ACS shell authorization
Is it possible to configure shell authorization when the privilege level is set to anything less than 15?
What I am doing right now is configuring level 15 access and restricting the commands through shell sets. When I try to assign any other privilege level it doesn't seem to work.
HTH
Narayan
Narayan,
Let's say you assign a privilege level of 10 to the user on the AAA server. The user will log on to the device at level 10, but "sh ip int br" and "sh int" are level 15 commands, hence he will not be able to use them.
So what we will need to do is reduce the privilege level of the "sh ip int br" and "sh int" commands on the device itself to level 10 using the "privilege" command in global configuration mode.
After doing this, only the "sh ip int br" and "sh int" commands will be available at level 10, and not the other privilege 15 commands.
Now, further, if you want Group A to execute only "sh ip int br" and Group B to execute only "sh int", then you can apply command authorization for level 10.
Hope this helps
Similar Messages
-
Tacacs problem with ACS 4.2 NDG and shell authorization sets
Hi all,
I am trying to solve this problem without success so far. I have a fresh ACS 4.2.15 patch 5 installation and I am trying to deploy it to our environment. So I have configured one 2960S to be my test client and everything works fine. The problem is when I try to create fine-grained policies using network device groups and shell authorization sets.
I have created shell authorization sets called ReadOnly and FullAccess. I have also created an NDG called FloorSwitches and added my 2960. I have 2 user groups called FloorSwitchesReadOnly and FloorSwitchesFullAccess. Now, if I configure group FloorSwitchesFullAccess and assign a Shell command authorization set per NDG and then log into the switch, all of my commands are refused as unauthorized.
One thing that I have noticed is that if I assign the shell command authorization set to any device (in user group settings) it works fine. Or if I create an association with the DEFAULT NDG in the user group it also works. So my conclusion is that ACS for some reason does not associate my switch with the correct group but rather puts it in the DEFAULT group.
Did anyone have a similar problem, or is there something that I am doing the wrong way? Is there another way to achieve such a thing without using NDGs?
Thanks everyone....
Please upgrade to patch 6; there is a bug in patch 5, and you can check the release notes or the readme for more information.
What is your user setting set to while you are testing command authorization, did you set it back to the group setting?
Thanks,
Tarik Admani -
ACS shell command authorization help
Hello,
I wanted to only allow users to use the interface command. But when I permit configure terminal in the ACS shell command set, all the commands are allowed. How can I limit the users to only have permission for the interface command?
Thanks
Two things could be wrong:
1) You don't have the following command on your AAA Client:
aaa authorization config-commands
2) You have clicked the 'Unmatched Commands' = Permit radio option in ACS, have a look at:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
Regards
Farrukh -
AAA Authorization with ACS Shell-Sets
Hi all,
I am using a Cisco 871 router running Version 12.4(11)T Advanced IP Services.
I am having trouble getting AAA Authorization to work correctly with ACS.
I am able to set the users up on ACS fine and assign them shell and priv level 7.
I then setup a Shell Auth Set, and enter in the commands show and configure.
When I log in as a user, I get an exec with a priv level of 7 no problems, but I never seem to be able
to access global config mode by typing in conf (or configure) terminal or t.
If I type con? the only command there is connect, configure is never an option...
The only way I can get this to work is by entering the command:
privilege exec level 7 configure terminal
I thought the whole purpose of the ACS Shell Set was to provide this information to the Router?
This is most frustrating
The ACS Server is set up with a Shell Command Authorization Set named Level_7
It is assigned to the relevant groups and I even have the "Unmatched Commands" option selected to "Permit"
The "Permit Unmatched Args" is also selected.
See an excerpt of my IOS config below:
aaa new-model
aaa group server tacacs+ ACS
server 10.90.0.11
aaa authentication login default group ACS local
aaa authorization exec default group ACS
aaa authorization commands 7 default group ACS local
tacacs-server host 10.90.0.11 key cisco
privilege exec level 7 configure terminal
privilege exec level 7 configure
privilege exec level 7 show running-config
privilege exec level 7 show
Hope you can help me with this one..
P.S. I have tried it with the privilege commands on the router and removed from the router and just keep getting the same results!?
Hi,
So here it is,
You are actually using two different options and trying to couple them together. What I would suggest is to either use the Shell command authorization set feature or play with privilege levels. Not both mixed together.
The above scenario might work if you move the commands to privilege level 6 and give the user privilege level 7. It might not; I'm not sure. Give it a try and share the result.
What I suggest is to move the commands back to their normal level.
Below provided are steps to configure shell command authorization:
Follow the following steps over the router:
!--- <username> is the desired username
!--- <password> is the desired password
!--- we create a local username and password
!--- in case we are not able to get authenticated via
!--- our tacacs+ server. To provide a back door.
username <username> password <password> privilege 15
!--- To apply aaa model over the router
aaa new-model
!--- Following command is to specify our ACS
!--- server location, where <ip-address> is the
!--- ip-address of the ACS server. And <key>
!--- is the key that should be same over the ACS and the router.
tacacs-server host <ip-address> key <key>
!--- To get users authentication via ACS, when they try to log-in
!--- If our router is unable to contact to ACS, then we will use
!--- our local username & password that we created above. This
!--- prevents us from locking out.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!--- Following commands are for accounting the user's activity,
!--- when user is logged into the device.
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Configuration on ACS
[1] Goto 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'
Provide any name to the set.
Provide a sufficient description (if required).
(a) For Full Access administrative set.
In Unmatched Commands, select 'Permit'
(b) For Limited Access set.
In Unmatched commands, select 'Deny'.
In the box above the 'Add Command' button, type the main command, and in the box below 'Permit Unmatched Args', provide the sub-commands (arguments) to allow.
For example, if we want the user to be able to access only the following commands:
login
logout
exit
enable
disable
show
Then the configuration should be:
Command      Permit Unmatched Args / argument lines
login        permit
logout       permit
exit         permit
enable       permit
disable      permit
configure    permit terminal
interface    permit ethernet
             permit 0
show         permit running-config
In the above example, the user will be allowed to run only the above commands. If the user tries to execute 'interface ethernet 1', the user will get 'Command authorization failed'.
[2] Press 'Submit'.
[3] Goto the group on which we want to apply these command authorization set. Select 'Edit Settings'.
(cont...) -
ACS - ASA Authorization and Accounting
Hi
I have some questions regarding authorization and accounting on ASA via ACS server
When I enable the command "aaa authorization command" to control SSH users' commands, I get locked out on the console; then I have to configure the console, telnet, and enable to be authenticated via TACACS too. Is there any way to authorize SSH via TACACS while keeping console and telnet authenticated locally, or even with no authentication?
I issued the accounting command "aaa accounting command TAC" on the ASA, but I noticed that the ACS just logs commands in configuration mode (privilege 15), not any show command or privilege 1. Is there any way to fix this?
Does RADIUS support shell authorization?
Thanks for your support
1.] Unfortunately, there currently isn't any way to exclude command authorization from the serial/console or SSH users while having it apply to other access methods in the case of the ASA. Once you issue this command, it is applicable to ALL methods: SSH, telnet, enable, HTTP and console. This can easily be achieved in IOS (routers and switches) by creating a method list.
2.] When you configure the aaa accounting command command, each command other than show commands entered by an administrator is recorded and sent to the accounting server or servers. This is a default behaviour on ASA. IOS does send/record all show commands on ACS/Tacacs.
http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/a1.html
Regards,
Jatin
Do rate helpful posts- -
Show config not working in ACS "Shell Command Auth set"
To allow an AAA user access to the "show config" command I have created an account for them in ACS and assigned the relevant "Shell Auth Set", but it still does not permit them to use it. I read that this may not be the command that the switch sends to the ACS server. Anyone have any ideas? (The switch is configured with all AAA commands.)
Hi,
I am expecting that the rest of the shell command authorization configuration is good on the ACS and the device. We need to add the command show along with the argument in the command authorization set. I have attached a sample configuration for reference.
Please verify the configuration of ACS and the device before making any changes, to keep yourself from getting locked out of the device.
ACS Shell Command Authorization Sets on IOS and ASA/PIX/FWSM Configuration Example:-
http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml -
ACS - Shell Command Authorization Sets
Hi,
I have had a problem where a set of users in two groups in ACS are struggling entering commands. The commands are set in the Shell Command Authorization Sets and this hasn't changed. Other commands are working. As this spans two groups in ACS I am thinking it's not something with the groups but with the command sets themselves.
Just to check, the commands are 'clear port-security' and 'clear mac address-table'. I have entered Command 'clear' and the following attributes:
permit port-security
permit mac address-table
I've also ticked 'Permit unmatched args'.
At the same time as this is occurring I have been receiving the following messages from the ACS server via email:
Test Timed out for service: CSAdmin
Test Timed out for service: CSAuth
Test Timed out for service: CSDbSync
Test Timed out for service: CSLog
I have looked at other posts and have restarted CSMon. This then stops the messages for some time, then a day or so later I get the messages again.
Could this be tied in with the command issue? Is there something else I should look at other than restarting the server and the CSMon service again? All other CS' services are running.
Thanks!!
Steve
Thanks for your reply!
There are no errors; the switch IOS is putting the asterisks as it does when you enter a command that is not recognised, i.e. for clear port-security, port-security onwards is not recognised. On this note, the user is entered into privileged mode and not into configure terminal mode, just base privileged mode. The group in ACS is set to max privilege level 7 and I have also set this on the user account in addition.
I am using ACS v 4.1.
While I receive the service messages and also when they go away - I always have the authorisation problem.
Thanks
Steve -
ACS Shell Command Authorization Set + restricted Access
Hi,
I have tried to create a restricted access Shell Command Authorization Set on ACS as told in the Cisco URL
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
After I applied the same on a user group, I found the users in the group have complete access after typing conf t on the equipment. My ultimate aim was to restrict the access only at interface level. Attached are the config details. Has anyone come across such a scenario? Please check my config and let me know anything that needs to be done, especially from my side.
Thanks in Advance
Regards
Vineeth
Hi Jatin ,
First of all, thank you very much. It started working after aaa authorization config-commands.
Here I was trying to achieve one specific thing.
I want to stop the following command on ACS: "switchport trunk allowed vlan 103". I only want to allow "add" after "vlan" and block all the rest of the arguments.
But even after setting the filter on ACS we are still able to execute the command. Is there anything like we cannot control the commands after the sub-commands?
Also I am attaching the filter list along with this. Could you have a look at this and let me know whether I have configured something wrongly? Other than this, is there any workaround available to achieve this?
Thanks and Regards
Vineeth -
ACS Shell Command Authorization Sets on IOS and ASA/PIX Configuration
Hi,
I need to activate a control privileges of users on various devices.
I found this interesting document:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
and using a router with IOS 124-11.XV1 it works normally, while using a switch 2960-24TC with IOS 12.2.25SEE3 it is not working.
All users (read and full access) log in to a non-privileged mode.
WHY?
I have a ACS v3.3 build 2
I have a 2960-24TC with IOS 12.2.25SEE3
I tried with a acs v4.1 without success.
Thanks.
If you want the user to fall directly into enable mode, then you should have this command:
aaa authorization exec default group tacacs+ if-authenticated
Bring users/groups in at level 15
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field
Regards,
~JG -
ACS Shell Command Authorizations Set
I have Cisco ACS Server V4.0
In the shell Command Authorization Set I configure a restrict Access.
In privileged mode the restriction of the commands works well, but when I enter the config prompt the restriction doesn't work. In this prompt I can enter all commands.
Why is this?
I have the same error with ACS Server 4.2. I can restrict in privileged mode but global config is wide open. Also, any command I block in privileged mode can still be executed in global config using the "do" command. How do I block that, or find out what commands the router is sending to the ACS?
-
Acs 5.2 shell authorization sets
Can someone point me to a guide on how to configure shell auth sets in 5.2?
I have done it in 4.2 but can't seem to get it working in the new version.
The requirement is to just allow the shut / no shut command, but as soon as I give access to config terminal the user gets all access.
Narayan
Sent from Cisco Technical Support iPhone App
Hi,
Please do the following:
Policy elements > Command Sets > Create
Give a name
Enter the grant condition , commands and arguments
Click on ADD
Click on Submit
Click on Access-policy > Device Default Access > Authorization > Customize
Customized results > Available:Select Command set > Move to selected
ok.
Select the rule to apply TACACS authorization on the default device admin authorization page.
In the results of the shell profile Command set . Click on Select and select the command set you created.
Click on Ok.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts. -
ACS - Shell Command Authorization Set
Hi
I am trying to set specific SHOW arguments for a user, but the user always gains access to all show arguments. Please find below:
privilege exec level 5 show ip route
aaa authorization commands 5 TELNET group tacacs+
aaa authorization exec TELNET group tacacs+
aaa authentication login TAC group tacacs+
tacacs-server host 10.0.0.100 key ccie-acs
radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key CISCO
line vty 0 4
password cisco
authorization commands 5 TELNET
authorization exec TELNET
login authentication TAC
By default, there are three command levels on the router:
privilege level 0 — Includes the disable, enable, exit, help, and logout commands.
privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
privilege level 15 — Includes all enable-level commands at the router# prompt.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
For example show run: this command is a privilege 15 command. Previously, the authorization command for level 15 was not configured on the IOS, so your command set was not matching and the user was able to run all the commands. Since we have configured 0, 1 and 15, this would now cover most of the commands.
Hope this helps.
Regards,
Jatin
Do rate helpful posts- -
ACS command authorization - deny CatOS "set" commands
Cisco Secure ACS 4.2
I have a network support group that I just want to deny the ability to use IOS and CatOS configuration commands.
I noticed that the Per Group Command Authorization is applicable only to IOS-based commands. I applied it to deny "configure", but permit everything else.
How do I go about setting this group up to deny set-based commands for the CatOS devices?
Hi
CatOS does TACACS+, right? Pretty sure it does. If it has a "shell/exec" service like IOS then ACS won't really care whether the command authorisation is IOS or CatOS; it doesn't have any specific command set knowledge, i.e. it uses string comparisons between what the device is requesting and what is permitted.
However, if the command authorisations are totally different (between IOS and CatOS devices) you might need to place them into separate NDGs so that you can map an IOS NDG to an IOS device command set and vice versa.
Hope that makes sense! -
ACS-Shell commmand author. problem
I have set up shell commands for the helpdesk to do basic viewing of the router. Is there a way to limit what they can do in config mode, and how do I configure that on the ACS? For instance, if I want the helpdesk to enable a port on a 3560 switch.
This is in the test router:
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
Thanks in advance
"aaa authorization commands ....." doesn't include authorization for commands done in config mode. To enable that, add the command:
aaa authorization config-commands
Then add the "set port enable" (or whatever) command into the TACACS authorization profile on the ACS server just like any other command. Note that you'll have to allow them to get into config mode in the first place though. -
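As an added example that is not from any of these posts, the following Python model ties together the mechanisms the threads above describe: the device-side privilege levels from the first answer, the Limited Access set from the ACS steps (where 'interface ethernet 1' fails with 'Command authorization failed'), the config-mode bypass via "do" reported for ACS 4.0/4.2, and the "aaa authorization config-commands" fix. The class and method names are my own, and the regex, first-match argument matching is my simplification of ACS behaviour.

```python
"""Model of IOS privilege levels plus ACS 4.x shell command authorization as
the threads above describe it (constructed example, not Cisco code).

Device side: an exec-mode line runs only if the user's level is at least the
command's level (15 here unless lowered with 'privilege exec level N ...').
If 'aaa authorization commands <level>' covers the user's level (and, in config
mode, 'aaa authorization config-commands' is present) the line also goes to ACS
as cmd = first word plus one cmd-arg per further word (IOS's trailing <cr> is
left out of this model).

ACS side: the command is looked up in the set; each argument is matched on its
own against that command's permit/deny lines (regex, first match wins), and
'Permit Unmatched Args' / 'Unmatched Commands' decide whatever did not match.
"""
import re


class ShellCommandSet:
    def __init__(self, commands, unmatched_commands="deny"):
        # commands: {"show": {"args": [("permit", "running-config")],
        #                     "permit_unmatched_args": False}, ...}
        self.commands = commands
        self.unmatched_commands = unmatched_commands

    def authorize(self, line):
        cmd, *args = line.split()
        entry = self.commands.get(cmd)
        if entry is None:
            return self.unmatched_commands == "permit"
        for arg in args:
            for action, pattern in entry.get("args", []):
                if re.fullmatch(pattern, arg):
                    if action == "deny":
                        return False
                    break
            else:  # no permit/deny line matched this argument
                if not entry.get("permit_unmatched_args", False):
                    return False
        return True


class IosDevice:
    def __init__(self, command_set, authorized_levels, config_commands=False):
        self.command_set = command_set
        self.authorized_levels = set(authorized_levels)  # aaa authorization commands N
        self.config_commands = config_commands           # aaa authorization config-commands
        self.levels = {}                                  # privilege exec level N <cmd>

    def privilege_exec(self, level, command):
        self.levels[command] = level

    def level_of(self, line):
        # longest configured prefix wins; anything else is an enable-level (15) command
        hits = [c for c in self.levels if line == c or line.startswith(c + " ")]
        return self.levels[max(hits, key=len)] if hits else 15

    def run(self, line, user_level, config_mode=False):
        """True if the device would execute the line for this user."""
        if not config_mode:
            if user_level < self.level_of(line):
                return False     # IOS hides the command before ACS is ever asked
            if user_level not in self.authorized_levels:
                return True      # no command authorization for this level
        elif not self.config_commands:
            return True          # config mode is wide open, as the 4.0/4.2 posts saw
        return self.command_set.authorize(line)


# The Limited Access set from the ACS steps above ('Unmatched Commands' = Deny)
limited = ShellCommandSet({
    "login": {}, "logout": {}, "exit": {}, "enable": {}, "disable": {},
    "configure": {"args": [("permit", "terminal")]},
    "interface": {"args": [("permit", "ethernet"), ("permit", "0")]},
    "show": {"args": [("permit", "running-config")]},
})
```

With "aaa authorization config-commands" modelled as off, a config-mode "do show ..." never reaches the set, which is the bypass the 4.0/4.2 posts describe; with it on, "do" is an unmatched command and is denied.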
Problem - acs command authorization and web access control
Hi, I'm trying to add control of some Aironet 1310 bridges with an ACS 3.2 (TACACS+). I wanted to be able to do telnet command authorization restrictions through shell command authorization sets and be able to give similar restrictive web access at the same time. I have it working if I permit some commands that are sent by the browser, such as "write memory quiet" and a few others, but for it to work I must give the limited users privilege level 15, and by having the TACACS server authorizing the commands it works for both HTTP and telnet. Where my problem begins is when I lose the connection with the ACS server: the user, being already authenticated as a level 15 user, finds the device open to all commands; there is no more restriction applied by the ACS. Does anybody know a workaround?
It is already at local; it is just that the user already has level 15 access, and I used to control the commands through level settings before. So when I try it, my user that is locally level 5 is already recognised as a level 15 user from when it was authenticated through the ACS. If I could find a way to give web access to the 1310 at priv level 5 while still controlling the command set, it would be OK, but as soon as I try to access a page that is not permitted other than by the view level (I think it's level 1... or 0), I get a username/password prompt with this line at the top of it: "level_15_or_view_access", and the only way I can access it is by entering a level 15 username/password. I attached my 1310 AAA config,
and here is the command set that works at level 15 to do a "shut" or "no shut" of the radio interface via the web interface:
configure
    permit terminal
exit
    permit Unmatched Args
interface
    permit Dot11Radio0
no
    permit shutdown
    permit cca
ping
    permit Unmatched Args
show
    permit Unmatched Args
shutdown
    permit Unmatched Args
telnet
    permit Unmatched Args
write
    permit memory quiet
Thanks for the help !