ACS 5.5 Command Set Arguments

Ran into a small problem with ACS 5.5, when assigning Permit commands in the Command Sets I wanted to be able to Permit the "show" command with all the commands within that group being permitted. 
In ACS 4, I was able to check a small box labeled "Permit Unmatched Args" and all of the "show" commands were permitted.
Reading the guide for ACS 5 it says it uses Unix expressions for the Arguments, which I know a few, but I do not know what the "permit all" is.
Thanks for any help.

Ben,
If you leave the arguments blank it should have the effect you want.
cheers
Rich

Similar Messages

  • ACS 5.3 Shell Command Set

    Hi all,
    Currently i deploy a ACS 5.3 at customer site. The issue i face currently is some command sets no able to deny. Example like below:
    i want to deny the AD user with priviledge level 15 to change the enable secret password and delete the enable secret password.
    the command i issue at below:
    deny enable secret -> working
    deny no enable secret  -> no working
    Anyone got idea to make the no working argument become working?

    Hi there,
    I just did a test in my ACS using your requirements and it worked fine, check below my configuration it may help you:
    I am using the following AAA commands:
    Switch(config)#do sh run | i aaa
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 0 default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa session-id common
    Switch(config)#
    Rate if it helps!

  • Command Sets not working on ACS 5.1

    I'm running ACS 5-1-0-44-3.
    I have everything running properly on ACS 5.1.  I'd like to implement command sets for selected users and groups.  Under Access Policies -> Device Admin-> Authorization I have Command Sets selected.  The cisco provided is DenyAllCommands.  I have this command set running on all groups and every groups is still able to issue any command they wish.  I've also created a "show_only" command set that I've issued one group and they are still able to do conf t or any other command.
    Am I missing something?
    Do you need to reference the command set name under the shell profiles?
    Its my understanding that all you have to do is reference it in "Authorization" in the rules under Device Admin.
    I can understand a custom command set not working because of user error but DenyAllCommands should work.
    Anyone have any ideas?
    I have already re-patched the ACS
    Stopped and started services.
    And it seems like Command Sets is the only not referenced in the logs

    I do it a lot 
    could you paste screnshot of your command set?
    I've recently met another issue,
    with my command set definition as below (as you can see its very simple):
    almost every show is blocked (as suspected) but not "show run" (which is strange for me)

  • Burrito - can't set 'command line arguments' (mobile)

    Hi all,
    The option to set command line arguments in the "Run/Debug Settings" - "Launch Configurations" dialog disappears when a new "Flex Mobile AIR Project" is created.
    I am developing APKs that are launched via Intents from other Android apps; setting arguments for testing in the IDE would improve the workflow that now requires me to deploy to the device for testing. Is there a workaround for this?
    Thanks,

    Put the command into a file with execute permissions, including whatever command-line arguments you want. For instance, the file might contain the following:
    #! /bin/bash
    xpdf -g 1200x900 -z width -cont "$1"
    In Firefox preferences, under "Applications," locate the appropriate Content Type and in the Action menu, select "Use other..." and then locate the executable file you just created and select it.
    In UNIX-type operating systems at least, available options to the command can be found using the "man" command (e.g. "man xpdf" for the example above).

  • Setting Command Line Arguments for my Class

    HI,
    How do I set the command line arguments for my debug class. For example , I would like my user to type :
    java Debug -LEVEL1
    What should I do to implement this behaviour.
    Thanks in advance...

         public static void main (String[] args){
              if(args.length > 0){
                   int j = 0;
                   BMsearch search = new BMsearch();
                   try{
                        while (j < args.length){
                             if(args[j].equalsIgnoreCase(ONE_PATERN)){
                                  search.addPaternForSearch(args[j+1]);
                                  j = j+2;
                             else if (args[j].equalsIgnoreCase(PATERNLIST)){
                                  j++;
                                  while( ! (args[j].startsWith("-")) ){
                                       search.addPaternForSearch(args[j]);
                                       j++;
                                  }//end while
                             else if (args[j].equalsIgnoreCase(PATERNFILE)){
                                  j++;
                                  search.readPaternFile(args[j]);
                                  j++;
                             else if(args[j].equalsIgnoreCase(MATCH_H)){
                                  search.heuristic = MATCH_HEURISTIC;
                                  j++;
                             else if(args[j].equalsIgnoreCase(MATCH_H2)){
                                  search.heuristic = MATCH_HEURISTIC_TWO;
                                  j++;
                             else if(args[j].equalsIgnoreCase(OCC_H)){
                                  search.heuristic = OCC_HEURISTIC;
                                  j++;
                             else if(args[j].equalsIgnoreCase(COMB_H)){
                                  search.heuristic = COMBINED_HEURISTIC;
                                  j++;
                             else if(args[j].equalsIgnoreCase(JAVA_S)){
                                  search.heuristic = JAVA_NATIVE;
                                  j++;
                             else if(args[j].equalsIgnoreCase(TEXTFILE)){
                                  j++;
                                  search.readFileIn(args[j]);
                                  j++;
                             else if(args[j].equalsIgnoreCase(TEXTURL)){
                                  j++;
                                  search.readURLFileIn(args[j]);
                                  j++;
                             else if(args[j].equalsIgnoreCase(STOPatFIRST)){
                                  search.searchall = false;
                                  j++;
                             else if(args[j].equalsIgnoreCase(STOPatLAST)){
                                  search.searchall = true;
                                  j++;
                             else if(args[j].equalsIgnoreCase(VERBOSE)){
                                  search.verbose = true;
                                  j++;
                             else if(args[j].equalsIgnoreCase("-h") || args[j].equalsIgnoreCase("-help")){
                                  printHelp();
                                  Start = false;
                                  break;
                             else{
                                  System.out.println(" Error while parsing Parameter. ");
                                  System.out.println(" type java BMsearch -help for all Options");
                                  Start = false;
                                  break;
                        }// end outer while
                   catch(Exception e){
                        System.out.println(" Error while parsing Parameter. ");
                        System.out.println(" type java BMsearch -help for all Options");
                        Start = false;
                        j = args.length;
                   if(Start){
                        if(search.verbose)System.out.println(" Parameter parsed, beginning with search ...");
                             search.starttimeTotal = System.currentTimeMillis();
                        search.search();
                        search.stoptimeTotal = System.currentTimeMillis();
                        System.out.println(" Whole search took:  " + (search.stoptimeTotal - search.starttimeTotal) + " milliseconds.(Brutto) ");
              else{
                   System.out.println(" Error while parsing Parameter. ");
                   System.out.println(" type java BMsearch -help for all Options");
         }//end MAINThis is takem from one of my command line classe (a Boyer Moore Pattern-Matching application from an exercise). I don't know if this is the best way, but thats what I have done there for passing some arguments, where the order of them isn't pre-given (you can pass the params in the order you want).
    The CAPITAL vars are pre-defined final Strings holding the param-names, e.g.
    public static final String ONE_PATERN = "-p";
    public static final String PATERNLIST = "-plist";
    public static final String PATERNFILE = "-pfile";Another trick sometimes used in Linux/Unix, if you have only false/true combinations, are numbers from pow 2 (2,4,8,16). In C they are used because of the binary representation, but it has some benefits. E.g. a value of 2 (0010) and another true set on 4 (0100) results binary in 6 (0110), so you can mix parameters in only one value, and with a byte - array you could check, if the flag for a given param is set. But this way is a little tricky for the end-user.

  • Shell profile without a Command Set in ACS 5.1 - TACACS

    Hi all,
    I have created a shell profile with a default Privilege level of 15, I am able to successfully call this via an Access Service Rule. The issue I have however is that depite having the # symbol after I log in, the switch will only allow me to perform priv 15 level commands if I also bind an 'Allow All' command set to the results in the access service rule.
    Is this how it should work or should the shell profile alone with the priv 15 setting be enough? Am I missing something?
    The reason I ask is that in ACS 4.2 I would just set the tick Shell (exec) and set the Priv level to 15 in the appropriate group and would be good.
    Thanks in advance
    Rhodri

    FYI
    The issue here was the use of the 'aaa authorization commands' command.
    If I don't use these commands, then I only need the shell profile as no command authorization takes place post authentication.
    If using these commands, then you must also bind a command set to the results of the rule as the NAD will query the AAA server for each command.
    If I want to permit all commands for a certain priv level, I use a 'permit all commands' command set which will then allow all commands within a specific priv level.
    Here's an example NAD config:
    aaa group server tacacs+
    server 10.10.10.10
    aaa authentication login default local
    aaa authentication login Primary group local
    aaa authentication login Secondary local
    aaa authorization config-commands
    aaa authorization exec default group if-authenticated
    aaa authorization commands 0 default group if-authenticated
    aaa authorization commands 1 default group if-authenticated
    aaa authorization commands 3 default group if-authenticated
    aaa authorization commands 15 default group if-authenticated
    aaa accounting exec default start-stop group
    aaa accounting commands 0 default start-stop group
    aaa accounting commands 1 default start-stop group
    aaa accounting commands 3 default start-stop group
    aaa accounting commands 15 default start-stop group
    line con 0
    login authentication Secondary
    line vty 0 4
    login authentication Primary
    Hope this helps someone

  • ACS matching too much on shell command sets

    I have a problem with ACS, I only want to give users access to gig1/0/1 but ACS matches 1/0/10, 1/0/11, 1/0/12...1/0/19 in my command set (the statement is set to permit GigabitEthernet 1/0/1). How do I tell it to match only 1/0/1 and nothing else?
    Thanks!!

    interface--------permit GigabitEthernet [1] [0] [1]
    Or
    interface--------permit GigabitEthernet [1][0][1]
    Regards,
    Prem
    Please rate if it helps!

  • Cannot get restricted command set to work with ACS 5.5 and HP Procurve switches - Can anyone assist?

    I have AAA authentication working with no restrictions and I have TACACS working with command restrictions for my Cisco gear.

    Hi... I have created a shell profile in Policy Elements -> Authorization and Permissions -> Device Administration -> Shell Profiles which has a assigned privilege level of 15 and a max privilege level of 15.  Further to this I have added a new commands set via Policy Elements -> Authorization and Permissions -> Device Administration -> commands sets. 
    I have referenced the shell profile via Access Policies -> Access Services -> Default Device Admin -> Authorization. And this part of it seems to work fine, but the command set I am using to restrict the commands allowed is not being used...do I need to reference the command set somewhere else within the ACS platform as well?  The configuration I have added on to the Network Device is as follows: -
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication enable default group tacacs+
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ none
    Can you advise what it is I am missing?

  • ACS 5.3 - comman sets not working

    We installed ACS 5.3 on Vmware -cent os ,  and a cisco router is configured to authenticate to this TACACS+ server , 
    i am able to login to router using the specified TACACS username ./ password and able to see the hits also as below in the policy ,
    But the Command sets are not working as definded, pls help me to find the problem..
    Filter:
    StatusNameIdentity GroupNDG:LocationNDG:Device TypeTime And DateCommand SetsShell ProfileHit Counts
    Match if:
    EqualsNot Equals
    EnabledDisabledMonitor Only
    Status
    Name
    Conditions
    Results
    Hit Count
    Identity Group
    NDG:Location
    NDG:Device Type
    Time And Date
    Command Sets
    Shell Profile
    1
    RO ACCESS
    in All Groups:READ ONLY ACCESS
    in All Locations
    in All Device Types
    -ANY-
    READ ONLY POLICY
    RO SHELL
    10
    2
    RESTRICTED ACCESS
    in All Groups:RESTRICTED ACCESS
    in All Locations
    in All Device Types
    -ANY-
    RESTRICTED USER POLICY
    Permit Access
    1
    3
    SUPER ADMIN ACCESS
    in All Groups:FULL ACCESS
    in All Locations
    in All Device Types
    -ANY-
    PERMIT ALL POLICY
    Permit Access
    0

    Logs for such a RO-read only user login
    AAA Protocol > TACACS+ Authentication Details
    Date :
    August 27, 2012
    Generated on August 28, 2012 7:13:37 AM UTC
    Authentication Details
    Status:
    Passed
    Failure Reason:
    Logged At:
    Aug 27, 2012 12:18 PM
    ACS Time:
    Aug 27, 2012 12:18 PM
    ACS Instance:
    acsserver
    Authentication Method:
    PAP_ASCII
    Authentication Type:
    ASCII
    Privilege Level:
    15
    User
    Username:
    muthu
    Remote Address:
    172.20.1.25
    Network Device
    Network Device:
    Default Network Device
    Network Device IP Address:
    192.168.251.26
    Network Device Groups:
    Device Type:All Device Types, Location:All Locations
    Access Policy
    Access Service:
    TAFE POLICY1
    Identity Store:
    Internal Users
    Selected Shell Profile:
    RO SHELL
    Active Directory Domain:
    Identity Group:
    All Groups:READ ONLY ACCESS
    Access Service Selection Matched Rule :
    Rule-2
    Identity Policy Matched Rule:
    Default
    Selected Identity Stores:
    Internal Users, Internal Users
    Query Identity Stores:
    Selected Query Identity Stores:
    Group Mapping Policy Matched Rule:
    Default
    Authorization Policy Matched Rule:
    RO ACCESS
    Authorization Exception Policy Matched Rule:
    Other
    ACS Session ID:
    acsserver/132692348/212
    Service:
    Login
    AV Pairs:
    Response Time:
    4
    Other Attributes:
    ACSVersion=acs-5.3.0.40-B.839
    ConfigVersionId=97
    Protocol=Tacacs
    Type=Authentication
    Action=Login
    Port=tty194
    Action=Login
    Port=tty194
    UserIdentityGroup=IdentityGroup:All Groups:READ ONLY ACCESS
    Authentication Result
    Type=Authentication
    Authen-Reply-Status=Pass
    Steps
    Get TACACS+ default network device setting.
    Received TACACS+ Authentication START Request
    Evaluating Service Selection Policy
    Matched rule
    Selected Access Service - TAFE POLICY1
    Returned TACACS+ Authentication Reply
    Get TACACS+ default network device setting.
    Received TACACS+ Authentication CONTINUE Request
    Using previously selected Access Service
    Evaluating Identity Policy
    Matched Default Rule
    Selected Identity Store - Internal Users
    Looking up User in Internal Users IDStore - muthu
    Found User in Internal Users IDStore
    TACACS+ will use the password prompt from global TACACS+ configuration.
    Returned TACACS+ Authentication Reply
    Get TACACS+ default network device setting.
    Received TACACS+ Authentication CONTINUE Request
    Using previously selected Access Service
    Evaluating Identity Policy
    Matched Default Rule
    Selected Identity Store - Internal Users
    Looking up User in Internal Users IDStore - muthu
    Found User in Internal Users IDStore
    Authentication Passed
    Evaluating Group Mapping Policy
    Matched Default Rule
    Evaluating Exception Authorization Policy
    No rule was matched
    Evaluating Authorization Policy
    Matched rule
    Returned TACACS+ Authentication Reply
    Additional Details
    Diagnostics ACS Configuration Changes

  • How to run command line argument programe

    Hi guys, I am doing pass command line argument programe in java but I don't know how to run this programe. Path for this programe in my my computer is C:\Users\Desktop\Mainjava\mycode\CommandProgjava*
    {code/}
    public class CommandProg
    public static void main(String[] args)
    System.out.println("d");
    for (int i = 0; i < args.length; i++)
    System.out.println(args);
    {code/}
    Where i need to go and what command i need to give so i can execute this programe(I am using window vista). I only know i have to give
    this command some where CommandProg arg1 arg2 arg3 arg4. Output should be
    Output:
    arg1
    arg2
    arg3
    arg4
    Please help me, Thanks in advance.
    Edited by: JayVirk on Dec 30, 2007 11:33 AM

    Jay,
    Your question isn't very clear, hence Joerg's well meaning but irrelevant advise.
    Do you mean:
    I've written a simple program in java which echos
    it's command-line arguments to back to the console.
    Here's my code:
    package forums;
    public class ArgsEchoer
      public static void main(String[] args) {
        for (String arg : args) {
          System.out.println(arg);
    But can't figure out how to compile and run the program.
    I'm using winblows shista, and it's cr@p.
    Please help me, Thanks in advance.So... where are you at? Have you installed the JDK (java development kit)? Which version? Is your path set? Is your classpath set?
    Start here: http://java.sun.com/developer/onlineTraining/new2java/

  • ERROR: -1639 INVALID COMMAND LINE ARGUMENT

    Trying to install software for Shuffle that Santa brought and get this error messsage...
    "Error: -1639 invalid command line argument. Consult the windows Installer SDK for detailed command line help."
    Install stops at this point.
    SOMEONE HELP... My kid is chomping at the bit !
    Thanks.

    Ok I'll do some more searching but I found something in the community forums.
    APPSearch can not return this data into a property, so instead, for some unspeakable reason, returns a value of Null, follwed by another Null. This means that the property is created, and populated with two null characters. Bad news if the property also happens to be a PUBLIC property. All public properties are passed as part of the command line sent in a stream to the background installer process by the Execute Action. Since this stream now contains a double null value in a property, the stream is prematurely terminated. This creates an invalid command line, and thus the 1639 error.
    This user solved it by using the MSi Cleanup installer util.
    EDIT: A little more info...
    This problem is almost impossible to detect through the MSI log files since our friends at Microsoft chose to limit the length of any line in the log. It is impossible to get a dump of the full command line that generates this error.
    EDIT2:Note that error 1639 only ocurrs when the install package is run from removable media. When the package is run from local storage, the behavior is far more obtuse. The background install process, failing to receive a complete command line, is forced to run as if there had been no UI session, which in turn causes the APPSearch action to run again as if the install was running in silent mode. This causes re-evaluation of all properties a second time, destroying the feature selections made in the UI session, and also forcing the install to run under user credentials instead of elevated, even though AdminUser, ALLUSERS and Privleged properties are set. This is a very serious error that causes total failure of the installation.

  • Documenting command line arguments

    I'm very new to javadoc, and I'm trying to put together a set of guidelines for our developers to follow. One thing I came accross was command line arguments. If a main function is expecting command line arguments, how would this be documented, should @param be used? I didn't see anything about this in the guidelines sun has posted. Any help is greatly appreciated.

    This is my own personal opinion, so don't treat it as a "fact", but I don't think Javadoc is best suited for specifying command line arguments. You could do the following:
    *  Description of main() here...
    * @param args First parameter = xxx, Second parameter = yyy;
    public static void main(String[] args)
    }In this way you can specify all command-line parameters that are required in order to make the appliction run.
    BUT...
    Javadoc is meant more to be a programmatic guide to how to allow Java classes to interoperate. Java classes (mostly) will not care at all what the command-line parameters to the main invocation are. That is information that is only really needed to be known by the application executor at runtime.
    Therefore, for all my apps, I do the following to comment what types of parameters should be passed to the invocation of the application:
    * My App comments...
    * @param args Run application without any parameters to see list of all necessary command-line parameters.
    public static void main(String[] args)
       if (args.length < 1)
          System.out.println("This application allows the following parameters:");
          System.out.println("   Param#1 = xxx, <description>");
          System.out.println("   Param#2 = yyy, <description>");
          System.exit(0);
    }In this way, you do not clutter up the Javadoc APIs (used for classwise interaction) with command-line parameters, but the command-line parameters are still specified by "documentation" (running the application without any parameters).
    If parameters are optional, instead of mandatory, you could do something similar...
    * Documentation...
    * @param args Run -h as first flag for list of all optional parameters.
    public static void main(String[] args)
       if ((args.length > 0) && (args[0].equals("-h"))
          // Print out all possible parameters.
    }Anyway, this system has held me in good stead for the last couple of years.

  • How to hide the command line arguments from solaris process

    Hi All,
    When I execute a JAR application from a java file using the Runtime.getRuntime, the command line arguments (user ID and Password details) which I passed for executing the application displayed on Solaris process (ps -ef).
    Could anybody please help me, how can I hide either the process or the command line arguments from the Solaris process?
    I cannot pass any asterix or any special character in place of password, because the executing application doesn't have any functionality to retreive the password which send as asterix characters.
    Please help me
    SumodeV

    Thanks for all the response.
    I have created a design and implement the functionality which executes the JAR application in Solaris environment without showing any details in the process details.
    I have used the Java Reflection method, which invokes the JAR application. I am sharing the details here for all those who looking for it.
    1, Inside the Customer application [Jar File is running for it], collect the necessary session details [Using System.get property method]
    2, Create an independent Java file, which should be used to invoke the JAR application
    3, Create the ProcessBuilder object and use a command - execute the Java file [a wrapper code] using normal Java command
    4, Pass the necessary session details to the ProcessBuilder using the environment() function.
    5. Collect the environment values in the independent Java file (Which was invoked by ProcessBuilder) and set details for its environment using System.setProperty.
    6, Use reflection technique to invoke the JAR plugin [which you want to run]. You can use the standard Java functionality to read the MANIFEST file of JAR and load the main class using URLClassLoader.
    7, Invoke the main method of the JAR file, which run the JAR application in Solaris window
    This solution will make sure that the process cannot display any session details in the Solaris Environment.
    Note: Use String[] array while create the command. Otherwise the JAR application cannot pop-up.
    Regards
    Sumode

  • Labview is using stale command line arguments

    I've created a vi to test passing command line arguments to Labview. I've attached it below. All it does is display the 1st and 2nd arguments. Also in VI Properties in the Execution category, it's set to 'Run when opened'.
    In the command prompt I'm entering: "C:\Program Files (x86)\National Instruments\LabVIEW 2014\LabVIEW.exe" "C:\Users\command_line_arguments.vi" -- a b
    This works - the vi launches, and displays a and b. However, if I run it again from the command prompt with  -- a c  as the arguments, it still displays a b. Only if I exit the vi, and quit LabVIEW (so that LabVIEW.exe stops running) then launch it again from the command line does it display a c.
    So for some reason Application:Command Line Arguments is using stale data, and ignoring the new arguments. Is this a bug, or am I using it in the wrong way? Thanks.
    Attachments:
    command_line_arguments.vi ‏8 KB

    lv_manchester wrote:
    So for some reason Application:Command Line Arguments is using stale data, and ignoring the new arguments. Is this a bug, or am I using it in the wrong way? Thanks.
    That's normal behavior, the command line arguments are always the ones with which LabVIEW was first started. I think most single-instance applications work this way, although it's not something I've ever tested. Attempting to run LabVIEW again will just bring the already-running application to the front.

  • Numerical Command-Line Arguments in Java

    Hi I am new to Java and am a little confused about setting up command-line arguments. From what I have read, the arguments are put in the args array of the main method.
    So accessing or using them would use args[n] right?
    But the args is a string array (String[] args). Therefore what would I need to do if I wanted to treat the arguments as numbers and not strings? E.g. I wanted to apply mathematical functions to the arguments.
    I believe to do this I would need a Integer.parseInt( string ).
    This is what I have tried:
    public static void main(String[] args) {
              int firstArg = Integer.parseInt(args[1]);
              System.out.println(firstArg);
    where argument 1 is "23".
    This compiles but I get a Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 1
         at the "int firstArg = Integer.parseInt(args[1]);" line.
    Can someone tell me what I am doing wrong and a small over view on command line arguments would also be welcome :D.
    Thanks

    Oh yeah.. I need to tattoo args[0] to my forehead. Thanks its now working.
    Edited by: Sunny_B on Apr 20, 2008 1:21 PM

Maybe you are looking for

  • Fb60 or f-43

    Hi Sap Experts, When posting a vendor invoice (via FB60 or F-43) it possible to change the vendor reconciliation account. In customising I configured alternative reconciliation accounts. Also I need to make the reconciliation account ready for input.

  • My 6500 Slide is showing all numbers as "Private N...

    Hi, Although I have updated Software, My 6500 is showing all numbers as private number. Can anyone help me on this stuff ? Regards, Amjad

  • Have a compaq nc6320 laptop the system clock is set to 6/3/9999

    why can't I seem to change the clock on this laptop couldnt find in bois where to set bois clock and tgried to change in windows 7 and it will not change

  • ? new subscription needed

    Please can you tell me if I need to re subscribe to get the new June 2014 Photoshop? My subscription was a Christmas present from my family and when I tried to get the new edition it only offered me a 30 day trial, I thought that upgrades were covere

  • I have no volume at all on my la\ptop

    no volume on my laptop This question was solved. View Solution.