ACS command privileges
Hi all,
We are using ACS version 5.3.0.40 (NAME: "CSACS-1121-K9 chassis", DESCR: "CSACS-1121-K9").
We have different access groups of users, and we want one of them to be able to access the devices in a location and use all commands that do not need privileged mode (everything before enable).
This way: Policy Elements > Authorization and Permissions > Device Administration > Command Sets:
We created a command set to permit:
telne*
ssh*
show*
Regards,
Mauro Silva
Hi Lopez, we don't know how to do what we explained above.
Right now we are only using these commands:
telne*
ssh*
show*
Regards,
Mauro Silva
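An added example, not code from this thread or from Cisco ACS: a small Python model of how a TACACS+ server evaluates a command set like the one above. The device sends the first word of the line as the command and the rest as its arguments; rows are tried in order; Deny Always wins over any permit; an unmatched command gets the set's default. The wildcard-in-command, regex-in-arguments and Deny Always semantics are assumptions modelled on the ACS 5.x command-set form, and the names `Rule`, `CommandSet` and `authorize` are mine. It also shows why row order matters: with `show*` alone, `show running-config` (keys and password hashes) is permitted as well, so a deny row placed ahead of it is worth having.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not code from the original thread or from Cisco ACS.
# Models a TACACS+ command-set decision: the NAS sends the first token of
# the line as the command and the remainder as its arguments; rows are
# tried in order; "Deny Always" beats everything; an unmatched command gets
# the set's default. Wildcards in the command field, a regular expression
# in the argument field and Deny Always precedence are assumptions drawn
# from the ACS 5.x command-set form, not verified against the product.

PERMIT, DENY, DENY_ALWAYS = "permit", "deny", "deny_always"


@dataclass
class Rule:
    grant: str           # PERMIT, DENY or DENY_ALWAYS
    command: str         # case-insensitive; '*' matches any run, '?' one char
    arguments: str = ""  # regex searched in the argument string; "" matches all


@dataclass
class CommandSet:
    rules: List[Rule]
    permit_unmatched: bool = False  # "Permit any command that is not in the table"


def _wildcard_to_regex(pattern: str) -> "re.Pattern":
    out = []
    for ch in pattern:
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def split_command(line: str) -> Tuple[str, str]:
    """Split a CLI line the way a NAS does for TACACS+: cmd and cmd-arg."""
    tokens = line.strip().split()
    if not tokens:
        return "", ""
    return tokens[0], " ".join(tokens[1:])


def _rule_matches(rule: Rule, cmd: str, args: str) -> bool:
    if not _wildcard_to_regex(rule.command).match(cmd):
        return False
    if rule.arguments == "":
        return True
    return re.search(rule.arguments, args, re.IGNORECASE) is not None


def authorize(cmdset: CommandSet, line: str) -> Tuple[str, Optional[Rule]]:
    """Return ('permit'|'deny', rule that decided or None) for one command line."""
    cmd, args = split_command(line)
    matches = [r for r in cmdset.rules if _rule_matches(r, cmd, args)]
    for r in matches:
        if r.grant == DENY_ALWAYS:        # Deny Always overrides any permit row
            return DENY, r
    if matches:                           # otherwise the first matching row decides
        first = matches[0]
        return (PERMIT if first.grant == PERMIT else DENY), first
    return (PERMIT if cmdset.permit_unmatched else DENY), None


# The set from the thread: permit telne*, ssh*, show* and nothing else.
READ_ONLY = CommandSet([Rule(PERMIT, "telne*"), Rule(PERMIT, "ssh*"), Rule(PERMIT, "show*")])

# Same intent, but a Deny Always row ahead of 'show*' keeps the running
# configuration (which carries keys and password hashes) out of reach.
READ_ONLY_NO_CONFIG = CommandSet([
    Rule(DENY_ALWAYS, "show", r"^(run|running-config)"),
    Rule(PERMIT, "telne*"), Rule(PERMIT, "ssh*"), Rule(PERMIT, "show*"),
])

if __name__ == "__main__":
    for line in ["show version", "show running-config", "ssh 10.0.0.1", "enable", "configure terminal"]:
        a, b = authorize(READ_ONLY, line)[0], authorize(READ_ONLY_NO_CONFIG, line)[0]
        print(f"{line:22s} read-only: {a:6s}  read-only-no-config: {b}")
```

The command set only decides what to answer when the device asks about a command. The privilege level a session starts at, and so whether the user ever reaches enable, comes from the Shell Profile in the ACS 5.x authorization rule, not from the command set; and `telne*`/`ssh*` with no argument restriction let the operator open connections from the device to any host it can reach.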
Similar Messages
-
ACS command Authorization on PIX Console
I have configured the PIX firewall for ACS authentication and command authorization, and everything is working fine:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 172.28.x.x x.x.x
aaa-server TACACS+ (inside) host 172.28.x. xx
aaa authentication ssh console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+
But the problem is that I don't want to have ACS authentication when connecting via the console. In case of emergency, when
ACS is down, I want to get on the console and access the device using a local username and password.
But now, after this configuration, when I try to access the firewall via the console I get the error
"command authorization failed".
I don't want any command authorization while connected via the console. Please tell me how to resolve this issue.
I have made the command authorization set in ACS and it is working fine for me. Kindly check my modified configuration once again.
I wanted to use this option so that, in case ACS goes down, I can console into my firewall, but it is not working for me.
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (edn) host 172.28.31.132
aaa-server TACACS+ (edn) host 172.28.31.133
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+
But I am not able to log in; I am getting the following error:
Command authorization failed
TDC-INT-525-01> exit
Command authorization failed
TDC-INT-525-01> exit
Command authorization failed
TDC-INT-525-01> enable
Command authorization failed
I also defined the local command authorization set like this:
privilege cmd level 15 mode exec command exit
privilege show level 5 mode exec command running-config
privilege show level 15 mode exec command version
privilege show level 0 mode exec command access-list
privilege show level 0 mode configure command access-list
privilege cmd level 15 mode configure command exit
privilege cmd level 15 mode configure command no
privilege cmd level 0 mode configure command access-list
privilege cmd level 15 mode interface command exit
privilege cmd level 15 mode subinterface command exit
privilege cmd level 15 mode dynupd-method command exit
privilege cmd level 15 mode trange command exit
privilege cmd level 15 mode route-map command exit
privilege cmd level 15 mode router command exit
privilege cmd level 15 mode ldap command exit
privilege cmd level 15 mode aaa-server-host command exit
privilege cmd level 15 mode aaa-server-group command exit
privilege cmd level 15 mode context command exit
privilege cmd level 15 mode group-policy command exit
privilege cmd level 15 mode username command exit
privilege cmd level 15 mode tunnel-group-general command exit
privilege cmd level 15 mode tunnel-group-ipsec command exit
privilege cmd level 15 mode tunnel-group-ppp command exit
privilege cmd level 15 mode mpf-class-map command exit
privilege cmd level 15 mode mpf-policy-map command exit
privilege cmd level 15 mode mpf-policy-map-class command exit
privilege cmd level 15 mode mpf-policy-map-class command exit
privilege cmd level 15 mode mpf-policy-map-param command exit
Please tell me how to solve this problem.
-
ACS command line login
Hi,
I have a superadmin account in ACS.
With this account I am able to log in to the GUI, but not to the CLI.
What could be the problem?
Hello Tony,
The ACS GUI administrator accounts and CLI administrator accounts are different. You cannot log in to the CLI with GUI accounts.
You need to use CLI-created accounts to access the ACS command line. You should have created one when first installing ACS 5.x.
If this was helpful, please rate.
-
Problem - ACS command authorization and web access control
Hi, I'm trying to add control of some Aironet 1310 bridges with an ACS 3.2 (TACACS+). I wanted to be able to apply telnet command authorization restrictions through shell command authorization sets and to give similarly restrictive web access at the same time. I have it working if I permit some commands that are sent by the browser, such as "write memory quiet" and a few others, but for it to work I must give the limited users privilege level 15, and with the TACACS server authorizing the commands it works for both HTTP and telnet. Where my problem begins is when I lose the connection with the ACS server: the user, already authenticated as a level 15 user, finds the device open to all commands; there is no more restriction applied by the ACS. Does anybody know a workaround?
It is already at local; it is just that the user already has level 15 access, and I used to control the commands through level settings before. So when I try it, my user that is locally level 5 is already recognized as a level 15 user from when it was authenticated through the ACS. If I could find a way to give web access to the 1310 at privilege level 5 and still control the command set, it would be OK, but as soon as I try to access a page that is not permitted other than by the view level (I think it's level 1... or 0), I get a username/password prompt with this line at the top of it: "level_15_or_view_access", and the only way I can access it is by entering a level 15 username/password. I attached my 1310 AAA config.
And here is the command set that works at level 15 to do a "shut" or "no shut" of the radio interface via the web interface:
configure
permit terminal
exit
permit Unmatched Args
interface
permit Dot11Radio0
no
permit shutdown
permit cca
ping
permit Unmatched Args
show
permit Unmatched Args
shutdown
permit Unmatched Args
telnet
permit Unmatched Args
write
permit memory quiet
Thanks for the help!
-
Hello,
If my form does a host('cmd /c dir > d:\output.txt') I get the resulting listing on my application server, but if I do a host('cmd /c net send myhost ping > d:\output.txt') I get an output.txt of size 0 and no message is sent. I have tried sending the message manually from the appserver and it works fine.
Are there some restrictions on executing commands through the host command (the appserver processes run with administrator privileges, so that shouldn't be a problem)? If there are restrictions, what would be the best way to get around them (wrappers etc.)?
Thanks in advance,
Nik
If it is a problem with privileges, you can try the CPAU program (http://www.joeware.net/win32/) to run a command with the privileges of a specified user.
-
Cisco ACS command authorization sets
I need help on the following, please.
1. I am using ACS as a TACACS server to control IOS authorization on all our switches. However, I cannot deny telnet sessions to other devices from within CatOS. Does anyone know the command authorization set to deny this within ACS?
2. Does anyone know where I can read up on command authorization sets for ACS?
3. What is the debug command for CatOS to see CLI output?
Many thanks
Rod
Thanks for your info. I have solved my problem:
1. I enabled TACACS administration logging using this command on the switch: aaa authorization commands 15 default group tacacs+
This let me see what was happening every time I entered a command on CatOS, via the logging monitor on ACS. From here I was able to see that when I was trying to telnet to a device from CatOS it was doing it at privilege level 1. I then entered this command: aaa authorization commands 1 default group tacacs+, which solved my telnet problem.
Problem resolved.
Many thanks.
-
ACS command authorization - deny CatOS "set" commands
Cisco Secure ACS 4.2
I have a network support group that I just want to deny the ability to use IOS and CatOS configuration commands.
I noticed that the per-group command authorization is applicable only to IOS-based commands. I applied it to deny "configure" but permit everything else.
How do I go about setting this group up to deny set-based commands for the CatOS devices?
Hi,
CatOS does TACACS+, right? Pretty sure it does. If it has a "shell/exec" service like IOS, then ACS won't really care whether the command authorisation is IOS or CatOS; it doesn't have any specific command set knowledge, i.e. it uses string comparisons between what the device is requesting and what is permitted.
However, if the command authorisations are totally different (between IOS and CatOS devices) you might need to place them into separate NDGs so that you can map an IOS NDG to an IOS device command set and vice versa.
Hope that makes sense!
-
ACS command authorization report in conf t mode
Hi, this is probably a quick one, but I couldn't find a solution so far.
We are using command authorization via ACS and are thus able to see (in case of any issues) who entered which commands at which time on which device. But this only works until someone enters conf t mode. After that I am not getting log entries in ACS (version 5). I can see all show commands and who entered configuration mode, but nothing after that. Config snippet:
aaa new-model
aaa authentication attempts login 5
aaa authentication login default group tacacs+ local line enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
My guess is that I allow all commands with that, and thus no authorization is needed.
Any idea?
Thanks
Chris
-
Enabling Privilege Levels when ACS is Down
Hi,
I have a requirement to fall back to local accounts when ACS is down. These accounts will have specific privilege levels. I have two local users - adminro and adminrw.
adminro is read only and will have a privilege level of 7.
adminrw is a full access account with a priv level of 15.
I can log in with adminro when ACS is down, but when I attempt to enable using "enable 7" I receive the following output:
PPD-ELPUF5/pri/act> en 7
Enabling to privilege levels is not allowed when configured for
AAA authentication. Use 'enable' only.
If I log in using "enable", my read-only account now has full configuration access, which is not desirable.
My AAA configuration is as follows:
aaa authentication ssh console ADMIN LOCAL
aaa authentication enable console ADMIN LOCAL
aaa authentication http console ADMIN LOCAL
aaa authentication telnet console ADMIN LOCAL
aaa authentication serial console ADMIN LOCAL
aaa authorization command ADMIN LOCAL
aaa accounting ssh console ADMIN
aaa accounting command privilege 15 ADMIN
aaa accounting enable console ADMIN
aaa accounting serial console ADMIN
aaa accounting telnet console ADMIN
aaa authorization exec authentication-server
username adminro password <REMOVED> encrypted privilege 7
username adminrw password <REMOVED> encrypted privilege 15
enable password <REMOVED> level 7 encrypted
enable password <REMOVED> encrypted
Is there any way to enable the user or automatically elevate the user to privilege 7 post-login, like you can with a router? I cannot have the adminro account able to run configuration commands on the device. Running ASA version 8.2(3).
Thanks!
PPD-ELPUF5/pri/act# sh curpriv
Username : adminro
Current privilege level : 7
Current Mode/s : P_PRIV
Server Group: ADMIN
Server Protocol: tacacs+
Server Address: 1.150.1.80
Server port: 49
Server status: FAILED, Server disabled at 15:02:37 EDT Wed Oct 12 2011
Number of pending requests 0
Average round trip time 2ms
Number of authentication requests 38
Number of authorization requests 373
Number of accounting requests 149
Number of retransmissions 0
Number of accepts 307
Number of rejects 19
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 234
Number of unrecognized responses 0
PPD-ELPUF5/pri/act(config)# name 1.1.1.1 TEST description TEST CHANGE
PPD-ELPUF5/pri/act(config)# sh run name
name 1.1.1.1 TEST description TEST CHANGE
As you can see above, my user was able to perform a change even though it should not be allowed.
PPD-ELPUF5/pri/act(config)# sh run privilege
privilege cmd level 7 mode exec command show
privilege cmd level 7 mode exec command ping
privilege cmd level 7 mode exec command traceroute
-
ACS 5.1 command authorization in config mode
Hello all,
I have set up an ACS 5.1 system and a Cisco 3560 as a test device. On the ACS system I have defined a user that will have limited access to Cisco CLI commands (privilege 15 through a Shell Profile and limited commands through Command Sets). While this is working great for commands run under enable mode (meaning that the authorization denies the commands that I've specified in the Command Sets), it seems that it's not working under configure mode (e.g. I have denied commands like "router ospf" and "router bgp", but the user can still apply them).
Before this I searched this forum and found 2 posts:
https://supportforums.cisco.com/thread/2041611
https://supportforums.cisco.com/message/3057298
that suggest having the AAA configured with:
aaa authorization config-commands
I already have this command and it still doesn't work. Actually, my entire AAA config looks like this:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
Did I miss something? Do you have any suggestion for me?
Thank you!
Calin
Can you run a "debug aaa authorization" to see what happens?
-
Enable aaa accounting commands for all privilege levels?
Here is the command's syntax:
aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group groupname
The "command" accounting type must include the privilege level of the commands you are logging. How do I log ALL commands?
Take the following example:
aaa accounting commands 15 default start-stop group mygroup
If I issue this command will that mean commands the user executes that have a privilege level lower than 15 will not be logged? Or only commands that require exactly privilege level 15 will be logged?
How can I log all commands regardless of privilege level?
Hi Red,
If you customize the command privilege level using the privilege command, you can limit which commands the appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.
The default privilege level is 0. So if you don't specify any privilege level then all should be accounted for.
You can find the command details at the link below. This is for ASA, though.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/a1.html#wp1535253
Regards,
Kanwal
Note: Please mark answers if they are helpful.
-
Hi,
I'd like to use this command:
privilege mode [all] level level command-string
But "all" is not present on my various routers and switches.
I use this IOS on my Catalyst 3550: c3550-ipservicesk9-mz.122-35.SE
Can anybody help me?
Best regards
Hi Jean,
Use privilege 15 instead of privilege all.
Regards
-
Question about usage of aaa accounting commands
Hi everyone,
I have the problem that Cisco routers and switches do not send some command accounting
information to ACS.
Accounting commands not sent to ACS are "show log" and "show version".
Accounting commands sent to ACS are "show run", "conf t" and "debug".
The configuration of the routers and switches is the following:
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host xxx.xxx.xxx.xxx key yyyy
I think the commands not sent to ACS are privilege level 1 commands and the commands
sent to ACS are privilege level 15 commands.
So I need the additional aaa accounting command below to get the routers and switches to send level 1
commands to ACS, because the "15" in "aaa accounting commands 15" does not include level 1,
so I need to configure "aaa accounting commands 1" for level 1 commands.
aaa accounting commands 1 default start-stop group tacacs+
Is my understanding correct?
Your information would be greatly appreciated.
Best regards,
Hi,
Please do this and the router will send
everything to the ACS server, except
whatever you are doing to the router over HTTP:
aaa new-model
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+
aaa session-id common
ip http authentication aaa login-authentication VTY
ip http authentication aaa exec-authorization VTY
tacacs-server host 192.168.15.10 key 7 1446405858517C
tacacs-server directed-request
line con 0
exec-timeout 0 0
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
logging synchronous
login authentication notac
line aux 0
session-timeout 35791
exec-timeout 35791 23
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication notac
transport input all
line vty 0
exec-timeout 0 0
authorization commands 0 VTY
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication VTY
David
CCIE Security
-
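An added example, not configuration or code from any of the posts above; it serves both the CatOS thread (telnet issued at privilege 1 never reached ACS) and this thread (level 1 show commands not accounted). It is a Python audit that reads an IOS or ASA AAA configuration and lists the commands that would never reach the TACACS+ server for authorization or accounting, given each command's privilege level. It encodes the distinction the threads turn on: on IOS, `aaa authorization commands N` and `aaa accounting commands N` cover exactly level N, so levels 0, 1 and 15 each need their own line; on ASA, `aaa authorization command` covers every command, and `aaa accounting command privilege N` covers level N and above, with N defaulting to 0. The function names, the sample configs and the command/privilege lists are mine and constructed (ASA defaults of level 0 for `show version` and `logout` and 15 for everything else; IOS defaults as listed); the audit does not check whether a named IOS method list is actually applied to the console or vty lines, and it does not model `aaa authorization config-commands`.

```python
import re
from typing import Dict, List, Set, Tuple

# Added example, not configuration or code from the original posts.
# Given an IOS or ASA AAA configuration and the privilege level each
# command runs at, report which commands produce no TACACS+ authorization
# or accounting request. Assumed level semantics (see the threads above):
#   IOS: 'aaa authorization commands N' / 'aaa accounting commands N'
#        cover exactly level N; a named method list counts as covering its
#        level (whether it is applied on the lines is not checked here).
#   ASA: 'aaa authorization command' covers every level;
#        'aaa accounting command privilege N' covers level N and above,
#        N defaulting to 0 when omitted.

IOS_AUTHZ = re.compile(r"^aaa authorization commands (\d+) \S+ group \S+", re.M)
IOS_ACCT = re.compile(r"^aaa accounting commands (\d+) \S+ (?:start-stop|stop-only) group \S+", re.M)
ASA_AUTHZ = re.compile(r"^aaa authorization command \S+", re.M)
ASA_ACCT = re.compile(r"^aaa accounting command (?:privilege (\d+) )?\S+", re.M)
ALL_LEVELS: Set[int] = set(range(16))


def covered_levels(config: str, platform: str) -> Dict[str, Set[int]]:
    """Privilege levels for which the config sends authorization / accounting."""
    if platform == "ios":
        return {
            "authorization": {int(n) for n in IOS_AUTHZ.findall(config)},
            "accounting": {int(n) for n in IOS_ACCT.findall(config)},
        }
    if platform == "asa":
        authz = set(ALL_LEVELS) if ASA_AUTHZ.search(config) else set()
        acct: Set[int] = set()
        for m in ASA_ACCT.finditer(config):
            minimum = int(m.group(1) or 0)          # 'privilege N' omitted -> 0
            acct |= {lvl for lvl in ALL_LEVELS if lvl >= minimum}
        return {"authorization": authz, "accounting": acct}
    raise ValueError(f"unknown platform {platform!r}")


def audit(config: str, platform: str, commands: List[Tuple[str, int]]) -> Dict[str, List[str]]:
    """For (command, level) pairs, list those the server would never be asked about
    (unauthorized) and those it would never see in accounting (unaccounted)."""
    cov = covered_levels(config, platform)
    return {
        "unauthorized": [c for c, lvl in commands if lvl not in cov["authorization"]],
        "unaccounted": [c for c, lvl in commands if lvl not in cov["accounting"]],
    }


# Constructed samples modelled on the configs quoted in the threads.
IOS_BEFORE = """\
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""
IOS_AFTER = IOS_BEFORE + """\
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
"""
ASA_BEFORE = "aaa authorization command TACACS+ LOCAL\naaa accounting command privilege 15 TACACS+\n"
ASA_AFTER = "aaa authorization command TACACS+ LOCAL\naaa accounting command TACACS+\n"

# Constructed command lists with each platform's default privilege level.
IOS_COMMANDS = [("logout", 0), ("show version", 1), ("show logging", 1), ("telnet 10.0.0.1", 1),
                ("configure terminal", 15), ("show running-config", 15), ("debug aaa authorization", 15)]
ASA_COMMANDS = [("show version", 0), ("logout", 0), ("configure terminal", 15), ("show running-config", 15)]

if __name__ == "__main__":
    for name, cfg, plat, cmds in [("IOS before", IOS_BEFORE, "ios", IOS_COMMANDS),
                                  ("IOS after", IOS_AFTER, "ios", IOS_COMMANDS),
                                  ("ASA before", ASA_BEFORE, "asa", ASA_COMMANDS),
                                  ("ASA after", ASA_AFTER, "asa", ASA_COMMANDS)]:
        print(name, audit(cfg, plat, cmds))
```

Run against the "before" IOS config, every level 0 and level 1 command (including `telnet`, the CatOS thread's problem) comes back in both lists; adding the level 0 and level 1 lines empties them. On the ASA the `privilege 15` accounting line leaves the level 0 commands unaccounted, and dropping the minimum (or setting `privilege 0`) covers them all.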
Dynamic User Group Role for ASA 8 ACS 4 External Windows DB
1. I've successfully got a Win2003 AD user to authenticate to the ASA via an ACS, but the default group settings the dynamic user becomes part of don't get transferred to the user. How do I get the user to adopt the group settings?
2. ASDM recommends enabling authentication for admin console sessions so you don't SSH into a box and then have to log in with the enable password, which isn't logged. When I check the box for this feature I can SSH to the ASA, but my password is denied by the ASA. How do I keep the user credentials all the way to privileged exec mode?
3. Back in the day I could configure the ACS shell, privilege 15, custom attributes cisco-av-pair "priv-lvl-15" to get a user to jump directly to privileged exec mode. This doesn't work now. Is there a different way to do this on ACS v4?
Thanks in advance,
Matt
Try this:
aaa authentication enable console
aaa authorization command
On ACS, go to the user or group that the user is in, go to enable options, click on "Max Privilege for any AAA client" and set it to "15". Then go to the "tacacs+" section, click on "Shell(exec)", click on "Privilege level" and enter 15. Then go to the "Shell command authorization set" and set the default to permit any commands not listed. This will get the user into privileged mode. On ASA/PIX it requires command authorization and authentication for enable console. On IOS it requires that you use aaa authentication exec and then aaa authorization exec/command. This will allow the user to go straight into privileged mode instead of user mode.
-
AAA authorization with ACS 3.2
I'm trying to configure my devices to use shell command authorization sets located on my ACS box. I want users that are members of a specific group to only be allowed certain commands (e.g. show). I'm pretty sure my ACS box is set up correctly, but my devices aren't. Here is the current config:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
I want the aaa authorization to use TACACS on my ACS box and whatever shell command sets are group-specific when a user that is a member of that group logs in.
Marek,
1) It is good to know that authentication is working and does fail over to the enable password. This helps assure that the problem that we are dealing with is not an issue of failure to communicate.
2) It is not necessary that the router mirror the groups that are configured on the server. So unless you want to specify authentication or authorization processing different from the default, you do not need level1 to be mentioned on the router.
I agree that there is not a lot of clear documentation about authorization. One of the purposes of this forum is to allow people to ask questions about things that they do not yet understand and hopefully to get some helpful answers. As you get more experience and understand more, you may be able to participate in the forum by providing answers in addition to asking questions.
3) As I read your config, authentication does have a backup method and authorization does not. I am a proponent of having backup methods configured. As long as the server is available you do not need them. But if they are not configured and the server is not available, you can manage to lock yourself out of the router.
I can understand removing them while you concentrate on why the authorization is not working (though I would not do it that way), but I strongly suggest that you plan to put the backups in before you put anything like this into production.
4) The fact that both users log in and are already at privilege level 15 may be a clue. Look in the config under the console and under the vty ports. Look for this configuration command: privilege level 15. If it is there, remove it and test again.
HTH
Rick