ACS command privileges

Similar Messages

• ACS command Authorization on PIX Console

  I have configured the pix firewall for ACS authentication and command authorization, everything is working fine
  aaa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ (inside) host 172.28.x.x x.x.x
  aaa-server TACACS+ (inside) host 172.28.x. xx
  aaa authentication ssh console TACACS+ LOCAL
  aaa authentication serial console LOCAL
  aaa authentication enable console TACACS+ LOCAL
  aaa authorization command TACACS+
  aaa accounting command privilege 15 TACACS+
  aaa accounting enable console TACACS+
  but porblem is that i dont wana have ACS authentication while connecting with console. In case of emergency when
  ACS down, i wana to get console and access the device by using local username and password
  but now after this configuration when i try to access the firewall via console, i m getting error of
  command authorization fail.
  I dont wana have any command authorization while connected with console, Please tell me how to resolve this issue
  I have made the command authorization set in ACS and it is working fine for me,

  kindly once again check my modified configuration,
  I wanted to use this option in case, ACS goes down and i can console my firewall and but it is not working fine me.
  aa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ (edn) host 172.28.31.132
  aaa-server TACACS+ (edn) host 172.28.31.133
  aaa authentication ssh console TACACS+ LOCAL
  aaa authentication enable console TACACS+ LOCAL
  aaa authentication serial console LOCAL
  aaa authentication http console LOCAL
  aaa authorization command TACACS+ LOCAL
  aaa accounting command privilege 15 TACACS+
  aaa accounting enable console TACACS+
  but i m not able to login i m getting following eror
  Command authorization failed
  TDC-INT-525-01> exit
  Command authorization failed
  TDC-INT-525-01> exit
  Command authorization failed
  TDC-INT-525-01> enable
  Command authorization failed
  i also defined the local command authorization set like this
  privilege cmd level 15 mode exec command exit
  privilege show level 5 mode exec command running-config
  privilege show level 15 mode exec command version
  privilege show level 0 mode exec command access-list
  privilege show level 0 mode configure command access-list
  privilege cmd level 15 mode configure command exit
  privilege cmd level 15 mode configure command no
  privilege cmd level 0 mode configure command access-list
  privilege cmd level 15 mode interface command exit
  privilege cmd level 15 mode subinterface command exit
  privilege cmd level 15 mode dynupd-method command exit
  privilege cmd level 15 mode trange command exit
  privilege cmd level 15 mode route-map command exit
  privilege cmd level 15 mode router command exit
  privilege cmd level 15 mode ldap command exit
  privilege cmd level 15 mode aaa-server-host command exit
  privilege cmd level 15 mode aaa-server-group command exit
  privilege cmd level 15 mode context command exit
  privilege cmd level 15 mode group-policy command exit
  privilege cmd level 15 mode username command exit
  privilege cmd level 15 mode tunnel-group-general command exit
  privilege cmd level 15 mode tunnel-group-ipsec command exit
  privilege cmd level 15 mode tunnel-group-ppp command exit
  privilege cmd level 15 mode mpf-class-map command exit
  privilege cmd level 15 mode mpf-policy-map command exit
  privilege cmd level 15 mode mpf-policy-map-class command exit
  privilege cmd level 15 mode mpf-policy-map-class command exit
  privilege cmd level 15 mode mpf-policy-map-param command exit
  Please tell me how to solve this problem

• ACS Command line login..

  Hi
  I have a superadmin account in ACS.
  with this account i can able to login GUI but can't able to login CLI mode.
  what could be the problem ?

  Hello Tony,
  The ACS GUI Administrator accounts and CLI Administrator accounts are different. You cannot login with GUI accounts into CLI.
  You need to use CLI created accounts to access the ACS command line. You should have created one when first installing the ACS 5.x.
  If this was helpful please rate.

• Problem - acs command authorization and web access control

  Hi, I'm trying to add the control of some aironet 1310 bridges with a ACS 3.2 (tacacs+). I wanted to be able to do telnet command authorization restrictions trough shell command authorization sets and be able to give similar restrictive web access at the same time. I have it working if I permit some commands that are sent by the browser as "write memory quiet" and few other ones, but for it to work, I must give them limited users the privilege level 15 and by having the tacacs server authorizing the commands, it work for both, http and telnet. Where my problem begin is when I loose the connection with the ACS server, the user being already authenticated as level 15 user, the device become open to all commands; there is no more restriction applied by the ACS. Do anybody now a workaround.

  It is already at local, that is just that the user already have a level 15 access and I used to control the commands through level settings before. So when I try it, my user that is localy level 5 is already recognized as a level 15 user from when it was authenticated through the ACS. If I could find a way to give web access to the 1310 at priv level 5 and still controlling the command set, it would be ok but as soon as I try to access a page that is not permitted other way than by the view level (i think it's level 1... or 0), I get a username password prompt with that line on the top of it:"level_15_or_view_access" and the only way I can access it is by entering a level 15 un/pass. I attached my 1310 aaa config
  and here are the command set that work at level 15 to do a "shut" or "no shut" of the radio interface by the web interface:
  configure
  permit terminal
  exit
  permit Unmatched Args
  interface
  permit Dot11Radio0
  no
  permit shutdown
  permit cca
  ping
  permit Unmatched Args
  show
  permit Unmatched Args
  shutdown
  permit Unmatched Args
  telnet
  permit Unmatched Args
  write
  permit memory quiet
  Thanks for the help !

• Host command privileges

  Hello,
  If my form does a host('cmd /c dir > d:\output.txt') I get the resulting listing on my application server but if I do a host('cmd /c net send myhost ping > d:\ouput.txt) I get an output.txt of size 0 and no message is sent. I have tried sending the message manually from the appserver and it works fine.
  Are there some restrictions on executing commands through the host command (the appserver processes run with administrator privileges so that shouldn't be a problem)? If there are restrictions, what would be the best way to get around them (wrappers etc)?
  Thanks in advance,
  Nik

  If it is a problem with privileges, you can try to use CPAU program (http://www.joeware.net/win32/) to run a command with privileges of a specified user.

• Cisco ACS command authorization sets

  I need help on the following please.
  1. - I am using ACS as TACACS server to control IOS authorization on all our Switches, However I can not deny telnet sessions to other devices from within CatOS - does anyone know the command authorization set to deny this within ACS ????
  2. Does anyone know where I can read up on command authorizations sets for ACS ??
  3. What is the debug command for CatOS to see cli output ?
  Many thanks
  Rod

  Thanks for your info. I have solved my problem -
  1. I enabled tacacs administration logging using command on switch aaa authorization commands 15 default group tacacs+
  This let me see what what happening everytime I entered a command on CatOS - via the logging monitor on ACS. From here i was able to see that when i was trying to telnet to a device from CatOS it was doing it on Privilage mode 1. I then entered this command aaa authorization commands 1 default group tacacs+ which solved my telnet problem.
  Problem resolved.
  Many thanks.

• ACS command authorization - deny CatOS "set" commands

  Cisco Secure ACS 4.2
  I have a network support group that i just want to deny them the ability to use IOS and CatOS configuration commands.
  I noticed that the Per Group Command Authorization is applicable to only IOS-based commands. I applied it to deny "configure", but permit everything else.
  How do I go about setting this group up to deny set-based commands for the CatOS devices?

  Hi
  CatOS does TACACS+ right? Pretty sure it does. If it has a "shell/exec" service like IOS then ACS wont really care whether the command authorisation is IOS or CatOS - it doesnt have any specific command set knowledge. ie it uses string comparisons between what the device is requesting and what is permitted.
  However, if the command authorisations are totally different (between IOS and catos devices) you might need to place them into separate NDGs so that you can map an IOS NDG to an IOS device command set and vice versa.
  Hope that makes sense!

• ACS command authorization report in conf t mode

  Hi, this is probably a quick one, but I couldnt find a solution so far.
  We are using command authorization via ACS and are thus able to see (in case of any issues) who has entered which commands at which time on which device. But this only works until someone enters conf t mode. After that I am not getting log entries in the ACS (Version 5). I can see all show commands and who entered the configuration mode, but nothing after that. Config snippet:
  aaa new-model
  aaa authentication attempts login 5
  aaa authentication login default group tacacs+ local line enable
  aaa authentication enable default group tacacs+ enable
  aaa authorization exec default group tacacs+ local 
  aaa authorization commands 1 default group tacacs+ local 
  aaa authorization commands 15 default group tacacs+ local 
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 1 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  aaa session-id common
  My guess is that I allow all commands with that and thus no authorization is needed. 
  Any idea?
  Thanks
  Chris

• Enabling Privilege Levels when ACS is Down

  Hi,
  I have a requirement to fall back to local accounts when ACS is down. These accounts will have specific privilege levels. I have two local users - adminro and adminrw.
  adminro is read only and will have a privilege level of 7.
  adminrw is a full access account with a priv level of 15.
  I can login with adminro when ACS is down, but when I attempt to enable using "enable 7" I receive the following ouput:
  PPD-ELPUF5/pri/act> en 7
  Enabling to privilege levels is not allowed when configured for
  AAA authentication. Use 'enable' only.
  If I login using "enable", my read only account now has full configuration access which is not desireable.
  My AAA configuration is as follows:
  aaa authentication ssh console ADMIN LOCAL
  aaa authentication enable console ADMIN LOCAL
  aaa authentication http console ADMIN LOCAL
  aaa authentication telnet console ADMIN LOCAL
  aaa authentication serial console ADMIN LOCAL
  aaa authorization command ADMIN LOCAL
  aaa accounting ssh console ADMIN
  aaa accounting command privilege 15 ADMIN
  aaa accounting enable console ADMIN
  aaa accounting serial console ADMIN
  aaa accounting telnet console ADMIN
  aaa authorization exec authentication-server
  username adminro password <REMOVED> encrypted privilege 7
  username adminrw password <REMOVED> encrypted privilege 15
  enable password <REMOVED> level 7 encrypted
  enable password <REMOVED> encrypted
  Is there anyway to enable the user or automatically elevate the user to privilege 7 post login like you can with a router? I cannot have the adminro account to be able to run configuration commands on the device. Running ASA version 8.2(3).
  Thanks!

  PPD-ELPUF5/pri/act# sh curpriv
  Username : adminro
  Current privilege level : 7
  Current Mode/s : P_PRIV
  Server Group:    ADMIN
  Server Protocol: tacacs+
  Server Address:  1.150.1.80
  Server port:     49
  Server status:   FAILED, Server disabled at 15:02:37 EDT Wed Oct 12 2011
  Number of pending requests              0
  Average round trip time                 2ms
  Number of authentication requests       38
  Number of authorization requests        373
  Number of accounting requests           149
  Number of retransmissions               0
  Number of accepts                       307
  Number of rejects                       19
  Number of challenges                    0
  Number of malformed responses           0
  Number of bad authenticators            0
  Number of timeouts                      234
  Number of unrecognized responses        0
  PPD-ELPUF5/pri/act(config)# name 1.1.1.1 TEST description TEST CHANGE
  PPD-ELPUF5/pri/act(config)# sh run name
  name 1.1.1.1 TEST description TEST CHANGE
  As you can see above, my user was able to perform a change even though it should not be allowed.
  PPD-ELPUF5/pri/act(config)# sh run privilege
  privilege cmd level 7 mode exec command show
  privilege cmd level 7 mode exec command ping
  privilege cmd level 7 mode exec command traceroute

• ACS 5.1 command authorization in config mode

  Hello all,
  I have setup an ACS 5.1 system and a Cisco 3560 as test device. On the ACS system I have defined a user that will have limited access to Cisco CLI commands (privilege 15 through Shell Profile and limited commands through Command Sets). While this is working great for commands run under enable mode (meaning that the authorization denied the commands that I've specified in the Command Sets), it seems that it's not working under configure mode (e.g. I have denied commands like "router ospf" , "router bgp" , but the user can still apply them).
  Before I've search this forum and found 2 posts:
  https://supportforums.cisco.com/thread/2041611
  https://supportforums.cisco.com/message/3057298
  that suggest to have the AAA configured with:
  aaa authorization config-commands
  I already have this command and it still doesn't work. Actually my entire AAA config looks like this:
  aaa new-model
  aaa authentication login default group tacacs+ local
  aaa authentication enable default group tacacs+ enable
  aaa authorization config-commands
  aaa authorization exec default group tacacs+ local
  aaa authorization commands 1 default group tacacs+ local
  aaa authorization commands 15 default group tacacs+ local
  Did I miss something? Do you have any suggestion for me?
  Thank you!
  Calin

  can you run a "debug aaa authorization" to see what happens?

• Enable aaa accounting commands for all privilege levels?

  Here is the command's syntax:
  aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group groupname
  The "command" accounting type must include the privilege level of the commands you are logging. How do I log ALL commands?
  Take the following example:
  aaa accounting commands 15 default start-stop group mygroup
  If I issue this command will that mean commands the user executes that have a privilege level lower than 15 will not be logged? Or only commands that require exactly privilege level 15 will be logged?
  How can I log all commands regardless of privilege level?

  Hi Red,
  If you customize the command privilege level using the privilege command, you can limit which commands the appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.
  The default privilege level is 0. So if you don't specify any privilege level then all should be accounted for.
  You can find the command detail at. This is for ASA though.
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/a1.html#wp1535253
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.

• Privilege command

  Hi,
  I'd like using this command:
  privilege mode [all] level level command-string
  But "all" is not present on my different Router & Switch.
  I use this IOS for my catalyst 3550 : c3550-ipservicesk9-mz.122-35.SE
  Anybody can help me ?
  Best regards

  Hi Jean
  Use privilge 15 instead privilege all
  Regards

• Question about usage of aaa accounting commands

  Hi everyone,
  I have the problem that Cisco routers and switches do not send some accounting command
  information to ACS.
  Accounting commands do not send to ACS are "show log" and "show version".
  Accounting commands send to ACS are "show runn", "conf t" and "debug"
  The configuration of routers and switches is the following
  aaa new-model
  aaa authentication login default group tacacs+ line
  aaa authorization commands 15 default group tacacs+ none
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  tacacs-server host xxx.xxx.xxx.xxx key yyyy
  I think the commands do not send to ACS are privilege level 1 command and the commands
  send to ACS are privilege level 15 command.
  So I need to additional aaa accounting command below to get routers and switches send level 1
  command to ACS, because the "15" of "aaa accounting commands 15" does not include level 1
  so need to configure "aaa accounting commands 1" for level 1 commands.
  aaa accounting commands 1 default start-stop group tacacs+
  Is my understanding correct ?
  Your information would be greatly appreciated.
  Best regards,

  Hi,
  plese do this and the router will send
  everything to the ACS server, except
  whatever you are doing to the router in http:
  aaa new-model
  aaa authentication login notac none
  aaa authentication login VTY group tacacs+ local
  aaa authentication enable default group tacacs+ enable
  aaa authorization console
  aaa authorization config-commands
  aaa authorization exec notac none
  aaa authorization exec VTY group tacacs+ if-authenticated none
  aaa authorization commands 0 VTY group tacacs+ if-authenticated none
  aaa authorization commands 1 VTY group tacacs+ if-authenticated none
  aaa authorization commands 15 VTY group tacacs+ if-authenticated none
  aaa authorization network VTY group tacacs+ if-authenticated none
  aaa accounting exec VTY start-stop group tacacs+
  aaa accounting commands 0 VTY start-stop group tacacs+
  aaa accounting commands 1 VTY start-stop group tacacs+
  aaa accounting commands 15 VTY start-stop group tacacs+
  aaa accounting network VTY start-stop group tacacs+
  aaa accounting connection VTY start-stop group tacacs+
  aaa session-id common
  ip http authentication aaa login-authentication VTY
  ip http authentication aaa exec-authorization VTY
  tacacs-server host 192.168.15.10 key 7 1446405858517C
  tacacs-server directed-request
  line con 0
  exec-timeout 0 0
  authorization exec notac
  accounting commands 0 VTY
  accounting commands 1 VTY
  accounting commands 15 VTY
  accounting exec VTY
  logging synchronous
  login authentication notac
  line aux 0
  session-timeout 35791
  exec-timeout 35791 23
  authorization exec notac
  accounting commands 0 VTY
  accounting commands 1 VTY
  accounting commands 15 VTY
  accounting exec VTY
  login authentication notac
  transport input all
  line vty 0
  exec-timeout 0 0
  authorization commands 0 VTY
  authorization commands 1 VTY
  authorization commands 15 VTY
  authorization exec VTY
  accounting commands 0 VTY
  accounting commands 1 VTY
  accounting commands 15 VTY
  accounting exec VTY
  login authentication VTY
  David
  CCIE Security

• Dynamic User Group Role for ASA 8 ACS 4 External Windows DB

  1. I've successfully got a Win2003 AD user to authenticate to the ASA via an ACS but the default group settings the dynamic user becomes part of don't get transfered to the user. How do I get the user to adopt the group settings?
  2. ASDM recommends nabling authentication for admin console sessions so you don't ssh into a box then have to login as the enable password which isn't logged. When I check the box for this feature I can ssh to the ASA but my password is denied ASA. How do I keep the user credentials all the way to the privilege exec mode?
  3. Back in the day I could configure the ACS shell, privilege 15, custom attributes cisco-av-pair "priv-lvl-15" to get a user to jump directly to privilege exec mode. This doesn't work now. Is there a different way to do this on ACS v 4?
  Thanks in advance,
  Matt

  Try this:
  aaa authentication enable console
  aaa authorization command
  on ACS go to the user or group that the user is in and go to enable options and click on "Max Privilege for any AAA client" and set it to "15". Then go to the "tacacs+" section on click on "Shell(exec)" and click on "Privilege leve" and enter 15. Then go to the "Shell command authorization set" and set the default to permit any commands not listed. This will get the user into privilege mode. In ASA/Pix it requires command authorization and authentication for enable console. On IOS it requires that you use aaa authentication exec and then the aaa authorization exec/command. This will allow the user to go straight into privilege mode instead of user mode.

• AAA authorization with ACS 3.2

  I'm trying to configure my devices to use shell command authorization sets located on my ACS box. I want users that are members of a specific group to only be allowed to certain commands (ex. show). I'm pretty sure my ACS box is setup correctly, but my devices aren't. Here is the current config:
  aaa new-model
  aaa authentication login default group tacacs+ local
  aaa authentication enable default group tacacs+ enable
  aaa authorization exec default group tacacs+ local
  aaa accounting exec default start-stop group tacacs+
  I want the aaa authorization to use tacacs on my ACS box and whatever shell commands sets that are group specific when a user that is a member of that group logs in.

  Marek
  1) it is good to know that authentication is working and does fail over to the enable password. This helps assure that the problem that we are dealing with is not an issue of failure to communicate.
  2) it is not necessary that the router mirror the groups that are configured on the server. So unless you want to specify authentication or authorization processing different from default then you do not need level1 to be mentioned on the router.
  I agree that there is not a lot of clear documentation about authorization. One of the purposes of this forum is to allow people to ask questions about things that they do not yet understand and hopefully to get some helpful answers. As you get more experience and understand more then you may be able to participate in the forum and providing answers in addition to asking questions.
  3) As I read your config authentication does have a backup method and authorization does not. I am a proponent of having backup methods configured. As long as the server is available you do not need them. But if they are not configured and the server is not available you can manage to lock yourself out of the router.
  I can understand removing them while you concentrate on why the authorization is not working (though I would not do it that way) but I strongly suggest that you plan to put the backups in before you put anything like this into production.
  4) the fact that both users log in and are already at privilege level 15 may be a clue. Look in the config under the console and under the vty ports. Look for this configuration command privilege level 15. If it is there remove it and test over again.
  HTH
  Rick