ACS VMS Authorization

(Also posted in network management)
We are running the latest version of ACS, VMS and Cisco Works. The problem that we are having is that we can authenticate off of the ACS server but when we try to edit anything on the VMS it states that we do not have the appropriate permissions to edit.
I have it set up for both users and the group to have System Admin rights in the ACS under the registered services. I can see in the ACS logs that the user authenticates using TACACS+ and logs into the service but then fails to get authorization to edit the settings. There is no error or failed authorization attempt in the failed attempts log on the ACS.
If I remove permissions by checking “none” in the user setup on the ACS, the Failed Attempts log generates:
“Author failed
service=idscfg authorize-device=172.30.xxx.xxx cmd*admin_modify”
“Author failed
service=idscfg authorize-device=172.30.xxx.xxx cmd*deployment_view cmd*deployment_deploy cmd*deployment_approve cmd*deployment_generate”
The TACACS+ Administration logs show:
reyxxxxx xxx users Login 1 idscfg
If I give them System Admin rights in the ACS I get the same TACACS+ administration log entry but NO entries in the Failed Attempts log. The VMS then says that the user does not have the appropriate permissions to edit the group. Would it not have the same Failed Attempts log entry if it was failing to get authorization from ACS?
Any advice?

The following link has more information on VMS database restoration.
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_3/winig2_3/qsch4.pdf

Similar Messages

  • Cisco ACS command authorization sets

    I need help on the following please.
    1. I am using ACS as a TACACS server to control IOS authorization on all our switches. However, I cannot deny telnet sessions to other devices from within CatOS. Does anyone know the command authorization set to deny this within ACS?
    2. Does anyone know where I can read up on command authorization sets for ACS?
    3. What is the debug command for CatOS to see CLI output?
    Many thanks
    Rod

    Thanks for your info. I have solved my problem:
    1. I enabled TACACS administration logging using the command on the switch: aaa authorization commands 15 default group tacacs+
    This let me see what was happening every time I entered a command on CatOS, via the logging monitor on ACS. From here I was able to see that when I was trying to telnet to a device from CatOS it was doing it at privilege level 1. I then entered the command aaa authorization commands 1 default group tacacs+, which solved my telnet problem.
    Problem resolved.
    Many thanks.

  • ACS + Device Authorization Failure

    Good Afternoon:
    I'm hoping someone can help me out... I have an ACS configured with a group that is set up for admins. This group is mapped to an AD group. This is set up correctly. On each network device are the commands:
    aaa authorization exec default group tacacs+ if-authenticated
    I can create a local user and place them into the aforementioned group and the TACACS authentication and authorization work fine. However, I cannot use that same local group mapped to an AD group and a user in that group. It passes authentication but I get an authorization failure in my logs (ACS) and an authorization failed message on the device.
    Any ideas?
    Thanks!

    ACS has extensive logging capabilities that allow an administrator to troubleshoot any issue pertaining to the ACS server itself (for example, replication) or an AAA request problem (for example, an authentication problem) from NAS.
    Refer to the following URL for more info on troubleshooting ACS:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/A_Trble.html

  • ACS command authorization - deny CatOS "set" commands

    Cisco Secure ACS 4.2
    I have a network support group that I just want to deny the ability to use IOS and CatOS configuration commands.
    I noticed that the Per Group Command Authorization is applicable to only IOS-based commands. I applied it to deny "configure", but permit everything else.
    How do I go about setting this group up to deny set-based commands for the CatOS devices?

    Hi
    CatOS does TACACS+, right? Pretty sure it does. If it has a "shell/exec" service like IOS then ACS won't really care whether the command authorisation is IOS or CatOS; it doesn't have any specific command set knowledge, i.e. it uses string comparisons between what the device is requesting and what is permitted.
    However, if the command authorisations are totally different (between IOS and CatOS devices) you might need to place them into separate NDGs so that you can map an IOS NDG to an IOS device command set and vice versa.
    Hope that makes sense!

  • ACS VPN authorization

    I'm trying to authorize users on a VPN against MS Active Directory through an ACS. I can get RADIUS authentication to work, but I need to be able to limit access based on user, and so far all I'm getting is just authentication. Is there a way to map a VPN 3000 group to an ACS group?

    The Cisco VPN 3000 Concentrator has the ability to lock users into a Concentrator group which overrides the group the user has configured in the Cisco VPN 3000 Client. In this way, access restrictions can be applied to various groups configured on the VPN Concentrator with the assurance that the users are locked into that group with the RADIUS server.
    For the configuration section, refer to the following link:
    http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800946a2.shtml

  • ACS command authorization report in conf t mode

    Hi, this is probably a quick one, but I couldn't find a solution so far.
    We are using command authorization via ACS and are thus able to see (in case of any issues) who has entered which commands at which time on which device. But this only works until someone enters conf t mode. After that I am not getting log entries in the ACS (Version 5). I can see all show commands and who entered the configuration mode, but nothing after that. Config snippet:
    aaa new-model
    aaa authentication attempts login 5
    aaa authentication login default group tacacs+ local line enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common
    My guess is that I allow all commands with that and thus no authorization is needed.
    Any idea?
    Thanks
    Chris

  • Problem - acs command authorization and web access control

    Hi, I'm trying to add control of some Aironet 1310 bridges with an ACS 3.2 (TACACS+). I wanted to be able to do telnet command authorization restrictions through shell command authorization sets and to give similarly restrictive web access at the same time. I have it working if I permit some commands that are sent by the browser, such as "write memory quiet" and a few others, but for it to work I must give these limited users privilege level 15; with the TACACS+ server authorizing the commands, it works for both HTTP and telnet. Where my problem begins is when I lose the connection with the ACS server: the user, being already authenticated as a level 15 user, finds the device open to all commands; there is no more restriction applied by the ACS. Does anybody know a workaround?

    It is already at local; it is just that the user already has level 15 access, and I used to control the commands through level settings before. So when I try it, my user that is locally level 5 is already recognized as a level 15 user from when it was authenticated through the ACS. If I could find a way to give web access to the 1310 at privilege level 5 and still control the command set, it would be OK, but as soon as I try to access a page that is not permitted other than at the view level (I think it's level 1... or 0), I get a username/password prompt with this line at the top of it: "level_15_or_view_access", and the only way I can access it is by entering a level 15 username/password. I attached my 1310 AAA config,
    and here is the command set that works at level 15 to do a "shut" or "no shut" of the radio interface through the web interface:
    configure
    permit terminal
    exit
    permit Unmatched Args
    interface
    permit Dot11Radio0
    no
    permit shutdown
    permit cca
    ping
    permit Unmatched Args
    show
    permit Unmatched Args
    shutdown
    permit Unmatched Args
    telnet
    permit Unmatched Args
    write
    permit memory quiet
    Thanks for the help !

  • ACS - ASA Authorization and Accounting

    Hi
    I have some questions regarding authorization and accounting on the ASA via the ACS server.
    When I enable the command "aaa authorization command" to control SSH users' commands, I get locked out on the console; then I have to configure the console, telnet, and enable to be authenticated via TACACS+ too. Is there any way to authorize SSH via TACACS+ while keeping console and telnet authenticated locally, or even with no authentication?
    I issued the accounting command "aaa accounting command TAC" on the ASA, but I noticed that the ACS just logs commands in configuration mode (privilege 15), not any show command or privilege 1. Is there any way to fix this?
    Does RADIUS support shell authorization?
    Thanks for your support.

    1.] Unfortunately, there currently isn't any way to exclude command authorization from the serial/console or SSH users while having it apply to other access methods in the case of the ASA. Once you issue this command, it is applicable for ALL methods: SSH, telnet, enable, HTTP and console. This can be easily achieved in IOS (routers and switches) by creating a method list.
    2.] When you configure the aaa accounting command command, each command other than show commands entered by an administrator is recorded and sent to the accounting server or servers. This is the default behaviour on the ASA. IOS does send/record all show commands on ACS/TACACS.
    http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/a1.html
    Regards,
    Jatin
    Do rate helpful posts-

  • ACS command Authorization on PIX Console

    I have configured the PIX firewall for ACS authentication and command authorization, and everything is working fine:
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (inside) host 172.28.x.x x.x.x
    aaa-server TACACS+ (inside) host 172.28.x. xx
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication serial console LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authorization command TACACS+
    aaa accounting command privilege 15 TACACS+
    aaa accounting enable console TACACS+
    But the problem is that I don't want to have ACS authentication while connecting via the console. In case of emergency, when ACS is down, I want to get on the console and access the device using the local username and password. But now, after this configuration, when I try to access the firewall via the console, I am getting a "command authorization fail" error.
    I don't want to have any command authorization while connected via the console. Please tell me how to resolve this issue.
    I have made the command authorization set in ACS and it is working fine for me.

    Kindly check my modified configuration once again.
    I wanted to use this option in case ACS goes down so that I can console into my firewall, but it is not working for me.
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (edn) host 172.28.31.132
    aaa-server TACACS+ (edn) host 172.28.31.133
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication serial console LOCAL
    aaa authentication http console LOCAL
    aaa authorization command TACACS+ LOCAL
    aaa accounting command privilege 15 TACACS+
    aaa accounting enable console TACACS+
    But I am not able to log in; I am getting the following error:
    Command authorization failed
    TDC-INT-525-01> exit
    Command authorization failed
    TDC-INT-525-01> exit
    Command authorization failed
    TDC-INT-525-01> enable
    Command authorization failed
    I also defined the local command authorization set like this:
    privilege cmd level 15 mode exec command exit
    privilege show level 5 mode exec command running-config
    privilege show level 15 mode exec command version
    privilege show level 0 mode exec command access-list
    privilege show level 0 mode configure command access-list
    privilege cmd level 15 mode configure command exit
    privilege cmd level 15 mode configure command no
    privilege cmd level 0 mode configure command access-list
    privilege cmd level 15 mode interface command exit
    privilege cmd level 15 mode subinterface command exit
    privilege cmd level 15 mode dynupd-method command exit
    privilege cmd level 15 mode trange command exit
    privilege cmd level 15 mode route-map command exit
    privilege cmd level 15 mode router command exit
    privilege cmd level 15 mode ldap command exit
    privilege cmd level 15 mode aaa-server-host command exit
    privilege cmd level 15 mode aaa-server-group command exit
    privilege cmd level 15 mode context command exit
    privilege cmd level 15 mode group-policy command exit
    privilege cmd level 15 mode username command exit
    privilege cmd level 15 mode tunnel-group-general command exit
    privilege cmd level 15 mode tunnel-group-ipsec command exit
    privilege cmd level 15 mode tunnel-group-ppp command exit
    privilege cmd level 15 mode mpf-class-map command exit
    privilege cmd level 15 mode mpf-policy-map command exit
    privilege cmd level 15 mode mpf-policy-map-class command exit
    privilege cmd level 15 mode mpf-policy-map-class command exit
    privilege cmd level 15 mode mpf-policy-map-param command exit
    Please tell me how to solve this problem.

  • ACS shell authorization

    Is it possible to configure shell authorization when the privilege level is set to anything less than 15?
    What I am doing right now is configuring level 15 access and restricting the commands through shell sets. When I try to assign any other privilege level it doesn't seem to work.
    HTH
    Narayan

    Narayan,
    Let's say you assign a privilege level of 10 to the user on the AAA server. The user will log on to the device at level 10, but "sh ip int br" and "sh int" are level 15 commands, hence he will not be able to use them.
    So what we will need to do is reduce the privilege level of the "sh ip int br" and "sh int" commands on the device itself to level 10 using "privilege" command in the global configuration mode.
    After doing this, only "sh ip int br" and "sh int" commands will be available at level 10 and not other privilege 15 commands.
    Now further if you want Group a to execute only "sh ip int br" and Group b to execute only "sh int" then you can apply command authorization for level 10.
    Hope this helps

  • ACS authorization query

    Hi,
    I would like to know what are the configurations required in Cisco ACS for authorization.
    I have done the following configurations in the switch:
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    radius-server host 10.240.252.247
    radius-server key greenland.123
    Thanks.
    Rgds.,
    Sack

    Hi Narayan,
    Sorry, I pasted the wrong configurations in the forum. The actual configurations in the device are as follows:
    aaa authorization config-commands
    aaa authorization exec default group radius local
    radius-server host 10.240.252.247
    radius-server key xxx
    I would like to know what configurations are required in the ACS server with respect to authorization, as we are using RADIUS. Do we need to add anything else apart from adding the client in ACS?
    Thanks.
    Rgds.,
    Sachin

  • AAA Authorization with ACS Shell-Sets

    Hi all,
    I am using a Cisco 871 router running Version 12.4(11)T Advanced IP Services.
    I am having trouble getting AAA authorization to work correctly with ACS.
    I am able to set the users up on ACS fine and assign them shell and priv level 7.
    I then set up a Shell Auth Set and enter the commands show and configure.
    When I log in as a user, I get an exec with a priv level of 7 with no problems, but I never seem to be able to access global config mode by typing in conf (or configure) terminal or t.
    If I type con? the only command there is connect; configure is never an option...
    The only way I can get this to work is by entering the command:
    privilege exec level 7 configure terminal
    I thought the whole purpose of the ACS Shell Set was to provide this information to the router?
    This is most frustrating.
    The ACS Server is set up with a Shell Command Authorization Set named Level_7
    It is assigned to the relevant groups and I even have the "Unmatched Commands" option selected to "Permit"
    The "Permit Unmatched Args" is also selected.
    See an excerpt of my IOS config below:
    aaa new-model
    aaa group server tacacs+ ACS
    server 10.90.0.11
    aaa authentication login default group ACS local
    aaa authorization exec default group ACS
    aaa authorization commands 7 default group ACS local
    tacacs-server host 10.90.0.11 key cisco
    privilege exec level 7 configure terminal
    privilege exec level 7 configure
    privilege exec level 7 show running-config
    privilege exec level 7 show
    Hope you can help me with this one.
    P.S. I have tried it with the privilege commands on the router and with them removed from the router and just keep getting the same results!?

    Hi,
    So here it is.
    You are actually using two different options and trying to couple them together. What I would suggest is that you either use the Shell Command Authorization Set feature or play with privilege levels, not both mixed together.
    The above scenario might work if you move the commands to privilege level 6 and give the user privilege level 7. It might not; I'm not sure. Give it a try and share the result.
    This is what I suggest: put the commands back to their normal level.
    Below provided are steps to configure shell command authorization:
    Follow the following steps over the router:
    !--- <username> is the desired username
    !--- <password> is the desired password
    !--- we create a local username and password
    !--- in case we are not able to get authenticated via
    !--- our tacacs+ server. To provide a back door.
    username <username> password <password> privilege 15
    !--- To apply aaa model over the router
    aaa new-model
    !--- Following command is to specify our ACS
    !--- server location, where <ip-address> is the
    !--- ip-address of the ACS server. And
    !--- <key> is the key that should be same over the ACS and the router.
    tacacs-server host <ip-address> key <key>
    !--- To get users authentication via ACS, when they try to log-in
    !--- If our router is unable to contact to ACS, then we will use
    !--- our local username & password that we created above. This
    !--- prevents us from locking out.
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    !--- Following commands are for accounting the user's activity,
    !--- when user is logged into the device.
    aaa accounting exec default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    Configuration on ACS
    [1] Go to 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'.
    Provide any name for the set.
    Provide a sufficient description (if required).
    (a) For a Full Access administrative set:
    In Unmatched Commands, select 'Permit'.
    (b) For a Limited Access set:
    In Unmatched Commands, select 'Deny'.
    In the box above the 'Add Command' button type in the main command, and in the box below 'Permit Unmatched Args' provide the sub-commands to allow.
    For example, if we want the user to be able to access only the following commands:
    login
    logout
    exit
    enable
    disable
    show
    Then the configuration should be:
    Command     Permit Unmatched Args   Arguments
    login       permit
    logout      permit
    exit        permit
    enable      permit
    disable     permit
    configure   permit                  terminal
    interface   permit                  ethernet
                permit                  0
    show        permit                  running-config
    In the above example, the user will be allowed to run only the above commands. If the user tries to execute 'interface ethernet 1', the user will get 'Command authorization failed'.
    [2] Press 'Submit'.
    [3] Go to the group on which we want to apply this command authorization set. Select 'Edit Settings'.
    (cont...)
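    The method lists in the router configuration above (and in the other threads on this page) decide whether an administrator can still get in when the TACACS+ server is unreachable. The following is an added example, not ACS or Cisco code: a small Python linter that parses "aaa ..." lines, reports which privilege levels have command authorization and accounting, and flags any server-backed method list with no local/enable/line/none/if-authenticated fallback. The two sample configurations are constructed from snippets quoted on this page.

```python
import re

# Matches the aaa authentication/authorization/accounting lines used in the threads.
AAA_LINE = re.compile(
    r"^aaa (?P<kind>authentication|authorization|accounting)\s+"
    r"(?P<type>login|enable|exec|commands|config-commands|system)"
    r"(?:\s+(?P<level>\d+))?(?:\s+(?P<name>\S+))?(?P<rest>.*)$"
)

# Methods that do not need the AAA server, so they keep a door open if it is down.
FALLBACK_METHODS = {"local", "enable", "line", "none", "if-authenticated"}


def parse_methods(tokens):
    """Turn ['group', 'tacacs+', 'local'] into ['group tacacs+', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def lint_aaa(config_text):
    """Summarise the AAA method lists and list lines that would lock you out."""
    report = {"command_authz_levels": set(), "command_acct_levels": set(),
              "config_commands": False, "no_fallback": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = AAA_LINE.match(line)
        if not m:
            continue  # aaa new-model, aaa group server, tacacs-server ... are not method lists
        kind, typ, level = m.group("kind"), m.group("type"), m.group("level")
        if typ == "config-commands":
            report["config_commands"] = True
            continue
        if kind == "accounting":
            if typ == "commands" and level:
                report["command_acct_levels"].add(int(level))
            continue  # accounting never blocks access, so no fallback check
        if kind == "authorization" and typ == "commands" and level:
            report["command_authz_levels"].add(int(level))
        methods = parse_methods(m.group("rest").split())
        uses_server = any(x.startswith("group ") for x in methods)
        if uses_server and not (set(methods) & FALLBACK_METHODS):
            report["no_fallback"].append(line)
    return report


# Constructed from the 871 router excerpt in the question above.
ROUTER_871 = """
aaa new-model
aaa group server tacacs+ ACS
server 10.90.0.11
aaa authentication login default group ACS local
aaa authorization exec default group ACS
aaa authorization commands 7 default group ACS local
"""

# Constructed from the recommended configuration in the reply above.
RECOMMENDED = """
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

if __name__ == "__main__":
    for name, cfg in (("871 router", ROUTER_871), ("recommended", RECOMMENDED)):
        print(name, lint_aaa(cfg))
```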

  • Authorization based on scheduling

    I'm looking for a solution to help me schedule resources in our network lab. I want to require staff to schedule a resource, and then have ACS do authorization against whether or not a user has scheduled the resource. The piece I don't know about is the whole calendar/reservation piece.
    I've seen this kind of scheduling for conference rooms in Exchange. I'm wondering if setting up a "conference room" type resource in Exchange would have users assigned to the resource for a particular time period in such a way that Cisco ACS could do authorization against the resource, validating the username to validate login access for the resource. I'm not worried about forcing a logout at the end of the timeframe; the initial authorization would be sufficient.
    Does anyone have the exposure to know if this approach could be made to work, or is there a better approach that I haven't considered? I'm a bit new in this group. Thanks in advance.
    Per

    Hi Per,
    What ACS are you using? What is the protocol?
    You can try that with ACS 5.x.
    Hope that helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

  • 802.1x, 350AP, 3550 Switch, and ACS 3.0

    Yikes!
    What a mess I got myself into! I'm trying to implement a couple of security features (at the same time) due to higher corporate directives. I am trying to implement RADIUS, 802.1x port authentication on a Cat 3550 switch, and MAC address authentication for wireless clients. The idea was:
    1. The 3550 has port based authentication on it and should authenticate access points as well as any workstations that will/may connect to it.
    2. The wireless clients will be MAC authenticated via the access point passing requests to the radius server.
    Confused? I am too, help!
    Thanks

    Nilesh, Thanks for the reply.
    But I do have a few further questions if you are willing:
    1. Getting the AP to use 802.1x and talk with the radius server seems to be the big problem. I have not been able to find clear enough instructions on how to set the AP to do 802.1x through the switch. I do realize the LEAP is just cisco's implementation of 802.1x but we are trying to use non-proprietary protocols.
    2. We already have the clients MAC addresses in the AP's but want to get away from this (network mgt issues) by using the ACS server.
    I guess what makes this confusing for me is the chain of events and if they are possible to do. Here are the steps as I see them, please advise if this is not possible to do.
    1. The access point is plugged into the 3550 and uses 802.1x authentication with RADIUS through the switch. Once the switchport is authorized, the wireless clients can try to associate with the AP. To do this the MAC address of the client is sent to ACS for authorization and, when authorized, the client is allowed to communicate. Then the wireless client retrieves an IP address through DHCP.
    Whew.

  • Using ACS to deny show tech-support

    I am trying to deny the show tech-support command using Cisco Secure ACS command authorization sets (picture included). All other deny commands are working (e.g. show running-config) but no matter what I do the show tech deny is unsuccessful. Any ideas?

    Do you have these authorization commands configured?
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    tacacs-server host 10.1.1.1 key cisco123
    Debug aaa author should display:
    AAA/AUTHOR/CMD: tty2 (2846421758) user='switchuser'
    AAA/AUTHOR/CMD (2846421758): send AV service=shell
    AAA/AUTHOR/CMD (2846421758): send AV cmd=show
    AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=tech-support
    AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=
    AAA/AUTHOR/CMD (2846421758): found list "default"
    AAA/AUTHOR/CMD (2846421758): Method=tacacs+ (tacacs+)
    AAA/AUTHOR/TAC+: (2846421758): user=switchuser
    AAA/AUTHOR/TAC+: (2846421758): send AV service=shell
    AAA/AUTHOR/TAC+: (2846421758): send AV cmd=show
    AAA/AUTHOR/TAC+: (2846421758): send AV cmd-arg=tech-support
    AAA/AUTHOR/TAC+: (2846421758): send AV cmd-arg=
    TAC+: Using default tacacs server-group "tacacs+" list.
    TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
    TAC+: Opened TCP/IP handle 0x2E8FEA4 to 10.1.1.1/49
    TAC+: 10.1.1.1 (2846421758) AUTHOR/START queued
    TAC+: (2846421758) AUTHOR/START processed
    TAC+: (-1448545538): received author response status = FAIL
    Make sure to modify the original ACS Shell Command Authorization...
    deny tech-support instead of deny tech.
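    The argument matching that the answer above turns on (deny tech-support, not deny tech), and the Limited Access set walked through in the "AAA Authorization with ACS Shell-Sets" reply, as an added Python model that is not ACS code: it pulls the cmd/cmd-arg AV pairs out of debug output like the excerpt above and evaluates them against a set with Unmatched Commands and Permit Unmatched Args settings. Assumption: argument lines are compared against the whole argument string, case-insensitively; the real ACS pattern syntax is not reproduced here.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """One command entry in a Shell Command Authorization Set."""
    permit_unmatched_args: bool
    rules: tuple = ()  # (("permit"|"deny", "argument string"), ...) checked in order


@dataclass
class AuthSet:
    """Simplified model of an ACS Shell Command Authorization Set (assumption)."""
    unmatched_commands: str  # "permit" or "deny"
    commands: dict = field(default_factory=dict)


def parse_author_request(debug_lines):
    """Extract the command and its arguments from 'send AV' debug lines."""
    cmd, args = None, []
    for line in debug_lines:
        m = re.search(r"send AV (\S+?)=(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "cmd":
            cmd = value
        elif key == "cmd-arg" and value:  # the empty cmd-arg terminates the list
            args.append(value)
    return cmd, args


def authorize(auth_set, cmd, args):
    """Return 'PASS' or 'FAIL' for one shell command authorization request."""
    rule = auth_set.commands.get(cmd.lower())
    if rule is None:  # command not listed in the set at all
        return "PASS" if auth_set.unmatched_commands == "permit" else "FAIL"
    arg_string = " ".join(args).lower()
    for action, pattern in rule.rules:
        # Assumption: whole argument string must equal the listed pattern.
        if arg_string == pattern.lower():
            return "PASS" if action == "permit" else "FAIL"
    return "PASS" if rule.permit_unmatched_args else "FAIL"


def authorize_debug(auth_set, debug_lines):
    """Evaluate a request taken straight from 'debug aaa authorization' output."""
    cmd, args = parse_author_request(debug_lines)
    return authorize(auth_set, cmd, args)


# Constructed from the debug excerpt quoted in the answer above.
DEBUG_LINES = [
    "AAA/AUTHOR/CMD: tty2 (2846421758) user='switchuser'",
    "AAA/AUTHOR/CMD (2846421758): send AV service=shell",
    "AAA/AUTHOR/CMD (2846421758): send AV cmd=show",
    "AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=tech-support",
    "AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=",
]

# Limited Access set from the Shell-Sets reply: Unmatched Commands = Deny.
LIMITED = AuthSet("deny", {
    "login": CommandRule(True), "logout": CommandRule(True), "exit": CommandRule(True),
    "enable": CommandRule(True), "disable": CommandRule(True),
    "configure": CommandRule(False, (("permit", "terminal"),)),
    "interface": CommandRule(False, (("permit", "ethernet 0"),)),
    "show": CommandRule(False, (("permit", "running-config"),)),
})

# Unmatched Commands = Permit, with a single deny line under 'show'.
DENY_SHOW_TECH = AuthSet("permit", {"show": CommandRule(True, (("deny", "tech-support"),))})
WRONG_DENY = AuthSet("permit", {"show": CommandRule(True, (("deny", "tech"),))})

if __name__ == "__main__":
    print("deny tech-support:", authorize_debug(DENY_SHOW_TECH, DEBUG_LINES))
    print("deny tech:        ", authorize_debug(WRONG_DENY, DEBUG_LINES))
    print("interface ethernet 1:", authorize(LIMITED, "interface", ["ethernet", "1"]))
```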
