ACS command authorization - deny CatOS "set" commands
Cisco Secure ACS 4.2
I have a network support group that i just want to deny them the ability to use IOS and CatOS configuration commands.
I noticed that the Per Group Command Authorization is applicable to only IOS-based commands. I applied it to deny "configure", but permit everything else.
How do I go about setting this group up to deny set-based commands for the CatOS devices?
Hi
CatOS does TACACS+ right? Pretty sure it does. If it has a "shell/exec" service like IOS then ACS wont really care whether the command authorisation is IOS or CatOS - it doesnt have any specific command set knowledge. ie it uses string comparisons between what the device is requesting and what is permitted.
However, if the command authorisations are totally different (between IOS and catos devices) you might need to place them into separate NDGs so that you can map an IOS NDG to an IOS device command set and vice versa.
Hope that makes sense!
Similar Messages
-
Problem - acs command authorization and web access control
Hi, I'm trying to add the control of some aironet 1310 bridges with a ACS 3.2 (tacacs+). I wanted to be able to do telnet command authorization restrictions trough shell command authorization sets and be able to give similar restrictive web access at the same time. I have it working if I permit some commands that are sent by the browser as "write memory quiet" and few other ones, but for it to work, I must give them limited users the privilege level 15 and by having the tacacs server authorizing the commands, it work for both, http and telnet. Where my problem begin is when I loose the connection with the ACS server, the user being already authenticated as level 15 user, the device become open to all commands; there is no more restriction applied by the ACS. Do anybody now a workaround.
It is already at local, that is just that the user already have a level 15 access and I used to control the commands through level settings before. So when I try it, my user that is localy level 5 is already recognized as a level 15 user from when it was authenticated through the ACS. If I could find a way to give web access to the 1310 at priv level 5 and still controlling the command set, it would be ok but as soon as I try to access a page that is not permitted other way than by the view level (i think it's level 1... or 0), I get a username password prompt with that line on the top of it:"level_15_or_view_access" and the only way I can access it is by entering a level 15 un/pass. I attached my 1310 aaa config
and here are the command set that work at level 15 to do a "shut" or "no shut" of the radio interface by the web interface:
configure
permit terminal
exit
permit Unmatched Args
interface
permit Dot11Radio0
no
permit shutdown
permit cca
ping
permit Unmatched Args
show
permit Unmatched Args
shutdown
permit Unmatched Args
telnet
permit Unmatched Args
write
permit memory quiet
Thanks for the help ! -
Config commands authorization on ASA
Hi, is there a way to control the config commands with tacacs+ authorization ?
When I enable the configure command, in ACS shell coomand authorization set, all other config commands are enabled.
In IOS there's the "aaa authorization config-commands", how to with ASA ?Please check this link that explains about command authorization on ASA.
these commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:
aaa-server authserver protocol tacacs+
aaa-server authserver host 10.1.1.1
aaa authorization command authserver
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
Regards,
~JG
Do rate helpful posts -
When logging to some of our routers, we get sometimes (not always!!!) a command authorization failure, sometimes the command works, sometimes the same command fails, also in the tacacs logs there is no trace of the attempt to log in on this router.
We need to check the debugs as that will let us know why the command failed.
debug tacacs
debug aaa authorization
What is the IOS ver running on the routers?
Regards,
~JG
Do rate helpful posts -
Cisco ACS command authorization sets
I need help on the following please.
1. - I am using ACS as TACACS server to control IOS authorization on all our Switches, However I can not deny telnet sessions to other devices from within CatOS - does anyone know the command authorization set to deny this within ACS ????
2. Does anyone know where I can read up on command authorizations sets for ACS ??
3. What is the debug command for CatOS to see cli output ?
Many thanks
RodThanks for your info. I have solved my problem -
1. I enabled tacacs administration logging using command on switch aaa authorization commands 15 default group tacacs+
This let me see what what happening everytime I entered a command on CatOS - via the logging monitor on ACS. From here i was able to see that when i was trying to telnet to a device from CatOS it was doing it on Privilage mode 1. I then entered this command aaa authorization commands 1 default group tacacs+ which solved my telnet problem.
Problem resolved.
Many thanks. -
Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets
Hello All,
I am trying to create a user so that I can provide him only to run commands that I have designated them to run within my "Shell Command Authorization Set". This seems to work great, however I cannot find anywhere I can "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option to only display commands the user has access to in ACS.
My Steps:
Created a user in ACS
Shared Profile Components
Create Shell command Autorization Set - "ReadOnly"
Unmatched Commands - Deny
Unchecked - Permit Unmatched Arg
Commands Added
permit interface
permit vlan
permit snmp contact
permit power inline
permit version
permit switch
permit controllers utilization
permit env all
permit snmp location
permit ip http server status
permit logging
Created a group - "GroupTest" with the following
Confirgured - Network Access Restrictions (NAR)
Max Sessions - Unlimited
Enable Options - No Enable Privilege
TACACS+ Settings
Shell (exec)
Priviledge level is check with 1 as the assigned level
Shell Command Authorization Set
"ReadOnly" - Assign a Shell Command Authorization Set for any network device
I have configured following on my Router/Switch
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ if-authenticated
privilege exec level 1 show log
I have attached below the documention I have gone over.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624"you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
Correct me if I am wrong."
Regards
Vamsi -
Shell Command Authorization Sets ACS
hi i followed this guide step by step http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
but still all my user can use all the commands
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R3
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login milista group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common
memory-size iomem 5
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
multilink bundle-name authenticated
username admin privilege 15 secret 5 $1$CS17$3oeNpzTvJAyZTvOUP2qyB1
archive
log config
hidekeys
interface FastEthernet0/0
ip address 192.168.20.1 255.255.255.0
duplex auto
speed auto
interface Serial0/0
no ip address
shutdown
clock rate 2000000
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface Serial0/1
ip address 20.20.20.2 255.255.255.252
clock rate 2000000
interface Serial0/2
no ip address
shutdown
clock rate 2000000
interface Serial0/3
no ip address
shutdown
clock rate 2000000
router eigrp 1
network 20.0.0.0
network 192.168.20.0
no auto-summary
ip forward-protocol nd
no ip http server
no ip http secure-server
tacacs-server host 192.168.20.2 key cisco
control-plane
line con 0
exec-timeout 0 0
logging synchronous
login authentication milista
line aux 0
line vty 0 4
end
i copy the authorization commands from the cisco forum and follow the steps but no thing all my users have full access to all commands
heres my share profile
name-------------admin jr
Description---------for jr admin
unmatched commands------- ()permit (x)deny
permint unmatched args()
enable
show -------------------------- permit version<cr>
permit runnig-config<cr>
then i add this profifle to group 2 and then i add my user to the group 2
then i log in to the router enter with the user and i still can use ALL the commands i dont know what i am doign bad any idea?
can you give me if you can a guide to setup authorization with ACS i cant find any good guide jeremy from CBT gives a example but just for authentication i am lost i am battling with this prblem since wednesday without luck"you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
Correct me if I am wrong."
Regards
Vamsi -
ACS - Shell Command Authorization Sets
Hi,
I have had a problem where a set of users in two groups in ACS are struggling entering commands. The commands are set in the Shell Command Authorization Sets and this hasnt changed. Other commands are working. As this is spanning two groups in ACS I am thinking it's not something with the groups but the command sets itself.
Just to check, the commands are 'clear port-security' and clear mac address-table' - I have entered in Command 'clear' and the following attributes;
permit port-security
permit mac address-table'
I've also ticked 'Permit unmatched args'
At the same time as this is occuring I have been recieving the following messages from the ACS server via email;
Test Timed out for service: CSAdmin
Test Timed out for service: CSAuth
Test Timed out for service: CSDbSync
Test Timed out for service: CSLog
I have looked at other posts and have restarted CSMon. This then stops the messages for some time, then a day or so later I get the messages again.
Could this be tied in with the command issue? Is there something else I should look at other than restarting the server and the CSMon service again? All other CS' services are running.
Thanks!!
SteveThanks for your reply!
there are no errors, the switch ios is putting the asterics as it does when you enter a command that is not recognised, i.e. for clear port-security the port-security onwards is not recognised. On this note, the user is entered into priviledge mode and not in configure terminal mode, just base priviledge mode. The group in ACS is set to max priviledge level 7 and have also set this on the user account in addition.
I am using ACS v 4.1.
While I receive the service messages and also when they go away - I always have the authorisation problem.
Thanks
Steve -
ACS Shell Command Authorization Set + restricted Access
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
Hi ,
I have tried to Create a restricted Access Shell Command Authorization Set on ACS as told on the Cisco Url
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
After I applied the same on a User Group I found the users on the group have complete access after typing the conf t on the equipments . My ultimate aim was restrict the access only at Interface level , Attached is the config details . Could anyone has come across such scenario . Please check my config and let me know any thing need to be done specially from My Side
Thanks in Advance
Regards
Vineeth/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
Hi Jatin ,
first of all Thank you very much . It startted working after aaa authorization config-commands
here I was trying to achive one specfic thing .
I want to stop the following commands on ACS “switchport trunk allowed vlan 103” . I only want allow “add” after “vlan” and block rest all arguments
But even after setting the filter on ACS Still we are able to execute the command is there anything like we cannot control the commands after the sub commands
Also I am attaching the filter list along with this. Could you have look on this and let me know whether I have configured something wrongly. Other than this is there any work around is available to achieve this .
Thanks and Regards
Vineeth -
ACS Shell Command Authorizations Set
I have Cisco ACS Server V4.0
In the shell Command Authorization Set I configure a restrict Access.
In the privilege mode the restriction of the commands works good, but when I enter in the config prompt the restriction don't works. In this promt I can enter all commands.
Why This?I have the same error with ACS Server 4.2. I can restrict in privilege mode but global config is wide open. Also any command i block in privilege mode can still be executed in global config using the "do" command. How do i block that, or find out what commands the router is sending to the ACS.
-
ACS 5.1 command authorization in config mode
Hello all,
I have setup an ACS 5.1 system and a Cisco 3560 as test device. On the ACS system I have defined a user that will have limited access to Cisco CLI commands (privilege 15 through Shell Profile and limited commands through Command Sets). While this is working great for commands run under enable mode (meaning that the authorization denied the commands that I've specified in the Command Sets), it seems that it's not working under configure mode (e.g. I have denied commands like "router ospf" , "router bgp" , but the user can still apply them).
Before I've search this forum and found 2 posts:
https://supportforums.cisco.com/thread/2041611
https://supportforums.cisco.com/message/3057298
that suggest to have the AAA configured with:
aaa authorization config-commands
I already have this command and it still doesn't work. Actually my entire AAA config looks like this:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
Did I miss something? Do you have any suggestion for me?
Thank you!
Calincan you run a "debug aaa authorization" to see what happens?
-
ACS SE - Shell Command Authorization
Hi Sir,
I have deployed an ACS Solution Engine 4.1(1) Build 23 to provide AAA services for routers/switches login.
I'd like to create a user group that is restricted to only "show" commands when the users log in to the network devices.
I have done the following steps:
(1) Shared Profile Components -> Shell Command Authorization Sets
Added a new set. Call it NOC. I added the command "show". For "Unmatched Commands", I selected Deny. I also checked "Permit Unmatched Args".
(2) Group Setup.
Created a new group. Call it NOC. For Enable Options, I selected "Max Privilege for any AAA Client" value of "Level 7".
For TACACS+ Settings, I checked "Shell (exec)" and set "Privilege level" to 7.
For Shell Command Authorization Set, I selected NOC for "Assign a Shell Command Authorization Set for any network device".
(3) User Setup.
Created a new user. Call it noc. Assign it to group NOC. All parameters point to group setting.
(4) The AAA commands on the routers/switches are as follows:
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
ip tacacs source-interface Loopback0
tacacs-server host 10.10.10.10 key 0 tacacskey
When the noc logs in, he's given privilege level 7. True, he's limited to only "show" commands. He can't do "config t". However, he also can't do "show run". Is it normal? I'd need him to be able to do "show run". How to configure the ACS?
Thank you.
B.Rgds,
Lim TSHi Narayan,
Appreciate your detailed configuration steps.
My intention is to create a shell command authorization set that allows a user group to only perform "show" commands, including complete config of "sh run". This group is not allowed to configure anything.
See my original post for my configuration steps. I tied the group to the above authorization set and assigned it Level 7.
The outcome is, the user can do all "show" commands except "sh run". Of course, he is not authorized for configuration commands.
I came across the following link:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
Perhaps it explains the problem here. If I understand it correctly, a user can't see in the output of "sh run" what he can't configure at his privilege level or below.
The same issue happens when I configured the following:
no aaa new-model
username noc privilege 7 password test
privilege exec level 7 show
line vty 0 4
login local
The user "noc" can't do "sh run".
Thank you.
B.Rgds,
Lim TS -
How to enable "Shell Command Authorization Sets"
Hi there
I use aaa over tacacs to verfiy user from ms active directory.
I configured a new "Shell Command Authorization Set" see the attachment for details.
But this does not work. So I just want to test whether the use of a command is working or not.
You can see in the attached file I tried something with "show" command.
But if I login I'm still able to use "show aaa servers" for example but in the "show" commandbox I putted the agrument "deny aaa" inside.
Why does this not work?
Thanx for help
bbHi BB,
This is what you need on IOS device,
Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
On acs bring users/groups in at level 15
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field
Rest all seems to be ok.
~JG
Please rate if that helps -
Command Authorization Set Show Run Permissions Only
Hi All,
I am trying to set up aaa authorization using Cisco ACS 4.2 so that my Helpdesk Users have the ability to do show commands only.
I have followed the instructions from http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
and this doesn't work as intended.
I have followed the document to a tee but when I log in with my test2 user account it gives me user mode access only (> prompt) instead of Priv Exec (# prompt) but with only show command privileges! I guess this is because I am specifying level 1 access but that's what the doc says to do.......
My config is as follows:
Cisco 2811 Router
aaa new-model
aaa authentication login defaut group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common
ACS 4.2 Config
Shell Command Authorization Set: Name = ReadOnlyAccess - Unmatched commands set to Deny, with the show command configured in the box below and I have checked the Permit Unmatched Args check box next to it
User: Test2 in UserGroup: ReadOnlyGroup with Enable options - Max Priv for any AAA Client: Level 1, TACACS+ - Shell (exec) box checked and Priv level checked and set to 1
Shell Command Authorisation Set - Assign a Shell Command Authorization Set for any network Device radio button selected specifying ReadOnlyAccess as the Command authorisation set to apply.
Thanks in advance
DavidAll,
I have resolved this issue by giving my Test2 User account Priv 15 access and then specifying the commands that can be permitted within the command authorisation set applied to all devices, which is the way I thought it should be done in the first place -
Wildcard mask in Shell Command Authorization Set?
Under Shared Profile Components/Shell Command Authorization Sets in ACS, is it possible to enter a wildcard for further arguments.
For example, say you want to permit show cam [+ all arguments], is it possible to configure show, then 'permit cam *' as the argument?
ThanksSure. Just tested this on my ACS 3.2 server with the following config:
AAA client:
aaa new-model
aaa authentication login default tacacs
aaa authorization commands 1 default group tacacs
ACS Shell Command Set:
Unmatched Commands = Deny
Command = show
Permit unmatched args = no
args = permit ip *
This then allows me to do "sho ip int brief" and "sho ip http server all" to name a couple, but doesn't allow me to do "sho ver".
Hope that helps.
Maybe you are looking for
-
Can't PXE boot a Surface Pro 3 after already successfully imaging it
hey guys. To try to eliminate a lot of the initial question that come up with this issue, I figure I will start with established info. Our SCCM environment is healthy, and all images, drivers and apps are distributed to all of our DP's. We can image
-
Indent doesn't work correctly in Pages
I am updating a 35 page manual, using various section headers, subheaders, lists, etc. The original doc was created in Pages 3, updated to P5.1. There are sections where an indent has been applied and all the text is moved to the right by some dista
-
Bug Database for Sun ONE Studio 8
Is there an online bug database for the Sun ONE Studio 8 Compiler Collection, like there is for all of the Java related tools? I know we have product support, but I don't want to go through the overhead of 4 or 5 layers of people to report a minor pr
-
How to change data usage for email?
Is there a way to change the email settings from Push to Pull, and also email advance settings as far as deleting emails from the servers? In the current email settings the data is set to Automatic (push) without being able to change it. Any suggesti
-
Set default screen parameters in PCH report
Hi.. I have a requirement where i have developed a custom hr report using PCH LDB. The Reporting period on the selection screen defaults to All but i want to default it to Today. Please help. Regards, Riya.