ACS VMS Authorization
(Also posted in network management)
We are running the latest version of ACS, VMS and Cisco Works. The problem that we are having is that we can authenticate off of the ACS server but when we try to edit anything on the VMS it states that we do not have the appropriate permissions to edit.
I have it set up for both users and the group to have System Admin rights in the ACS under the registered services. I can see in the ACS logs that the user authenticates using TACACS+ and logs into the service but then fails to get authorization to edit the settings. There is no error or failed authorization attempt in the failed attempts log on the ACS.
If I remove permissions by checking "none" in the user setup on the ACS, the failed attempts log generates a:
Author failed
service=idscfg authorize-device=172.30.xxx.xxx cmd*admin_modify
Author failed
service=idscfg authorize-device=172.30.xxx.xxx cmd*deployment_view cmd*deployment_deploy cmd*deployment_approve cmd*deployment_generate
The TACACS+ Administration logs show:
reyxxxxx xxx users Login 1 idscfg
If I give them System Admin rights in the ACS I get the same TACACS+ administration log entry but NO entries in the Failed Attempts log. The VMS then says that the user does not have the appropriate permissions to edit the group. Would it not have the same Failed Attempt log entry if it was failing to get authorization from ACS?
Any advice?
The following link has more information on VMS database restoration.
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_3/winig2_3/qsch4.pdf
Similar Messages
-
Cisco ACS command authorization sets
I need help on the following please.
1. I am using ACS as a TACACS server to control IOS authorization on all our switches. However, I cannot deny telnet sessions to other devices from within CatOS - does anyone know the command authorization set to deny this within ACS?
2. Does anyone know where I can read up on command authorization sets for ACS?
3. What is the debug command for CatOS to see cli output ?
Many thanks
Rod
Thanks for your info. I have solved my problem -
1. I enabled TACACS administration logging using the command on the switch: aaa authorization commands 15 default group tacacs+
This let me see what was happening every time I entered a command on CatOS - via the logging monitor on ACS. From here I was able to see that when I was trying to telnet to a device from CatOS it was doing it at privilege level 1. I then entered this command: aaa authorization commands 1 default group tacacs+ which solved my telnet problem.
Problem resolved.
Many thanks. -
ACS + Device Authorization Failure
Good Afternoon:
I'm hoping someone can help me out... I have an ACS configured with a group that is set up for admins. This group is mapped to an AD group. This is set up correctly. On each network device are the commands:
aaa authorization exec default group tacacs+ if-authenticated
I can create a local user and place them into the aforementioned group and the TACACS authentication and authorization work fine. However, I cannot use that same local group mapped to an AD group and a user in that group. It passes authentication but I get an authorization failure in my logs (ACS) and an authorization failed message on the device.
Any ideas?
Thanks!
ACS has extensive logging capabilities that allow an administrator to troubleshoot any issue pertaining to the ACS server itself (for example, replication) or an AAA request problem (for example, an authentication problem) from a NAS.
Refer to the following URL for more info on troubleshooting ACS:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/A_Trble.html -
ACS command authorization - deny CatOS "set" commands
Cisco Secure ACS 4.2
I have a network support group that I just want to deny the ability to use IOS and CatOS configuration commands.
I noticed that the Per Group Command Authorization is applicable to only IOS-based commands. I applied it to deny "configure", but permit everything else.
How do I go about setting this group up to deny set-based commands for the CatOS devices?
Hi
CatOS does TACACS+, right? Pretty sure it does. If it has a "shell/exec" service like IOS then ACS won't really care whether the command authorisation is IOS or CatOS - it doesn't have any specific command set knowledge, i.e. it uses string comparisons between what the device is requesting and what is permitted.
However, if the command authorisations are totally different (between IOS and catos devices) you might need to place them into separate NDGs so that you can map an IOS NDG to an IOS device command set and vice versa.
Hope that makes sense! -
I'm trying to authorize users on a vpn against MS active directory through an ACS. I can get RADIUS authentication to work, but I need to be able to limit access based on user, and so far all I'm getting is just authentication. Is there a way to map a vpn 3000 group to an ACS group?
The Cisco VPN 3000 Concentrator has the ability to lock users into a Concentrator group which overrides the group the user has configured in the Cisco VPN 3000 Client. In this way, access restrictions can be applied to various groups configured on the VPN Concentrator with the assurance that the users are locked into that group with the RADIUS server.
For configuration section refer to the following link:
http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800946a2.shtml -
ACS command authorization report in conf t mode
Hi, this is probably a quick one, but I couldn't find a solution so far.
We are using command authorization via ACS and are thus able to see (in case of any issues) who has entered which commands at which time on which device. But this only works until someone enters conf t mode. After that I am not getting log entries in the ACS (Version 5). I can see all show commands and who entered the configuration mode, but nothing after that. Config snippet:
aaa new-model
aaa authentication attempts login 5
aaa authentication login default group tacacs+ local line enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
My guess is that I allow all commands with that and thus no authorization is needed.
Any idea?
Thanks
Chris -
Problem - acs command authorization and web access control
Hi, I'm trying to add the control of some Aironet 1310 bridges with an ACS 3.2 (TACACS+). I wanted to be able to do telnet command authorization restrictions through shell command authorization sets and be able to give similar restrictive web access at the same time. I have it working if I permit some commands that are sent by the browser such as "write memory quiet" and a few others, but for it to work, I must give the limited users privilege level 15 and by having the TACACS server authorizing the commands, it works for both HTTP and telnet. Where my problem begins is when I lose the connection with the ACS server: the user being already authenticated as a level 15 user, the device becomes open to all commands; there is no more restriction applied by the ACS. Does anybody know a workaround?
It is already at local; it is just that the user already has level 15 access and I used to control the commands through level settings before. So when I try it, my user that is locally level 5 is already recognized as a level 15 user from when it was authenticated through the ACS. If I could find a way to give web access to the 1310 at priv level 5 and still control the command set, it would be OK, but as soon as I try to access a page that is not permitted other than by the view level (I think it's level 1... or 0), I get a username/password prompt with that line on the top of it: "level_15_or_view_access" and the only way I can access it is by entering a level 15 username/password. I attached my 1310 aaa config
and here is the command set that works at level 15 to do a "shut" or "no shut" of the radio interface by the web interface:
configure
permit terminal
exit
permit Unmatched Args
interface
permit Dot11Radio0
no
permit shutdown
permit cca
ping
permit Unmatched Args
show
permit Unmatched Args
shutdown
permit Unmatched Args
telnet
permit Unmatched Args
write
permit memory quiet
Thanks for the help ! -
ACS - ASA Authorization and Accounting
Hi
I have some questions regarding authorization and accounting on ASA via ACS server
When I enable the command "aaa authorization command" to control SSH users' commands I get locked out on the console, then I have to configure the console, telnet, and enable to be authenticated via TACACS too. Is there any way to authorize SSH via TACACS while keeping console and telnet authenticated locally or even with no authentication?
I issued the accounting command "aaa accounting command TAC" on the ASA but I noticed that the ACS just logs commands in configuration mode (privilege 15), not any show command or privilege 1. Is there any way to fix this?
Does RADIUS support SHELL authorization?
Thanks for your support
1.] Unfortunately, there currently isn't any way to exclude command authorization from the serial/console or SSH users while having it apply to other access methods in the case of the ASA. Once you issue this command, it would be applicable for ALL methods like SSH, telnet, enable, HTTP and console. This can be easily achieved in IOS (routers and switches) by creating a method list.
2.] When you configure the aaa accounting command command, each command other than show commands entered by an administrator is recorded and sent to the accounting server or servers. This is a default behaviour on ASA. IOS does send/record all show commands on ACS/Tacacs.
http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/a1.html
Regards,
Jatin
Do rate helpful posts. -
ACS command Authorization on PIX Console
I have configured the pix firewall for ACS authentication and command authorization, everything is working fine
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 172.28.x.x x.x.x
aaa-server TACACS+ (inside) host 172.28.x. xx
aaa authentication ssh console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+
But the problem is that I don't want to have ACS authentication while connecting with the console. In case of emergency when
ACS is down, I want to get the console and access the device by using the local username and password,
but now after this configuration when I try to access the firewall via the console, I'm getting the error
command authorization fail.
I don't want to have any command authorization while connected with the console. Please tell me how to resolve this issue.
I have made the command authorization set in ACS and it is working fine for me. Kindly once again check my modified configuration;
I wanted to use this option in case ACS goes down and I can console my firewall, but it is not working fine for me.
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (edn) host 172.28.31.132
aaa-server TACACS+ (edn) host 172.28.31.133
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+
But I'm not able to log in; I'm getting the following error:
Command authorization failed
TDC-INT-525-01> exit
Command authorization failed
TDC-INT-525-01> exit
Command authorization failed
TDC-INT-525-01> enable
Command authorization failed
I also defined the local command authorization set like this:
privilege cmd level 15 mode exec command exit
privilege show level 5 mode exec command running-config
privilege show level 15 mode exec command version
privilege show level 0 mode exec command access-list
privilege show level 0 mode configure command access-list
privilege cmd level 15 mode configure command exit
privilege cmd level 15 mode configure command no
privilege cmd level 0 mode configure command access-list
privilege cmd level 15 mode interface command exit
privilege cmd level 15 mode subinterface command exit
privilege cmd level 15 mode dynupd-method command exit
privilege cmd level 15 mode trange command exit
privilege cmd level 15 mode route-map command exit
privilege cmd level 15 mode router command exit
privilege cmd level 15 mode ldap command exit
privilege cmd level 15 mode aaa-server-host command exit
privilege cmd level 15 mode aaa-server-group command exit
privilege cmd level 15 mode context command exit
privilege cmd level 15 mode group-policy command exit
privilege cmd level 15 mode username command exit
privilege cmd level 15 mode tunnel-group-general command exit
privilege cmd level 15 mode tunnel-group-ipsec command exit
privilege cmd level 15 mode tunnel-group-ppp command exit
privilege cmd level 15 mode mpf-class-map command exit
privilege cmd level 15 mode mpf-policy-map command exit
privilege cmd level 15 mode mpf-policy-map-class command exit
privilege cmd level 15 mode mpf-policy-map-class command exit
privilege cmd level 15 mode mpf-policy-map-param command exit
Please tell me how to solve this problem -
Is it possible to configure shell authorization when the privilege level is set to anything less than 15?
What I am doing right now is configuring level 15 access and restricting the commands through shell sets. When I try to assign any other privilege level it doesn't seem to work.
HTH
Narayan
Narayan,
Let's say you assign a privilege level of 10 to the user on the AAA server. The user will log on to the device at level 10 but "sh ip int br" and "sh int" are level 15 commands, hence he will not be able to use them.
So what we will need to do is reduce the privilege level of the "sh ip int br" and "sh int" commands on the device itself to level 10 using the "privilege" command in global configuration mode.
After doing this, only "sh ip int br" and "sh int" commands will be available at level 10 and not other privilege 15 commands.
Now, further, if you want Group A to execute only "sh ip int br" and Group B to execute only "sh int", then you can apply command authorization for level 10.
Hope this helps -
Hi,
I would like to know what configurations are required in Cisco ACS for authorization.
I have done the following configurations in the switch.
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
radius-server host 10.240.252.247
radius-server key greenland.123
Thanks.
Rgds.,
Sack
Hi Narayan,
Sorry, I pasted the wrong configurations in the forum. The actual configurations in the device are as follows:
aaa authorization config-commands
aaa authorization exec default group radius local
radius-server host 10.240.252.247
radius-server key xxx
I would like to know what configurations are required in the ACS server with respect to authorization, as we are using RADIUS. Do we need to add anything else apart from adding the client in ACS?
Thanks.
Rgds.,
Sachin -
AAA Authorization with ACS Shell-Sets
Hi all,
I am using a Cisco 871 router running Version 12.4(11)T Advanced IP Services.
I am having trouble getting AAA Authorization to work correctly with ACS.
I am able to set the users up on ACS fine and assign them shell and priv level 7.
I then set up a Shell Auth Set, and enter in the commands show and configure.
When I log in as a user, I get an exec with a priv level of 7 no problems, but I never seem to be able to access global config mode by typing in conf (or configure) terminal or t.
If I type con? the only command there is connect; configure is never an option...
The only way I can get this to work is by entering the command:
privilege exec level 7 configure terminal
I thought the whole purpose of the ACS Shell Set was to provide this information to the Router?
This is most frustrating
The ACS Server is set up with a Shell Command Authorization Set named Level_7
It is assigned to the relevant groups and I even have the "Unmatched Commands" option selected to "Permit"
The "Permit Unmatched Args" is also selected.
See an excerpt of my IOS config below:
aaa new-model
aaa group server tacacs+ ACS
server 10.90.0.11
aaa authentication login default group ACS local
aaa authorization exec default group ACS
aaa authorization commands 7 default group ACS local
tacacs-server host 10.90.0.11 key cisco
privilege exec level 7 configure terminal
privilege exec level 7 configure
privilege exec level 7 show running-config
privilege exec level 7 show
Hope you can help me with this one..
P.S. I have tried it with the privilege commands on the router and removed from the router and just keep getting the same results!?
Hi,
So here it is,
You are actually using two different options and trying to couple them together. What I would suggest is either use the Shell command authorization set feature or play with privilege levels. Not both mixed together.
The above scenario might work if you move the commands to privilege level 6 and give the user privilege level 7. It might not; I'm not sure. Give it a try and share the result.
This is what I suggest: set the commands back to the normal level.
Below are the steps to configure shell command authorization:
Follow these steps on the router:
!--- is the desired username
!--- is the desired password
!--- we create a local username and password
!--- in case we are not able to get authenticated via
!--- our tacacs+ server. To provide a back door.
username password privilege 15
!--- To apply aaa model over the router
aaa new-model
!--- Following command is to specify our ACS
!--- server location, where is the
!--- ip-address of the ACS server. And
!--- is the key that should be same over the ACS and the router.
tacacs-server host key
!--- To get users authentication via ACS, when they try to log-in
!--- If our router is unable to contact to ACS, then we will use
!--- our local username & password that we created above. This
!--- prevents us from locking out.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!--- Following commands are for accounting the user's activity,
!--- when user is logged into the device.
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Configuration on ACS
[1] Go to 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'
Provide any name to the set.
Provide a sufficient description (if required).
(a) For Full Access administrative set.
In Unmatched Commands, select 'Permit'
(b) For Limited Access set.
In Unmatched commands, select 'Deny'.
In the box above the 'Add Command' button type in the main command, and in the box below 'Permit unmatched Args' provide the sub-command (argument) to allow.
For example: if we want the user to be able to access only the following commands:
login
logout
exit
enable
disable
show
Then the configuration should be:
------------------------Permit unmatched Args--
login permit
logout permit
exit permit
enable permit
disable permit
configure permit terminal
interface permit ethernet
permit 0
show permit running-config
In the above example, the user will be allowed to run only the above commands. If the user tries to execute 'interface ethernet 1', the user will get 'Command authorization failed'.
[2] Press 'Submit'.
[3] Go to the group on which we want to apply this command authorization set. Select 'Edit Settings'.
(cont...) -
Authorization based on scheduling
I'm looking for a solution to help me schedule resources in our network lab. I want to require staff to schedule a resource, and then have ACS do authorization against whether or not a user has scheduled the resource. The piece I don't know about is the whole calendar/reservation piece.
I've seen this kind of scheduling for conference rooms in Exchange. I'm wondering if setting up a "conference room" type resource in Exchange would have users assigned to the resource for a particular time period in such a way that Cisco ACS could do authorization against the resource validating the username to validate login access for the resource. I'm not worried about forcing a logout at the end of the timeframe, the initial authorization would be sufficient.
Does anyone have the exposure to know if this approach could be made to work, or is there a better approach that I haven't considered? I'm a bit new in this group. Thanks in advance.
Per
Hi Per,
What ACS are you using? What is the protocol?
You can try that with ACS 5.x.
Hope that helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts. -
802.1x, 350AP, 3550 Switch, and ACS 3.0
Yikes!
What a mess I got myself into! I'm trying to implement a couple of security features (at the same time) due to higher corporate directives. I am trying to implement RADIUS, 802.1x port authentication on a Cat 3550 switch, and MAC address authentication for wireless clients. The idea was:
1. The 3550 has port based authentication on it and should authenticate access points as well as any workstations that will/may connect to it.
2. The wireless clients will be MAC authenticated via the access point passing requests to the radius server.
Confused? I am too, help!
Thanks
Nilesh, thanks for the reply.
But I do have a few further questions if you are willing:
1. Getting the AP to use 802.1x and talk with the RADIUS server seems to be the big problem. I have not been able to find clear enough instructions on how to set the AP to do 802.1x through the switch. I do realize that LEAP is just Cisco's implementation of 802.1x but we are trying to use non-proprietary protocols.
2. We already have the clients MAC addresses in the AP's but want to get away from this (network mgt issues) by using the ACS server.
I guess what makes this confusing for me is the chain of events and if they are possible to do. Here are the steps as I see them, please advise if this is not possible to do.
1. The access point is plugged into the 3550 and uses 802.1x authentication with RADIUS through the switch. Once the switchport is authorized, then the wireless clients can try to associate with the AP. To do this the MAC address of the client is sent to ACS for authorization and, when authorized, the client is allowed to communicate. Then the wireless client retrieves an IP address through DHCP.
Whew. -
Using ACS to deny show tech-support
I am trying to deny the show tech-support command using Cisco Secure ACS command authorization sets (picture included). All other deny commands are working (e.g. show running-config) but no matter what I do the show tech deny is unsuccessful. Any ideas?
Do you have these authorization commands configured?
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
tacacs-server host 10.1.1.1 key cisco123
"debug aaa author" should display:
AAA/AUTHOR/CMD: tty2 (2846421758) user='switchuser'
AAA/AUTHOR/CMD (2846421758): send AV service=shell
AAA/AUTHOR/CMD (2846421758): send AV cmd=show
AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=tech-support
AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=
AAA/AUTHOR/CMD (2846421758): found list "default"
AAA/AUTHOR/CMD (2846421758): Method=tacacs+ (tacacs+)
AAA/AUTHOR/TAC+: (2846421758): user=switchuser
AAA/AUTHOR/TAC+: (2846421758): send AV service=shell
AAA/AUTHOR/TAC+: (2846421758): send AV cmd=show
AAA/AUTHOR/TAC+: (2846421758): send AV cmd-arg=tech-support
AAA/AUTHOR/TAC+: (2846421758): send AV cmd-arg=
TAC+: Using default tacacs server-group "tacacs+" list.
TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
TAC+: Opened TCP/IP handle 0x2E8FEA4 to 10.1.1.1/49
TAC+: 10.1.1.1 (2846421758) AUTHOR/START queued
TAC+: (2846421758) AUTHOR/START processed
TAC+: (-1448545538): received author response status = FAIL
Make sure to modify the original ACS Shell Command Authorization...
deny tech-support instead of deny tech.
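The matching behaviour behind this answer and behind the limited-access set walkthrough earlier on the page (permit/deny per command, the "Unmatched Commands" switch for the set and "Permit Unmatched Args" per command) can be reproduced offline. The following is an added example, not code from the original posts or from Cisco ACS: it parses the AV pairs from a constructed "debug aaa author" excerpt modelled on the one quoted above, then evaluates the command against a small model of a Shell Command Authorization Set. It assumes an argument line matches only when it equals the whole argument string, which is what the "deny tech" versus "deny tech-support" observation implies; it also reads the "interface permit ethernet / permit 0" lines of the walkthrough as one permitted argument string "ethernet 0".

```python
import re
from dataclasses import dataclass

# Constructed excerpt, modelled on the 'debug aaa author' lines quoted above.
DEBUG_AUTHOR = """\
AAA/AUTHOR/CMD: tty2 (2846421758) user='switchuser'
AAA/AUTHOR/CMD (2846421758): send AV service=shell
AAA/AUTHOR/CMD (2846421758): send AV cmd=show
AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=tech-support
AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=
"""

AV_RE = re.compile(r"send AV ([\w-]+)=(.*)$")


def parse_author_request(debug_text):
    """Extract (service, cmd, args) from the AV pairs the router sends.

    The router sends one cmd-arg per word; the final empty cmd-arg is the
    <cr> that terminates the argument list and is not an argument itself.
    """
    service, cmd, args = None, None, []
    for line in debug_text.splitlines():
        m = AV_RE.search(line)
        if not m:
            continue
        attr, value = m.group(1), m.group(2).strip()
        if attr == "service":
            service = value
        elif attr == "cmd":
            cmd = value
        elif attr == "cmd-arg" and value:
            args.append(value)
    return service, cmd, args


@dataclass
class CommandRule:
    """One command in the set: its argument lines plus 'Permit Unmatched Args'."""
    arg_rules: list                    # [("permit" | "deny", "argument string"), ...]
    permit_unmatched_args: bool = True


@dataclass
class ShellCommandSet:
    rules: dict                        # command -> CommandRule
    permit_unmatched_commands: bool    # the set's 'Unmatched Commands' radio button

    def authorize(self, cmd, args):
        """Return True if the command line is permitted.

        Assumption (this model, not an ACS guarantee): an argument line matches
        only the whole argument string, so "deny tech" does not cover
        "tech-support" and "permit ethernet 0" does not cover "ethernet 1".
        """
        rule = self.rules.get(cmd)
        if rule is None:
            return self.permit_unmatched_commands
        arg_string = " ".join(args)
        for action, pattern in rule.arg_rules:
            if pattern == arg_string:
                return action == "permit"
        return rule.permit_unmatched_args


def limited_set():
    """The limited-access set from the walkthrough above (unmatched commands denied)."""
    permit_all = CommandRule(arg_rules=[])
    return ShellCommandSet(
        permit_unmatched_commands=False,
        rules={
            "login": permit_all, "logout": permit_all, "exit": permit_all,
            "enable": permit_all, "disable": permit_all,
            "configure": CommandRule([("permit", "terminal")], False),
            "interface": CommandRule([("permit", "ethernet 0")], False),
            "show": CommandRule([("permit", "running-config")], False),
        },
    )


def check_tech_support(deny_argument):
    """Admin set that permits everything except one 'show' argument line."""
    admin_set = ShellCommandSet(
        permit_unmatched_commands=True,
        rules={"show": CommandRule([("deny", deny_argument)], True)},
    )
    service, cmd, args = parse_author_request(DEBUG_AUTHOR)
    return admin_set.authorize(cmd, args)
```

With "deny tech" the request for "show tech-support" falls through to "Permit Unmatched Args" and is permitted, which is the symptom in the question; with "deny tech-support" it is denied.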