ACS command Authorization on PIX Console

Similar Messages

• Cisco ACS command authorization sets

  I need help on the following please.
  1. - I am using ACS as TACACS server to control IOS authorization on all our Switches, However I can not deny telnet sessions to other devices from within CatOS - does anyone know the command authorization set to deny this within ACS ????
  2. Does anyone know where I can read up on command authorizations sets for ACS ??
  3. What is the debug command for CatOS to see cli output ?
  Many thanks
  Rod

  Thanks for your info. I have solved my problem -
  1. I enabled tacacs administration logging using command on switch aaa authorization commands 15 default group tacacs+
  This let me see what what happening everytime I entered a command on CatOS - via the logging monitor on ACS. From here i was able to see that when i was trying to telnet to a device from CatOS it was doing it on Privilage mode 1. I then entered this command aaa authorization commands 1 default group tacacs+ which solved my telnet problem.
  Problem resolved.
  Many thanks.

• ACS command authorization - deny CatOS "set" commands

  Cisco Secure ACS 4.2
  I have a network support group that i just want to deny them the ability to use IOS and CatOS configuration commands.
  I noticed that the Per Group Command Authorization is applicable to only IOS-based commands. I applied it to deny "configure", but permit everything else.
  How do I go about setting this group up to deny set-based commands for the CatOS devices?

  Hi
  CatOS does TACACS+ right? Pretty sure it does. If it has a "shell/exec" service like IOS then ACS wont really care whether the command authorisation is IOS or CatOS - it doesnt have any specific command set knowledge. ie it uses string comparisons between what the device is requesting and what is permitted.
  However, if the command authorisations are totally different (between IOS and catos devices) you might need to place them into separate NDGs so that you can map an IOS NDG to an IOS device command set and vice versa.
  Hope that makes sense!

• ACS command authorization report in conf t mode

  Hi, this is probably a quick one, but I couldnt find a solution so far.
  We are using command authorization via ACS and are thus able to see (in case of any issues) who has entered which commands at which time on which device. But this only works until someone enters conf t mode. After that I am not getting log entries in the ACS (Version 5). I can see all show commands and who entered the configuration mode, but nothing after that. Config snippet:
  aaa new-model
  aaa authentication attempts login 5
  aaa authentication login default group tacacs+ local line enable
  aaa authentication enable default group tacacs+ enable
  aaa authorization exec default group tacacs+ local 
  aaa authorization commands 1 default group tacacs+ local 
  aaa authorization commands 15 default group tacacs+ local 
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 1 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  aaa session-id common
  My guess is that I allow all commands with that and thus no authorization is needed. 
  Any idea?
  Thanks
  Chris

• Problem - acs command authorization and web access control

  Hi, I'm trying to add the control of some aironet 1310 bridges with a ACS 3.2 (tacacs+). I wanted to be able to do telnet command authorization restrictions trough shell command authorization sets and be able to give similar restrictive web access at the same time. I have it working if I permit some commands that are sent by the browser as "write memory quiet" and few other ones, but for it to work, I must give them limited users the privilege level 15 and by having the tacacs server authorizing the commands, it work for both, http and telnet. Where my problem begin is when I loose the connection with the ACS server, the user being already authenticated as level 15 user, the device become open to all commands; there is no more restriction applied by the ACS. Do anybody now a workaround.

  It is already at local, that is just that the user already have a level 15 access and I used to control the commands through level settings before. So when I try it, my user that is localy level 5 is already recognized as a level 15 user from when it was authenticated through the ACS. If I could find a way to give web access to the 1310 at priv level 5 and still controlling the command set, it would be ok but as soon as I try to access a page that is not permitted other way than by the view level (i think it's level 1... or 0), I get a username password prompt with that line on the top of it:"level_15_or_view_access" and the only way I can access it is by entering a level 15 un/pass. I attached my 1310 aaa config
  and here are the command set that work at level 15 to do a "shut" or "no shut" of the radio interface by the web interface:
  configure
  permit terminal
  exit
  permit Unmatched Args
  interface
  permit Dot11Radio0
  no
  permit shutdown
  permit cca
  ping
  permit Unmatched Args
  show
  permit Unmatched Args
  shutdown
  permit Unmatched Args
  telnet
  permit Unmatched Args
  write
  permit memory quiet
  Thanks for the help !

• Command Authorization on ACS

  Hi Guys,
  its like I want to have only single user ID (Could be AD account or ACS local account) & want this user account should have level 1 access on some switches,routers & have rights to run specific commands on Core devices,firewall & should have level 15 on access devices.
  So I want to use only one user account & want to have different level of Access & specific command authorization through ACS.
  please help me on this.
  Thanks

  Hi ,
  The trick here is to give Priv 15 access to the user is question and then deploy command authorization , so that user can only execute some specific commands.
  http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/spc.htm#wp697557
  Pix command,
  username Test password cisco
  username Test privilege 15
  aaa-server TACACS protocol tacacs+
  aaa-server TACACS (outside) host 10.130.102.191 cisco timeout 10
  aaa authentication http console TACACS LOCAL
  aaa authentication ssh console TACACS LOCAL
  aaa authentication telnet console TACACS LOCAL
  aaa authentication enable console TACACS LOCAL
  aaa authorization command TACACS LOCAL <--------- NEEDED FOR COMMAND AUTHORIZATION ON PIX
  Regards,
  ~JG
  Please rate if that helps !

• Pix command authorization problem

  help required
  i am trying to configure pix firewall command authorization using cisco
  secure acs 4.2 and a pix 515 running 7.0(5) but have run into a problem
  i cant get it to work!
  i have included the pix firewall configuration below and have included
  screen shots of the acs configuration as attachments
  as you can see i can authenticate ok but that is as far as i can go
  as soon as i try and use the enable command authorization fails
  i cant even enter a password
  i have created two shell command authorization sets
  one called admins which is configured to allow all commands
  and one called restricted which restrics me to only a few commands
  if i apply the admins authorization set to the group where the user
  resides i can authenticate and authorize and i have access to all
  commands but if i apply the restrictd authorization set i get the
  problem depicted below
  i would appreciate it if someone could take a look and give me
  some pointers as to where i am going wrong
  regards
  melvyn brown
  interface ethernet0
  nameif outside
  ip address 110.1.1.1 255.255.255.0
  speed 100
  duplex full
  no shut
  interface ethernet1
  nameif inside
  ip address 192.168.8.2 255.255.255.0
  speed 100
  duplex full
  no shut
  route inside 192.168.7.0 255.255.255.0 192.168.8.1
  route inside 192.168.3.0 255.255.255.0 192.168.8.1
  aaa-server ACS1 protocol tacacs+
  aaa-server ACS1 host 192.168.7.2
  key cisco123
  domain-name acme.com
  crypto key generate rsa modulus 1024
  telnet 192.168.3.2 255.255.255.255 inside
  ssh 192.168.3.2 255.255.255.255 inside
  aaa authentication enable console ACS1
  aaa authentication serial console ACS1
  aaa authentication ssh console ACS1
  aaa authentication telnet console ACS1
  aaa authorization command ACS1
  Username: fred
  Password: **********
  Type help or '?' for a list of available commands.
  pixfirewall> en
  Command authorization failed
  pixfirewall> ?
    clear   Reset functions
    enable  Turn on privileged commands
    exit    Exit from the EXEC
    help    Interactive help for commands
    login   Log in as a particular user
    logout  Exit from the EXEC
    ping    Send echo messages
    quit    Exit from the EXEC
    show    Show running system information

  Fixed it. It was one of those ID10T type errors. The user I was testing against was in in group1 on the ACS. Trouble is I was adding command authorizations to group0. Duh!

• Command Authotization on Pix 6.3 and ACS v3.3

  Hi,
  I am researching on how to enable command authorization on a pix firewall software v6.3 through an ACS v3.3.
  I only have a production unit so i am very cautious on doing test configuration on the firewall. I might get locked-up and kicked in the butt. =)
  Inputs on the step-by-step configuration of ACS and pix would be greatly appreciated.
  Thanks in advance!
  Jonathan

  Hi
  On the ACS side, the config you choose very much depends on the scale of your deployment.
  If you have one or two users, you can define per-user command authorisation within ACS.
  If you have many users, you should do this at group level.
  Moving on, if you have many devices you can look at creating pixshell command sets and grouping the devices into Network Device Groups (NDGs). Within each group you then map from NDGs to command sets.
  This gives the functionality of an RBAC (Role Based Access Control) server. Where a member of a group has a certain role with associated rights based on what NDG being configured.
  You may also want to use NARs to prevent certain admins even being able to logon to the device.
  So the first job is to scope your deployment and figure out what level of config (and hence complexity) is required in ACS.
  Then get a copy of extraxi aaa-reports! to audit your ACS logs :)
  Darran

• Specific shell command authorization - ACS/TACACS+ on 2900XL

  Hello all -
  I've been struggling with one particular issue here. I'm running ACS 3.2, and trying to set up secure access to my switches. I have "grad students" from my university that I want to allow to perform specific functions, i.e. change a port's vlan, and write to memory, etc.
  I successfully set up the authorization piece, and my test account can log in. I successfully assign a privilege level of 7 also, which gives me basic look rights by default. Accounting is also working, showing the connections and commands I enter.
  What I want to do is use ACS to enable a specific group of commands, so I can change them if needed in one place (ACS) and not have to touch 400+ devices. ACS says it can do it, but it doesn't seem to work. I created a Shell Command Group and specififed the commands, no luck. Even if I modify the "Unmatched commands" toggle to "permit" (which should allow any commands, right?) it still doesn't allow any commands. I added the Shell Command group to the group the students are members of...
  My AAA commands are as follows:
  aaa new-model
  aaa authentication login default local group tacacs+
  aaa authorization exec default local group tacacs+
  aaa authorization commands 7 default group tacacs+
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 7 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  aaa accounting system default start-stop group tacacs+
  Any ideas? Any thoughts?
  Thanks!
  Michael
  QU.edu

  Hey Steve -
  I tried your recommendation, and it works, kinda. When I turn on that command, after authentication, I get dropped in at Privlege 15 and have full access to commands.
  Unfortunately, this is different than the telnet access in a key way; when I telnet in, I get Priv-15, but I'm restricted on commands I can do based upon ACS authorization of specific commands. When I console in, I have full access to all commands, with no restrictions.
  Additionally, my console access has two level security, with a login password (to Priv-1) and an enable password (to Priv-15). When I use the "Privilege level 15" command, it bypasses the enable password for the local accounts and allows full access with just the login password.
  Maybe I'm asking for too much. (And I appreciate your patience with me!) What I want on the console port is this:
  1. A username prompt
  - this is fine
  2. A password prompt
  - this is fine also
  3. User name & PW are authenticated against ACS
  - this works
  4. If user is a valid ACS user, they should receive Priv-15 rights and be restricted by the commands they are authenticated to use in ACS
  - this does not work. They only receive Priv-15 if I use "privilege level 15", but they are not restricted at all to certain commands. (They _are_ restricted under telnet however.)
  5. If a user is not a valid ACS but a local account exists, the user gets dumped to a Priv-1 prompt, and must enter the enable to get to Priv-15. (This also is how it works under telnet.)
  Sorry if this really confusing, it's difficult to explain in a forum. I'm basically looking for the same behavior from a console connection as from a telnet connection; I'm not sure why it's so difficult to do...
  Michael

• Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets

  Hello All,
  I am trying to create a user so that I can provide him only to run commands that I have designated them to run within my "Shell Command Authorization Set". This seems to work great, however I cannot find anywhere I can "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option to only display commands the user has access to in ACS.
  My Steps:
  Created a user in ACS
  Shared Profile Components
  Create Shell command Autorization Set - "ReadOnly"
  Unmatched Commands - Deny
  Unchecked - Permit Unmatched Arg
  Commands Added
  permit interface
  permit vlan
  permit snmp contact
  permit power inline
  permit version
  permit switch
  permit controllers utilization
  permit env all
  permit snmp location
  permit ip http server status
  permit logging
  Created a group - "GroupTest" with the following
  Confirgured - Network Access Restrictions (NAR)
  Max Sessions - Unlimited
  Enable Options - No Enable Privilege
  TACACS+ Settings
  Shell (exec)
  Priviledge level is check with 1 as the assigned level
  Shell Command Authorization Set
  "ReadOnly" - Assign a Shell Command Authorization Set for any network device
  I have configured following on my Router/Switch
  aaa authorization config-commands
  aaa authorization commands 1 default group tacacs+ if-authenticated
  privilege exec level 1 show log
  I have attached below the documention I have gone over.
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624

  "you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
  Correct me if I am wrong."
  Regards
  Vamsi

• Command Authorization Config best practice using ACS

  Hi
  Is there any best practices for configuring Command authorization (for router/switch/asa) in CS-ACS? To be specific, is there any best practices to configure authorization for a set of commands allowed for L1,L2,L3 support levels?
  Regards
  V Vinodh.

  Vinodh,
  The main thing here is to ensure that we have backup/fall-back method configured for command authorization, inorder to avoid lockout situation or do wr mem once you are sure configs are working fine.
  Please check this link,
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  Regards,
  ~JG
  Do rate helpful posts

• ACS - Shell Command Authorization Sets

  Hi,
  I have had a problem where a set of users in two groups in ACS are struggling entering commands.  The commands are set in the Shell Command Authorization Sets and this hasnt changed.  Other commands are working.  As this is spanning two groups in ACS I am thinking it's not something with the groups but the command sets itself.
  Just to check, the commands are 'clear port-security' and clear mac address-table' - I have entered in Command 'clear' and the following attributes;
  permit port-security
  permit mac address-table'
  I've also ticked 'Permit unmatched args'
  At the same time as this is occuring I have been recieving the following messages from the ACS server via email;
  Test Timed out for service: CSAdmin
  Test Timed out for service: CSAuth
  Test Timed out for service: CSDbSync
  Test Timed out for service: CSLog
  I have looked at other posts and have restarted CSMon.  This then stops the messages for some time, then a day or so later I get the messages again.
  Could this be tied in with the command issue?  Is there something else I should look at other than restarting the server and the CSMon service again?  All other CS' services are running.
  Thanks!!
  Steve

  Thanks for your reply!
  there are no errors, the switch ios is putting the asterics as it does when you enter a command that is not recognised, i.e. for clear port-security the port-security onwards is not recognised.  On this note, the user is entered into priviledge mode and not in configure terminal mode, just base priviledge mode.  The group in ACS is set to max priviledge level 7 and have also set this on the user account in addition.
  I am using ACS v 4.1.
  While I receive the service messages and also when they go away - I always have the authorisation problem.
  Thanks
  Steve

• Command Authorization in ACS

  Hi,
  Can anybody tell me how can I permit only ping command to a group in ACS. What is the actual statement that I want to add in command authorization sets.

  Hi Prem,
  Can you let me know how can i restrict a group from adding a route. I have the following configured on the ACS under shell authorization
  configure ......permit terminal
  interface ......permit fastethernet (permit Unmatched arg)
  show............permit vlan
  switchport......permit access &
  permit vlan
  With the above configuration iam still able to add a route to the config
  Also i would like to know the wildcard to be used for enabling all the fastethernet or Ge ports
  thanks in advance
  Narayan

• Command Authorization in ACS 5.0

  Hi,
  Can anybody route me to configuration example for command authorization in routers or switches or firewall for ACS 5.0.
  OR
  USER-A should be placed in privilege level 2 and given access to all debug commands and the undebug all command.
  Assigned specified commands to level 2
  privilege exec level 2 undebug all
  privilege exec all level 2 debug
  The commands what i applied on routers are above.How i can set a privilege level of 2 on user in ACS 5.0.??????
  Also if i want to do shell command authorization set,how can i do it in ACS 5.0
       Thanks,

  You need to create a shell profile to assign the desired privilege level, and a command set to authorize specific commands, then associate those two with the authorization policy that applies to those users.

• IOS XR Command authorization with ACS server

  We have a newly implemented ASR 9010 and are trying to figure out how to best configure it with TACACS, as it is slightly different than IOS.
  In ACS, we have two groups: Group 1 and Group 2
  Group 1 allows full access in the shell command authorization set.
  Group 2 allows limited access in the shell command set (basically just show commands).
  Both groups can login fine (aaa authentication login default group <groupname> local)
  Group 1 has full access to everything (group I am in). 
  Group 2 has NO access to anything (can't even perform show commands).
  Group 2 CAN access other IOS devices and can perform the various show commands.
  With regards to our authorization commands, we currently have it configured as:
  aaa authorization commands default group <groupname> local
  Why is it working for the one group, but not the other?  I've read how IOS XR uses task Ids and other various things that I'm unfamiliar with.  I'm mainly curious if I have to use those, if the authorized commands are configured in ACS.
  Thanks!
  Kyle

  dont have enough info to give you a full conclusive answer Kyle, but some suspicions.
  Task group not set right?
  Command groups not defined properly in tacacs for command author.
  if you only want show access, you can just use the task groups in XR with a read permission on any command for instance. no direct need to send every command down to tacacs (hate that slowness )
  More info here:
  https://supportforums.cisco.com/docs/DOC-15944
  xander