ACS matching too much on shell command sets

I have a problem with ACS, I only want to give users access to gig1/0/1 but ACS matches 1/0/10, 1/0/11, 1/0/12...1/0/19 in my command set (the statement is set to permit GigabitEthernet 1/0/1). How do I tell it to match only 1/0/1 and nothing else?
Thanks!!

interface--------permit GigabitEthernet [1] [0] [1]
Or
interface--------permit GigabitEthernet [1][0][1]
Regards,
Prem
Please rate if it helps!

Similar Messages

  • ACS 4.0, only 1 Shell Command auth. set possible

    Hi all,
    I am wondering if this is a "hidden feature" of the evaluation software or a bug...
    I am currently running Cisco Acs server v.4.0 (evaluatie version) Win2k3 platform; with authentication, authorization and accouting.
    In a nutshell I have the following setup:
    - group1 uses: Shell Command Authorization Set1
    - group2 uses: Shell Command Authorization Set2
    Problem: Users in group2 are somehow authorized against the commands listed in Shell Auth. Comm. set1 instead of the configured Shell Auth. Comm. set2
    Is it possible that with the evaluation software only one Shell Command Authorization Set is allowed to be active? Does anyone know?
    Many thx
    Sander

    Problem resolved by renaming authorization sets and reloading ACS......
    thx Sander

  • ACS 5.3 Shell Command Set

    Hi all,
    Currently i deploy a ACS 5.3 at customer site. The issue i face currently is some command sets no able to deny. Example like below:
    i want to deny the AD user with priviledge level 15 to change the enable secret password and delete the enable secret password.
    the command i issue at below:
    deny enable secret -> working
    deny no enable secret  -> no working
    Anyone got idea to make the no working argument become working?

    Hi there,
    I just did a test in my ACS using your requirements and it worked fine, check below my configuration it may help you:
    I am using the following AAA commands:
    Switch(config)#do sh run | i aaa
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 0 default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa session-id common
    Switch(config)#
    Rate if it helps!

  • Tacacs problem with ACS 4.2 NDG and shell authorization sets

    Hi all,
    I am trying to solve this problem without success so far. I have fresh ACS 4.2.15 patch 5 ACS installation and I am tryng to deploy it to our environment. So I have configured one 2960S to be my test client and everything works fine. Problem is when I try to create fine grained policies using network device groups and shell authorization sets.
    I have created shell authorization sets called ReadOnly and FullAccess. I have also created NDG called FloorSwitches and added my 2960. I have 2 user groups called FloorSwitchesReadOnly and FloorSwithcesFullAccess. Now, if I configure group FloorSwitchesFullAccess and assign Shell command authorization set per NDG and then log into the switch, all of my commands are refused as unauthorized.
    One thing that I have noticed is that if I assign shell command authorization set to any device ( in user group settings ) it works fine. Or if I create association with DEFAULT NDG in user group it also works. So my conclusion is that ACS for some reason does not associate my switch with correct group but rather puts it to DEFAULT group for some reason.
    Did anyone had similar problem or is there something that I am doing in a wrong way? Is there another way to achieve such thing without using NDG's?
    Thanks everyone....

    Please upgrade to patch 6, there is a bug in patch 5 and you can check the release notes or the readme for more information.
    What is your user setting set to while you are testing command authorization, did you set it back to the group setting?
    Thanks,
    Tarik Admani

  • Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets

    Hello All,
    I am trying to create a user so that I can provide him only to run commands that I have designated them to run within my "Shell Command Authorization Set". This seems to work great, however I cannot find anywhere I can "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option to only display commands the user has access to in ACS.
    My Steps:
    Created a user in ACS
    Shared Profile Components
    Create Shell command Autorization Set - "ReadOnly"
    Unmatched Commands - Deny
    Unchecked - Permit Unmatched Arg
    Commands Added
    permit interface
    permit vlan
    permit snmp contact
    permit power inline
    permit version
    permit switch
    permit controllers utilization
    permit env all
    permit snmp location
    permit ip http server status
    permit logging
    Created a group - "GroupTest" with the following
    Confirgured - Network Access Restrictions (NAR)
    Max Sessions - Unlimited
    Enable Options - No Enable Privilege
    TACACS+ Settings
    Shell (exec)
    Priviledge level is check with 1 as the assigned level
    Shell Command Authorization Set
    "ReadOnly" - Assign a Shell Command Authorization Set for any network device
    I have configured following on my Router/Switch
    aaa authorization config-commands
    aaa authorization commands 1 default group tacacs+ if-authenticated
    privilege exec level 1 show log
    I have attached below the documention I have gone over.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624

    "you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
    Correct me if I am wrong."
    Regards
    Vamsi

  • Show config not working in ACS "Shell Command Auth set"

    To allow an AAA user access to the "show config" command I have created them an account in ACS and assigned the relevant "Shell Auth Set" but it still does not permit them to use it?, I read that this may not be the command that the switch sends the ACS server. Anyone have any ideas (switch is configured with all AAA commands)

    Hi,
    I am expecting that rest of the shell command authorization configuration is good on the ACS and device. We need to add command show along with the argument in command authorization set. I have attached a sample configuration for reference.
    Please verify the configuration of ACS and device before making any changes from keeping your self locked on the device.
    ACS Shell Command Authorization Sets on IOS and ASA/PIX/FWSM Configuration Example:-
    http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

  • ACS shell command authorization help

    Hello,
    I wanted to only allow users to use interface command. But when I permit config terminal in ACS shell command set, all the commands are allowed. How can I limited the users to only have the permission for interfacce command?
    Thanks

    Two things could be wrong
    1) You don't have the following command on your AAA Client:
    aaa authorization config-commands
    2) You have clicked the 'Unmatched Commands' = Permit radio option in ACS, have a look at:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    Regards
    Farrukh

  • Wildcard mask in Shell Command Authorization Set?

    Under Shared Profile Components/Shell Command Authorization Sets in ACS, is it possible to enter a wildcard for further arguments.
    For example, say you want to permit show cam [+ all arguments], is it possible to configure show, then 'permit cam *' as the argument?
    Thanks

    Sure. Just tested this on my ACS 3.2 server with the following config:
    AAA client:
    aaa new-model
    aaa authentication login default tacacs
    aaa authorization commands 1 default group tacacs
    ACS Shell Command Set:
    Unmatched Commands = Deny
    Command = show
    Permit unmatched args = no
    args = permit ip *
    This then allows me to do "sho ip int brief" and "sho ip http server all" to name a couple, but doesn't allow me to do "sho ver".
    Hope that helps.

  • Too much Data, not enough Time.

    Alright, So I have a problem...Guess thats why I am here.
    I have a bulk of information after digitizing a few days shoot, the problem is, Its takes so long to transfer the information in HD format and I have multiple transfers I would like set up, however the computer seems to crash when multiple transfers going. Also sometimes I need to set up transfers where the original file needs to be in 2-3 locations. Causing a time issue.
    So what I am looking for, is something along the lines that will allow me to line up a bunch of transfers individually, that can be done while I am not at the office.
    any suggestions?

    In my experience, rsync [http://rsync.samba.org> is by far the best utility for pushing data around quickly. It has a learning curve if you're not too familiar with shell commands, but is well worth the effort to learn.
    Forgot to mention, if you are running 10.4 or later, rsync already comes bundled with your os.
    Message was edited by: Wherrito

  • ACS Shell Command Authorization Set + restricted Access

    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0in 5.4pt 0in 5.4pt;
    mso-para-margin-top:0in;
    mso-para-margin-right:0in;
    mso-para-margin-bottom:10.0pt;
    mso-para-margin-left:0in;
    line-height:115%;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;}
    Hi  ,
    I have tried to Create a restricted Access  Shell Command Authorization Set on  ACS as told on the Cisco Url
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    After I applied the same on a User  Group I found the users on the group have complete access after typing the conf  t  on the equipments . My ultimate aim was restrict the access only at Interface level , Attached is the config details . Could anyone has come across such scenario . Please check my config and   let me know any thing need to be done specially from My Side
    Thanks in Advance
    Regards
    Vineeth

    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0in 5.4pt 0in 5.4pt;
    mso-para-margin-top:0in;
    mso-para-margin-right:0in;
    mso-para-margin-bottom:10.0pt;
    mso-para-margin-left:0in;
    line-height:115%;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;}
    Hi Jatin ,
    first of all Thank you very much . It startted working after aaa authorization config-commands
    here I was trying to achive one  specfic  thing .
    I want to stop  the following commands  on ACS “switchport trunk allowed vlan 103” . I only want allow “add”  after “vlan” and block rest all arguments
    But even after setting the filter on ACS Still we are able to execute the command is there anything like we cannot control the commands after the sub commands
    Also I am attaching the filter list along with this. Could you have look on this and let me know whether I have configured something wrongly. Other than this is there any work around is available to achieve this .
    Thanks and Regards
    Vineeth

  • ACS - Shell Command Authorization Sets

    Hi,
    I have had a problem where a set of users in two groups in ACS are struggling entering commands.  The commands are set in the Shell Command Authorization Sets and this hasnt changed.  Other commands are working.  As this is spanning two groups in ACS I am thinking it's not something with the groups but the command sets itself.
    Just to check, the commands are 'clear port-security' and clear mac address-table' - I have entered in Command 'clear' and the following attributes;
    permit port-security
    permit mac address-table'
    I've also ticked 'Permit unmatched args'
    At the same time as this is occuring I have been recieving the following messages from the ACS server via email;
    Test Timed out for service: CSAdmin
    Test Timed out for service: CSAuth
    Test Timed out for service: CSDbSync
    Test Timed out for service: CSLog
    I have looked at other posts and have restarted CSMon.  This then stops the messages for some time, then a day or so later I get the messages again.
    Could this be tied in with the command issue?  Is there something else I should look at other than restarting the server and the CSMon service again?  All other CS' services are running.
    Thanks!!
    Steve

    Thanks for your reply!
    there are no errors, the switch ios is putting the asterics as it does when you enter a command that is not recognised, i.e. for clear port-security the port-security onwards is not recognised.  On this note, the user is entered into priviledge mode and not in configure terminal mode, just base priviledge mode.  The group in ACS is set to max priviledge level 7 and have also set this on the user account in addition.
    I am using ACS v 4.1.
    While I receive the service messages and also when they go away - I always have the authorisation problem.
    Thanks
    Steve

  • Shell profile without a Command Set in ACS 5.1 - TACACS

    Hi all,
    I have created a shell profile with a default Privilege level of 15, I am able to successfully call this via an Access Service Rule. The issue I have however is that depite having the # symbol after I log in, the switch will only allow me to perform priv 15 level commands if I also bind an 'Allow All' command set to the results in the access service rule.
    Is this how it should work or should the shell profile alone with the priv 15 setting be enough? Am I missing something?
    The reason I ask is that in ACS 4.2 I would just set the tick Shell (exec) and set the Priv level to 15 in the appropriate group and would be good.
    Thanks in advance
    Rhodri

    FYI
    The issue here was the use of the 'aaa authorization commands' command.
    If I don't use these commands, then I only need the shell profile as no command authorization takes place post authentication.
    If using these commands, then you must also bind a command set to the results of the rule as the NAD will query the AAA server for each command.
    If I want to permit all commands for a certain priv level, I use a 'permit all commands' command set which will then allow all commands within a specific priv level.
    Here's an example NAD config:
    aaa group server tacacs+
    server 10.10.10.10
    aaa authentication login default local
    aaa authentication login Primary group local
    aaa authentication login Secondary local
    aaa authorization config-commands
    aaa authorization exec default group if-authenticated
    aaa authorization commands 0 default group if-authenticated
    aaa authorization commands 1 default group if-authenticated
    aaa authorization commands 3 default group if-authenticated
    aaa authorization commands 15 default group if-authenticated
    aaa accounting exec default start-stop group
    aaa accounting commands 0 default start-stop group
    aaa accounting commands 1 default start-stop group
    aaa accounting commands 3 default start-stop group
    aaa accounting commands 15 default start-stop group
    line con 0
    login authentication Secondary
    line vty 0 4
    login authentication Primary
    Hope this helps someone

  • AAA with CatOS and ACS (shell command autorization set)

    Hi,
    I have an ACS that authenticates and authorizes IOS devices.
    I use "shell command autorization set" to authorize some commands for some groups.
    Is it possible to do so with CatOS?
    For example, I'd like that the groupe FULL can access all command and the group LOW can onmy access "sho" commands?
    Regards,
    ROMS

    Console> (enable) set tacacs server [IP] [primary]
    set tacacs key [key]
    set tacacs attempts [number] (optional)
    set localuser user [user] password [password] privilege 15
    set authentication login local enable
    set authentication login tacacs enable [all | console | http | telnet] [primary]
    set authorization exec enable tacacs+ [deny | none] [console | telnet | both]
    set authorization commands enable [config | all] tacacs+ [deny | none] [console |telnet | both]
    regards,
    ~JG

  • ACS - Shell Command Authorization Set

    Hi
    i am trying to set specific SHOW arguments for a user ,  but the user always gain access to all show arguments , please find below
    privilege exec level 5 show ip route
    aaa authorization commands 5 TELNET group tacacs+
    aaa authorization exec TELNET group tacacs+
    aaa authentication login TAC group tacacs+
    tacacs-server host 10.0.0.100 key ccie-acs
    radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key CISCO
    line vty 0 4
      password cisco
      authorization commands 5 TELNET
      authorization exec TELNET
      login authentication TAC

    By default, there are three command levels on the router:
        privilege level 0 — Includes the disable, enable, exit, help, and logout commands.
        privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
        privilege level 15 — Includes all enable-level commands at the router# prompt.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
    for example show run, this command is privilege 15 command. Previously, the authorization command for 15 level was not configured on the IOS so your command set was not matching and user was able to run all the commands. Since we have configured 0,1,15 so this would now cover most of the commands.
    Hope this helps.
    Regards,
    Jatin
    Do rate helpful posts-

  • ACS Shell Command Authorizations Set

    I have Cisco ACS Server V4.0
    In the shell Command Authorization Set I configure a restrict Access.
    In the privilege mode the restriction of the commands works good, but when I enter in the config prompt the restriction don't works. In this promt I can enter all commands.
    Why This?

    I have the same error with ACS Server 4.2. I can restrict in privilege mode but global config is wide open. Also any command i block in privilege mode can still be executed in global config using the "do" command. How do i block that, or find out what commands the router is sending to the ACS.

Maybe you are looking for

  • User-Exit for document changes (status)

    Hi! I'm looking for an user-exit where I can check if the status of the document has been changed. Therefore I found the exit "EXIT_SAPLCV110_004" with the include "ZXCV110U04" which is triggered when a document (transaction CV02N) is saved. The prob

  • Servlets , JSP, JSTL ,etc

    Hello In my Web project , I have used servlets, JSP , JSTL and JDBC to develop a Website, and now I am preparing a report about it. Please forgive me if this question sounds "not very smart" , but kindly help. Is it correct to mention in my report I

  • Gmail and facetime

    When I try to add my aol and gmail emails to FaceTime the touch takes the aol address but I get an error message for the gmail one saying it is in use.   I want to use the gmail as default - help please!

  • POA Soap Settings for Large Email (Large Attachment)

    Hi, I have posted in the Soap support forums but I remain with a feeling our POA has somekind of switch on or off... Groupwise 7.0 SP 3 When calling sendItemRequest(Email) for email larger then 12 meg's the itemResponse is null. Note: The sendItemReq

  • I really need to speak with a live representative

    can someone give me the telephone number to customer service