ACS 5.3 Shell Command Set

Hi all,
Currently I am deploying an ACS 5.3 at a customer site. The issue I currently face is that some command sets are not able to deny. Example like below:
I want to deny the AD user with privilege level 15 the ability to change the enable secret password and delete the enable secret password.
The commands I issued are below:
deny enable secret -> working
deny no enable secret -> not working
Anyone got an idea how to make the non-working argument work?

Hi there,
I just did a test in my ACS using your requirements and it worked fine; check my configuration below, it may help you:
I am using the following AAA commands:
Switch(config)#do sh run | i aaa
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa session-id common
Switch(config)#
Rate if it helps!

Similar Messages

  • ACS matching too much on shell command sets

    I have a problem with ACS. I only want to give users access to gig1/0/1, but ACS matches 1/0/10, 1/0/11, 1/0/12...1/0/19 in my command set (the statement is set to permit GigabitEthernet 1/0/1). How do I tell it to match only 1/0/1 and nothing else?
    Thanks!!

    interface--------permit GigabitEthernet [1] [0] [1]
    Or
    interface--------permit GigabitEthernet [1][0][1]
    Regards,
    Prem
    Please rate if it helps!

  • Acs 5.2 shell authorization sets

    Can someone point me to a guide on how to configure shell auth sets in 5.2?
    I have done it in 4.2 but can't seem to get it working in the new version.
    The requirement is to just allow the shut / no shut commands, but as soon as I give access to config terminal the user gets all access.
    Narayan
    Sent from Cisco Technical Support iPhone App

    Hi,
    Please do the following:
    Policy elements > Command Sets > Create
    Give a name
    Enter the grant condition, commands and arguments
    Click on ADD
    Click on Submit
    Click on Access-policy > Device Default Access > Authorization > Customize
    Customized results > Available:Select Command set > Move to selected
    Click OK.
    Select the rule to apply TACACS authorization on the default device admin authorization page.
    In the results, for the Shell Profile / Command Set, click on Select and select the command set you created.
    Click on OK.
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

  • ACS 4.1- shell command works under user but not group

    Hi,
    This question might actually belong under the tacacs server, but it's only happening with the ACE. I've configured tacacs on the 4710 and configured the tacacs server per the documentation. If I enter the shell:<context>*Admin default-domain under the group settings, when I log in with my tacacs ID my role is set to Network-Monitor. If I set the shell in my specific tacacs ID, I'm assigned the correct role of Admin. We're running ACS ver 4.1 and the ACE is A4(1.1).
    Thanks

    For the tacacs settings under the user settings make sure you select the radio button for "Use Group Level Setting" rather than just removing the av-pair.
    Thanks,
    Tarik

  • ACS shell command authorization help

    Hello,
    I wanted to only allow users to use the interface command. But when I permit config terminal in the ACS shell command set, all the commands are allowed. How can I limit the users to only have permission for the interface command?
    Thanks

    Two things could be wrong:
    1) You don't have the following command on your AAA Client:
    aaa authorization config-commands
    2) You have clicked the 'Unmatched Commands' = Permit radio option in ACS, have a look at:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    Regards
    Farrukh

  • Wildcard mask in Shell Command Authorization Set?

    Under Shared Profile Components/Shell Command Authorization Sets in ACS, is it possible to enter a wildcard for further arguments?
    For example, say you want to permit show cam [+ all arguments]; is it possible to configure show, then 'permit cam *' as the argument?
    Thanks

    Sure. Just tested this on my ACS 3.2 server with the following config:
    AAA client:
    aaa new-model
    aaa authentication login default tacacs
    aaa authorization commands 1 default group tacacs
    ACS Shell Command Set:
    Unmatched Commands = Deny
    Command = show
    Permit unmatched args = no
    args = permit ip *
    This then allows me to do "sho ip int brief" and "sho ip http server all" to name a couple, but doesn't allow me to do "sho ver".
    Hope that helps.
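An added illustration (not code from any post here, and not ACS's own implementation) of the two argument-matching behaviours described in the "ACS matching too much" and "Wildcard mask" threads above: why "permit ip *" lets "sho ip int brief" through but not "sho ver", and why "permit GigabitEthernet 1/0/1" also passes 1/0/10 through 1/0/19. It assumes argument rules are evaluated as unanchored, case-insensitive regular expressions (the simplest model that reproduces both threads); the CommandSet and CommandRule classes and over_matched_ports are constructed for this example.

```python
"""Toy evaluator for an ACS-style shell command authorization set.

Assumption (not verified against a real ACS): argument rules are
unanchored, case-insensitive regular expressions, evaluated in order.
Abbreviated commands ("sho") are matched by prefix, a simplification of
the NAD expanding the command before it asks the TACACS+ server.
"""
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """One command entry: the command keyword plus its argument rules."""
    command: str
    arg_rules: list = field(default_factory=list)  # [("permit"|"deny", regex)]
    permit_unmatched_args: bool = False            # "Permit unmatched args" box


@dataclass
class CommandSet:
    rules: list
    unmatched_commands: str = "deny"  # "Unmatched Commands" radio: permit/deny

    def evaluate(self, line: str) -> str:
        """Return "permit" or "deny" for one command line typed by the user."""
        words = line.strip().split()
        if not words:
            return "deny"
        cmd, args = words[0], " ".join(words[1:])
        for rule in self.rules:
            if not rule.command.lower().startswith(cmd.lower()):
                continue
            for action, pattern in rule.arg_rules:
                if re.search(pattern, args, re.IGNORECASE):
                    return action
            # Command matched but no argument rule did.
            return "permit" if rule.permit_unmatched_args else "deny"
        return self.unmatched_commands


# "Wildcard mask" thread: Command = show, Permit unmatched args = no,
# args = permit ip *, Unmatched Commands = Deny.
SHOW_IP_ONLY = CommandSet(
    rules=[CommandRule("show", [("permit", r"ip *")])],
    unmatched_commands="deny",
)

# "ACS matching too much" thread: the rule as posted (unanchored), and the
# same rule anchored to the whole argument string so 1/0/1x cannot match.
INTERFACE_LOOSE = CommandSet(
    rules=[CommandRule("interface", [("permit", r"GigabitEthernet 1/0/1")])])
INTERFACE_ANCHORED = CommandSet(
    rules=[CommandRule("interface", [("permit", r"^GigabitEthernet 1/0/1$")])])


def over_matched_ports(cmdset: CommandSet) -> list:
    """Which of ports 1/0/1 .. 1/0/19 the set permits under 'interface'."""
    return [p for p in range(1, 20)
            if cmdset.evaluate(f"interface GigabitEthernet 1/0/{p}") == "permit"]


if __name__ == "__main__":
    for line in ("sho ip int brief", "sho ip http server all", "sho ver"):
        print(f"{line:25s} -> {SHOW_IP_ONLY.evaluate(line)}")
    print("loose rule permits ports:   ", over_matched_ports(INTERFACE_LOOSE))
    print("anchored rule permits ports:", over_matched_ports(INTERFACE_ANCHORED))
```

Whatever the exact ACS matching engine does, the defensive check is the same: test a deny-by-default set against neighbouring interface names before rolling it out to a group.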

  • Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets

    Hello All,
    I am trying to create a user so that I can allow him to run only the commands that I have designated within my "Shell Command Authorization Set". This seems to work great; however, I cannot find anywhere I can "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option to only display commands the user has access to in ACS.
    My Steps:
    Created a user in ACS
    Shared Profile Components
    Create Shell Command Authorization Set - "ReadOnly"
    Unmatched Commands - Deny
    Unchecked - Permit Unmatched Arg
    Commands Added
    permit interface
    permit vlan
    permit snmp contact
    permit power inline
    permit version
    permit switch
    permit controllers utilization
    permit env all
    permit snmp location
    permit ip http server status
    permit logging
    Created a group - "GroupTest" with the following
    Configured - Network Access Restrictions (NAR)
    Max Sessions - Unlimited
    Enable Options - No Enable Privilege
    TACACS+ Settings
    Shell (exec)
    Privilege level is checked with 1 as the assigned level
    Shell Command Authorization Set
    "ReadOnly" - Assign a Shell Command Authorization Set for any network device
    I have configured following on my Router/Switch
    aaa authorization config-commands
    aaa authorization commands 1 default group tacacs+ if-authenticated
    privilege exec level 1 show log
    I have attached below the documentation I have gone over.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624

    "You are testing with privilege level 15 or below 15. When you are using a below-15 level user, first it will check the local command authorization set. For example, if you want to execute the sh run command with a level 5 user, first it will check the local command set. If the sh run command exists in the local command set then it will send the request to ACS. If it is not in the command set, it won't send the request to ACS. That's why you don't see the debug. For level 15 users it will directly send the request to ACS. Configure the command set locally and try; it should work.
    Correct me if I am wrong."
    Regards
    Vamsi

  • ACS - Shell Command Authorization Sets

    Hi,
    I have had a problem where a set of users in two groups in ACS are struggling entering commands. The commands are set in the Shell Command Authorization Sets and this hasn't changed. Other commands are working. As this is spanning two groups in ACS, I am thinking it's not something with the groups but the command sets themselves.
    Just to check, the commands are 'clear port-security' and 'clear mac address-table' - I have entered in Command 'clear' and the following attributes:
    permit port-security
    permit mac address-table
    I've also ticked 'Permit unmatched args'.
    At the same time as this is occurring I have been receiving the following messages from the ACS server via email:
    Test Timed out for service: CSAdmin
    Test Timed out for service: CSAuth
    Test Timed out for service: CSDbSync
    Test Timed out for service: CSLog
    I have looked at other posts and have restarted CSMon.  This then stops the messages for some time, then a day or so later I get the messages again.
    Could this be tied in with the command issue?  Is there something else I should look at other than restarting the server and the CSMon service again?  All other CS' services are running.
    Thanks!!
    Steve

    Thanks for your reply!
    There are no errors; the switch IOS is putting the asterisks as it does when you enter a command that is not recognised, i.e. for clear port-security, the port-security onwards is not recognised. On this note, the user is entered into privilege mode and not configure terminal mode, just base privilege mode. The group in ACS is set to max privilege level 7 and I have also set this on the user account in addition.
    I am using ACS v 4.1.
    While I receive the service messages and also when they go away - I always have the authorisation problem.
    Thanks
    Steve

  • Shell profile without a Command Set in ACS 5.1 - TACACS

    Hi all,
    I have created a shell profile with a default Privilege level of 15, and I am able to successfully call this via an Access Service Rule. The issue I have, however, is that despite having the # symbol after I log in, the switch will only allow me to perform priv 15 level commands if I also bind an 'Allow All' command set to the results in the access service rule.
    Is this how it should work, or should the shell profile alone with the priv 15 setting be enough? Am I missing something?
    The reason I ask is that in ACS 4.2 I would just tick Shell (exec) and set the Priv level to 15 in the appropriate group and would be good.
    Thanks in advance
    Rhodri

    FYI
    The issue here was the use of the 'aaa authorization commands' command.
    If I don't use these commands, then I only need the shell profile as no command authorization takes place post authentication.
    If using these commands, then you must also bind a command set to the results of the rule as the NAD will query the AAA server for each command.
    If I want to permit all commands for a certain priv level, I use a 'permit all commands' command set which will then allow all commands within a specific priv level.
    Here's an example NAD config:
    aaa group server tacacs+
    server 10.10.10.10
    aaa authentication login default local
    aaa authentication login Primary group local
    aaa authentication login Secondary local
    aaa authorization config-commands
    aaa authorization exec default group if-authenticated
    aaa authorization commands 0 default group if-authenticated
    aaa authorization commands 1 default group if-authenticated
    aaa authorization commands 3 default group if-authenticated
    aaa authorization commands 15 default group if-authenticated
    aaa accounting exec default start-stop group
    aaa accounting commands 0 default start-stop group
    aaa accounting commands 1 default start-stop group
    aaa accounting commands 3 default start-stop group
    aaa accounting commands 15 default start-stop group
    line con 0
    login authentication Secondary
    line vty 0 4
    login authentication Primary
    Hope this helps someone

  • ACS Shell Command Authorization Set + restricted Access

    Hi,
    I have tried to create a restricted access Shell Command Authorization Set on ACS as told in the Cisco URL
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    After I applied the same to a User Group I found the users in the group have complete access after typing conf t on the equipment. My ultimate aim was to restrict the access only at the Interface level; attached are the config details. Has anyone come across such a scenario? Please check my config and let me know if anything needs to be done, especially from my side.
    Thanks in Advance
    Regards
    Vineeth

    Hi Jatin,
    First of all, thank you very much. It started working after aaa authorization config-commands.
    Here I was trying to achieve one specific thing.
    I want to stop the following command on ACS: “switchport trunk allowed vlan 103”. I only want to allow “add” after “vlan” and block all the rest of the arguments.
    But even after setting the filter on ACS we are still able to execute the command. Is there anything like we cannot control the commands after the sub-commands?
    Also I am attaching the filter list along with this. Could you have a look at this and let me know whether I have configured something wrongly? Other than this, is there any workaround available to achieve this?
    Thanks and Regards
    Vineeth

  • ACS 4.0, only 1 Shell Command auth. set possible

    Hi all,
    I am wondering if this is a "hidden feature" of the evaluation software or a bug...
    I am currently running Cisco ACS server v.4.0 (evaluation version) on the Win2k3 platform, with authentication, authorization and accounting.
    In a nutshell I have the following setup:
    - group1 uses: Shell Command Authorization Set1
    - group2 uses: Shell Command Authorization Set2
    Problem: Users in group2 are somehow authorized against the commands listed in Shell Auth. Comm. Set1 instead of the configured Shell Auth. Comm. Set2.
    Is it possible that with the evaluation software only one Shell Command Authorization Set is allowed to be active? Does anyone know?
    Many thx
    Sander

    Problem resolved by renaming the authorization sets and reloading ACS...
    thx Sander

  • Show config not working in ACS "Shell Command Auth set"

    To allow an AAA user access to the "show config" command I have created them an account in ACS and assigned the relevant "Shell Auth Set", but it still does not permit them to use it. I read that this may not be the command that the switch sends to the ACS server. Anyone have any ideas? (The switch is configured with all AAA commands.)

    Hi,
    I am expecting that the rest of the shell command authorization configuration is good on the ACS and the device. We need to add the command show along with the argument in the command authorization set. I have attached a sample configuration for reference.
    Please verify the configuration of ACS and the device before making any changes, to keep yourself from being locked out of the device.
    ACS Shell Command Authorization Sets on IOS and ASA/PIX/FWSM Configuration Example:-
    http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

  • AAA with CatOS and ACS (shell command autorization set)

    Hi,
    I have an ACS that authenticates and authorizes IOS devices.
    I use "shell command authorization sets" to authorize some commands for some groups.
    Is it possible to do so with CatOS?
    For example, I'd like the group FULL to be able to access all commands and the group LOW to only access "sho" commands.
    Regards,
    ROMS

    Console> (enable) set tacacs server [IP] [primary]
    set tacacs key [key]
    set tacacs attempts [number] (optional)
    set localuser user [user] password [password] privilege 15
    set authentication login local enable
    set authentication login tacacs enable [all | console | http | telnet] [primary]
    set authorization exec enable tacacs+ [deny | none] [console | telnet | both]
    set authorization commands enable [config | all] tacacs+ [deny | none] [console |telnet | both]
    regards,
    ~JG

  • ACS Shell Command Authorizations Set

    I have Cisco ACS Server V4.0
    In the Shell Command Authorization Set I configured restricted access.
    In privilege mode the restriction of the commands works well, but when I enter the config prompt the restriction doesn't work. In this prompt I can enter all commands.
    Why This?

    I have the same error with ACS Server 4.2. I can restrict in privilege mode but global config is wide open. Also, any command I block in privilege mode can still be executed in global config using the "do" command. How do I block that, or find out what commands the router is sending to the ACS?

  • Shell Command Authorization Sets ACS

    Hi, I followed this guide step by step: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    but still all my users can use all the commands.
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R3
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa authentication login milista group tacacs+ local
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa session-id common
    memory-size iomem 5
    ip cef
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    multilink bundle-name authenticated
    username admin privilege 15 secret 5 $1$CS17$3oeNpzTvJAyZTvOUP2qyB1
    archive
    log config
    hidekeys
    interface FastEthernet0/0
    ip address 192.168.20.1 255.255.255.0
    duplex auto
    speed auto
    interface Serial0/0
    no ip address
    shutdown
    clock rate 2000000
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    interface Serial0/1
    ip address 20.20.20.2 255.255.255.252
    clock rate 2000000
    interface Serial0/2
    no ip address
    shutdown
    clock rate 2000000
    interface Serial0/3
    no ip address
    shutdown
    clock rate 2000000
    router eigrp 1
    network 20.0.0.0
    network 192.168.20.0
    no auto-summary
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    tacacs-server host 192.168.20.2 key cisco
    control-plane
    line con 0
    exec-timeout 0 0
    logging synchronous
    login authentication milista
    line aux 0
    line vty 0 4
    end
    I copied the authorization commands from the Cisco forum and followed the steps, but nothing: all my users have full access to all commands.
    Here's my shared profile:
    name-------------admin jr
    Description---------for jr admin
    unmatched commands------- ()permit  (x)deny
    permit unmatched args()
    enable
    show -------------------------- permit version<cr>
    permit running-config<cr>
    Then I add this profile to group 2 and then I add my user to group 2.
    Then I log in to the router with the user and I can still use ALL the commands. I don't know what I am doing wrong, any idea?
    Can you give me a guide to set up authorization with ACS? I can't find any good guide; Jeremy from CBT gives an example but just for authentication. I am lost, I have been battling with this problem since Wednesday without luck.

