamsi
Maybe you are looking for
-
I need help! I have moved my music to my new computer and now...
My music won't play. ITunes tells me that it can't find the music and opens a window to seach, when I take it to the music folder, it then plays the music. How can I do this for all of my music instead of one by one? Help, desperate and tired! Messag
-
Will speakers, charging docks, etc that are compatible with the iphone 3g
also work with the touch 2g?
-
Screen layout for Customer group
Is there any way we can define a screen layout for a particular customer group(having particular fields mandatory and remaining optional). Any help will be appreciated. Thanks, ALAM.
-
Hello! I have a simple question about the sapmake utility. I have used to create an SCA from various archives and am familiar with its workings. What I want to know is that is it possible to create an SCA from an EAR file. I have created an SCA from
-
Dear All, Till what levels we can create the WBS (I mean what is the maximum lowest level (count) we can create WBS and which systems supports). Both in Financial Structure and Work plan Structure. Thanks in advance.