Asa cmd authorization using acs

Similar Messages

• Using ACS with PIX/ASA

  Hi there,
  We have an implementation of Cisco Secure ACS 4.1.4 using RSA SecurID as its authentication source to provide role-based access control and command level authorisation.
  We have succesfully deployed this our routers/switches, and are now looking at configuring Cisco PIX/ASA devices to use ACS and have stubbled across issues.
  Config on PIX/ASA (note we actually have 4 ACS servers defined for resilience etc):
  aaa-server XXXXX protocol tacacs+
  accounting-mode simultaneous
  reactivation-mode depletion deadtime 1
  max-failed-attempts 1
  aaa-server XXXXX inside host <SERVER>
  key <SECRET>
  timeout 5
  aaa authentication telnet console XXXXX LOCAL
  aaa authentication enable console XXXXX LOCAL
  aaa authentication ssh console XXXXX LOCAL
  aaa authentication http console XXXXX LOCAL
  aaa authentication serial console XXXXX LOCAL
  aaa accounting command XXXXX
  aaa accounting telnet console XXXXX
  aaa accounting ssh console XXXXX
  aaa accounting enable console XXXXX
  aaa accounting serial console XXXXX
  aaa authorization command XXXXX LOCAL
  Problems:
  Enter PASSCODE is NOT displayed on first attempt to logon to the PIX/ASA because it does not attempt to communicate with ACS until username/pass is sent.
  Username with null password (e.g. CR) will correctly then display Enter PASSCODE prompt received from ACS.
  PIX/ASA does not attempt to authenticate against all configured TACACS+ servers in one go, instead it tries each sequentially per authentication attempt….e.g.
  1st Attempt = Server 1
  2nd Attempt = Server 2
  3rd Attempt = Server 3
  4th Attempt = Server 4
  This means that in total failure of ACS users will have to attempt authentication N+1 times before failing to LOCAL credentials depending on number of servers configured, this seems to be from setting "depletion deadtime 1" however the alternative is worse:
  With “depletion timed” configured, by the time the user has attempted authentication to servers 2,3 and 4 the hard coded 30 second timeout has likely elapsed and the first server has been re-enabled by the PIX for authentication attempts, as such it will never fail to local authentication locking the user out of the device, the PIX itself does warn of this with the following error:
  “WARNING: Fallback authentication is configured, but reactivation mode is set to
  timed. Multiple aaa servers may prevent the appliance from ever invoking the fallback auth
  mechanism.”
  The next issue is that of accounting.....AAA Accounting does not record “SHOW” commands or session accounting records (start/stop) or “ENABLE".
  The final issue is ASDM. We can login to ASDM successfully using ACS/RSA SecurID, however when a change is made to the configuration ASDM repeatedly sends the users logon credentials multiple times.
  As RSA SecurID token can only be used once this fails and locks the account.
  Any ideas on how to make two of Ciscos leading security products work together better?

  Just re-reading the PIX/ASA 7.2 command reference guide below:
  http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/crt_72.pdf
  It appears some of the above are known issues.
  PASSCODE issue, page 2-17 states:
  We recommend that you use the same username and password in the local database as the
  AAA server because the security appliance prompt does not give any indication which method is being used.
  Failure to LOCAL, page 2-42 states:
  You can have up to 15 server groups in single mode or 4 server groups per context in multiple mode. Each group can have up to 16 servers in single mode or 4 servers in multiple mode. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
  AAA Accounting, page 2-2 states:
  To send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode.
  ASDM issue, page 2-17 states:
  HTTP management authentication does not support the SDI protocol for AAA server group
  So looks like all my issues are known "features" of PIX/ASA integration with ACS, any ideas of how to achieve a "slicker" integration?
  Is there a roadmap to improve this with later versions of the OS?
  Will the PIX/ASA code ever properly support the same features as IOS?
  Would it be better to look at using something like CSM instead of ASDM?

• Using ACS for command authorization

  I've setup my ASA for this and it works as it should, the restricted user can only run the commands I put into the command set in ACS.
  However this is fine on telnet/SSH but when using ASDM the restricted account has level 15 access and is able to change things.
  Can you use ACS to give a view only account on an ASA when using ASDM?

  thanks for the reply, I actually resolved it by watching the logs and seeing what ASDM needed, in the end had to add permit to the session command and also permit write net
  this worked and gives the restricted user view only access to the config etc and also view only in ASDM.

• AAA IOS HTTS Cmd Authorization

  On my ACS SE 4.2 setup I have CMD Authorization set up and it works nice, Service Desk type cmds: show, clear, telnet, traceroute, exit and then another group with full access (all cmds permitted). both user groups have Priv. Levels = 15.
  However, (there is always one) with SDM access via HTTPS it appears that all you need is Priv. Level 15 to run SDM and make any configuration changes.
  With my current setup, a user in the NetDevOper group when Telnet'ed or SSH'ed has access to a few commands, i.e. clear crypto sessions.
  If I change this group from Priv Level 15 to, say 14, then I will have to 'Demote' the Clear command to Priv Level 14 on each device so this group can do simple clear commands.
  My other choice is to disable HTTP access altogether, which is what I am leaning towards.
  Is there another option available?

  Hi JG,
  Thanks for your reply.
  Do you know if there is a way to limit user access via HTTP(S) (SDM) so my Service Desk can use it, but cannot make configuration changes?
  It appears to me that the IOS code for HTTP(S) (SDM) access is only checking to see if the user has Priv Level=15 and there is no other varibles being check.
  If true, I will just disable HTTP(S) SDM access to the routers.
  Thanks
  Charlie

• TACACS+ command authorization and ACS "Quirk"(?)

  Hi All,
  I've created a limited access command set for a few of my engineers. They can shut/no shut ports, change VLANs on access-ports etc, but they can't access critical ports like uplinks. That's working fine. I'd like to take it a step further and ensure that they can't accidently assign a server vlan to a user access port. Using ACS 4.2
  For the example, i'll use Vlan 101, which is one of my server networks.
  My Command set says:
  Command: switchport
  Arguements: permit access, permit vlan, deny 101
  Permit Unmatched Args is UNCHECKED.
  When I debug the aaa authorization, i see this:
  146425: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): user=<my Testuser>
  146426: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV service=shell
  146427: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd=switchport
  146428: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=access
  146429: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=vlan
  146430: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=101
  146431: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=<cr>
  146432: Mar  8 09:39:19.362: AAA/AUTHOR (3413047404): Post authorization status = PASS_ADD
  I know I have the correct command set applied, because it blocks me appropriately for other commands.
  146451: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): user=<my Testuser>
  146452: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV service=shell
  146453: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd=interface
  146454: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=GigabitEthernet
  146455: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=1/1
  146456: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=<cr>
  146457: Mar  8 09:39:22.730: AAA/AUTHOR (838742026): Post authorization status = FAIL
  Any thoughts why it's not working as expected?

  Don’t mean to be ignorant about this, but is there a way to export the config from ACS? Router config section is below…I’ve used this successfully with 4.2 several times…
  ip tacacs source-interface gi 0/0
  tacacs-server directed-request
  tacacs-server key
  tacacs-server host x.x.x.x
  aaa new-model
  aaa authentic login default group tacacs+ local
  aaa authentic login no-tacacs none
  aaa authentic enable default group tacacs+ enable
  aaa author config-commands
  aaa author exec default if-authenticated
  aaa author commands 1 default if-authenticated
  aaa author commands 15 default group tacacs+ local
  aaa author console
  aaa account exec default start-stop group tacacs+
  aaa account commands 0 default start-stop group tacacs+
  aaa account commands 1 default start-stop group tacacs+
  aaa account commands 15 default start-stop group tacacs+
  aaa account connection default start-stop group tacacs+
  aaa account system default start-stop group tacacs+
  aaa session-id common

• Configuring AAA Authorization on ACS 4.1

  Hi,
  Can anybody provide me links to any good documentation on how to configure AAA Authorization using Command Shell on the ACS 4.1 ? I would be really grateful if someone one can point me few links.
  Thanks,
  Meet

  Hi
  I would try looking at this link:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a0080088893.shtml
  This describes how to plan, design and build shell cmd auth config in ACS.
  Darran

• AAA authentication for networking devices using ACS 4.1 SE

  Hi!!!
  I want to perform AAA authentication for networking devices using ACS 4.1 SE.
  I do have Cisco 4500, 6500,2960, 3750, 3560, ASA, CSMARS, routers (2821) etc in my network. I want to have radius based authentication for the same.
  I want telnet, ssh has,console attempt to be verified by radius server & if ACS goes down then it will be via local enable passwordf.
  For all users i need to have different privilege levels based upon which access will be granted.
  could u plz send me the config that is required to be done in the active devices as well as ACS!!!!

  Pradeep,
  Are you planning MAC authentication for some users while using EAP for others?
  For MAC authentication, just use the following in your AP.
  aaa authentication login mac_methods group radius
  In your AP, select the radius server for mac authentication. You must have already defined your ACS as a radius server.
  In your SSID configuration, under client authentication settings,
  check "open authentication" and also select "MAC Authentication" from the drop-down list.
  If you want both MAC or EAP, then select "MAC Authentication or EAP" from the dropdown.
  Define the mac address as the username and password in ACS. Make sure the format of the mac is without any spaces.
  You will not need to change anything in XP.
  NOTE: XP normally does not require user authentication if machine has already authenticated but it might behave differently. If it does, I can let you know the registry settings to force the behaviour change.
  HTH

• Nexus, command authorization using TACACS.

  Hello.
  Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.
  Thanks.
  Regards.
  Andrea

  Hi Andrea,
  We've moved onto ACS 5.3 now - but we had our Nexus 5520's running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:
  username admin password role network-admin ; local admin user
  feature tacacs+ ; enable the tacacs feature
  tacacs-server host key ; define key for tacacs server
  aaa group server tacacs+ tacacs ; create group called 'tacacs'
      server ;define tacacs server IP
      use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
      source-interface mgmt0 ; ...and send them from the mgmt interface
  aaa authentication login default group tacacs ; use tacacs for login auth
  aaa authentication login console group tacacs  ; use tacacs for console login auth
  aaa authorization config-commands default group tacacs local  ; use tacacs for config command authorization
  aaa authorization commands default group tacacs local  ; use tacacs for normal command authorization
  aaa accounting default group tacacs ; send accounting records to tacacs
  Hope that works for you!
  (That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only) so instead you pass back the nexus role to the 5k - and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k)
  Rob...

• AAA Authorization Using Local Database

  Hi Guys,
  I'm planning to use AAA authorization using local database. I have read already about it, I have configured the AAA new-model command and I have setup user's already. But I'm stuck at the part where I will already give certain user access to certain commands using local database. Hope you can help on this.
  FYI: I know using ACS/TACACS+/RADIUS is much more easy and powerful but my company will most likely only use local database.

  For allowing limited read only access , use this example,
  We need these commands on the switch
  Switch(config)#do sh run | in priv
  username admin privilege 15 password 0 cisco123!
  username test privilege 0 password 0 cisco
  privilege exec level 0 show ip interface brief
  privilege exec level 0 show ip interface
  privilege exec level 0 show interface
  privilege exec level 0 show switch
  No need for user to login to enable mode. All priv 0 commands are now there in the user mode. See below
  User Access Verification
  Username: test
  Password:
  Switch>show ?
  diagnostic Show command for diagnostic
  flash1: display information about flash1: file system
  flash: display information about flash: file system
  interfaces Interface status and configuration
  ip IP information
  switch show information about the stack ring
  Switch>show switch
  Switch/Stack Mac Address : 0015.f9c1.ca80
  H/W Current
  Switch# Role Mac Address Priority Version State
  *1 Master 0015.f9c1.ca80 1 0 Ready
  Switch>show run
  ^
  % Invalid input detected at '^' marker.
  Switch>show aaa server
  ^
  % Invalid input detected at '^' marker.
  Switch>show inter
  Switch>show interfaces
  Vlan1 is up, line protocol is up
  Hardware is EtherSVI, address is 0015.f9c1.cac0 (bia 0015.f9c1.cac0)
  Internet address is 192.168.26.3/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
  reliability 255/255, txload 1/255, rxload 1/255
  Switch>
  Please check this link,
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
  Regards,
  ~JG
  Do rate helpful posts

• Authorization in ACS 5.2

  In ACS 5.2, when i add custom a shell profile to a rule in an authorization policy (used in a TACAS access service) it seems to be skipped.
  I can see the rule is hit because the hitcount number increases (it hits because of the group id), and when i set the shell profile to deny access (as test), access is actually rejected. So i know the rule is hit, but anything i put in my custom shell profile at the common tasks tab (like an auto command or default/maximum privilege level) is not used.
  The same goes for commands sets. When i add the set 'deny all commands' the user is still able to exceute all commands, although the rule is hit based on the group ID the user belongs to.
  I must be doing something wrong, but i can't find my mistake.

  @ Edward; Same here, no authorization logging.
  @ Nicolas; thanks for picking this up.
  First of all, these are my AAA lines in the test 2901, running IOS 15.0.
  aaa authentication login ACS-TAC group tacacs+ local
  aaa authorization exec ACS-TAC group tacacs+ local
  aaa authorization commands 0 ACS-TAC group tacacs+ local
  aaa authorization commands 1 ACS-TAC group tacacs+ local
  aaa authorization commands 15 ACS-TAC group tacacs+ local
  I created a new Access service, of which the Identity part is working fine.
  These rules are in the authorization policy:
  This is rule1:
  This is the Shell profile, just for test:
  The command set is easy, denyallcommands. I want to add a specific command set for our service desk, but not before i can get it to work.
  When i change the Shell profile of rule1 to DenyAccess i am not able to logon with the service desk account, so it looks like the authorization rule is actually used.

• Shell Command Authorization Sets ACS

  hi i followed this guide step by step http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  but still all my user  can use all the commands
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname R3
  boot-start-marker
  boot-end-marker
  aaa new-model
  aaa authentication login milista group tacacs+ local
  aaa authorization config-commands
  aaa authorization exec default group tacacs+ local
  aaa authorization commands 0 default group tacacs+ local
  aaa authorization commands 1 default group tacacs+ local
  aaa authorization commands 15 default group tacacs+ local
  aaa session-id common
  memory-size iomem 5
  ip cef
  no ip domain lookup
  ip auth-proxy max-nodata-conns 3
  ip admission max-nodata-conns 3
  multilink bundle-name authenticated
  username admin privilege 15 secret 5 $1$CS17$3oeNpzTvJAyZTvOUP2qyB1
  archive
  log config
  hidekeys
  interface FastEthernet0/0
  ip address 192.168.20.1 255.255.255.0
  duplex auto
  speed auto
  interface Serial0/0
  no ip address
  shutdown
  clock rate 2000000
  interface FastEthernet0/1
  no ip address
  shutdown
  duplex auto
  speed auto
  interface Serial0/1
  ip address 20.20.20.2 255.255.255.252
  clock rate 2000000
  interface Serial0/2
  no ip address
  shutdown
  clock rate 2000000
  interface Serial0/3
  no ip address
  shutdown
  clock rate 2000000
  router eigrp 1
  network 20.0.0.0
  network 192.168.20.0
  no auto-summary
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  tacacs-server host 192.168.20.2 key cisco
  control-plane
  line con 0
  exec-timeout 0 0
  logging synchronous
  login authentication milista
  line aux 0
  line vty 0 4
  end
  i copy the authorization commands from the cisco forum and follow  the steps but no thing all my users have full access to all commands
  heres my share profile
  name-------------admin jr
  Description---------for jr admin
  unmatched commands------- ()permit  (x)deny
  permint unmatched args()
  enable
  show -------------------------- permit version<cr>
  permit runnig-config<cr>
  then i add this profifle to group 2 and then i add my user to the group 2
  then i log in to the router enter with the user and i still can use ALL the commands i dont know what i am doign bad any idea?
  can you  give me  if you can a guide to setup authorization with ACS i cant find any good guide  jeremy from CBT gives a example but just for authentication i am lost  i am battling with this  prblem since wednesday without luck

  "you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
  Correct me if I am wrong."
  Regards
  Vamsi

• Shell Command(session) Authorization in ACS 4.2

  Hi, All~
  Our customer is using ACS 4.2.
  They would like to restriction shell command(session) in ACS 4.2.
  For examples,
  MSFC => 'session slot [slot #] processor [processor #]' => Command authorization failed.
  Is this possible to deny for shell 'session' command?
  Have a nice weekend.
  Thanks.
  Bruce Lee

  Bruce:
  If you are running Cisco IOS then yes it is possible.
  AFAIK the MSFC runs on 5600  hardware and that runs IOS so I think it is possible for you
  look into this example
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  please rate if useful and let us know if you got any problem with the configuration.
  Regards,
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• Command Authorization on ACS

  Hi Guys,
  its like I want to have only single user ID (Could be AD account or ACS local account) & want this user account should have level 1 access on some switches,routers & have rights to run specific commands on Core devices,firewall & should have level 15 on access devices.
  So I want to use only one user account & want to have different level of Access & specific command authorization through ACS.
  please help me on this.
  Thanks

  Hi ,
  The trick here is to give Priv 15 access to the user is question and then deploy command authorization , so that user can only execute some specific commands.
  http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/spc.htm#wp697557
  Pix command,
  username Test password cisco
  username Test privilege 15
  aaa-server TACACS protocol tacacs+
  aaa-server TACACS (outside) host 10.130.102.191 cisco timeout 10
  aaa authentication http console TACACS LOCAL
  aaa authentication ssh console TACACS LOCAL
  aaa authentication telnet console TACACS LOCAL
  aaa authentication enable console TACACS LOCAL
  aaa authorization command TACACS LOCAL <--------- NEEDED FOR COMMAND AUTHORIZATION ON PIX
  Regards,
  ~JG
  Please rate if that helps !

• Command authorization failed ACS 5.6

  I have a new ACS 5.6 appliance set up that uses Active Directory authentication.
  I created a shell profile, mapped it to the authorization rule, and then added devices to the system.
  The first device I added was able to use ACS to authenticate and authorize users without any issues. In the ACS logs, it shows me log in and get the shell profile/privileges (15).
  The second device I added authenticates me, but then I get a "command authorization failed" message every time I try to do something. In the ACS logs, it shows me log in (using AD), and get the same shell profile (level 15). Not sure what the problem is.
  Here are the AAA settings on the switch
  aaa authentication login listASH group tacacs+ local
  aaa authentication enable default group tacacs+ enable
  aaa authorization exec listASH group tacacs+ local
  aaa authorization commands 0 default group tacacs+ if-authenticated
  aaa authorization commands 1 default group tacacs+ if-authenticated
  aaa authorization commands 15 default group tacacs+ if-authenticated
  tacacs-server host 10.1.2.212
  tacacs-server timeout 3
  tacacs-server directed-request
  tacacs-server key <key>
  line vty 0 4
  access-class vty-access in
  logging synchronous level all
  login authentication listASH
  transport input ssh
  Network connectivity is fine, and obviously, the key works (because I authenticate). Nevertheless, I cannot get proper authorization.

  Hmm, the config looks correct, especially if it works on one device but fails on the second. Have you tried to issue some debugs and see if you are getting any errors?
  debug aaa authentication
  debug aaa authorization
  debug tacacs authorization
  Also, is there a version of code difference between the two devices? Perhaps you are hitting a bug.
  Thank you for rating helpful posts!

• Problem when try to use ACSE+ Windows AD to authenticate two kind of WLAN c

  I met a problem when try to use ACSE+ Windows AD to authenticate two kind of WLAN clients:
  1. Background:
  We have two WLAN: staff and student, both of them will use PEAP-MSCHAPv2, ACSE will be the Radius server, it will use Windows AD's user database. In AD, they create two groups: staff and student. The testing account for staff is staff1, the testing account for student is student1.
  2. Problem:
  If student1 try to associate to staff WLAN, since both staff and student WLAN using the same authentication method, the auth request will be send to AD user database, since student1 is a valid user account in AD, then it will pass the authentication, then it will join the staff WLAN. How to prevent this happen?
  3. Potential solution and its limitation:
  1) Use group mapping in ACSE(Dynamic VLAN Assignment with WLCs based on ACS to Active Directory Group Mapping), but ACS can only support group mapping for those groups that have no more than 500 users. But the student group will definitely exceed 500 users, how to solve it?
  2) Use methods like “Restrict WLAN Access based on SSID with WLC and Cisco Secure ACS”: Configure DNIS with ssid name in NAR of ACSE, but since DNIS/NAR is only configurable in ACSE, don't know if AD support it or not, is there any options in AD like DNIS/NAR in ACSE?
  Thanks for any suggestions!

  I think the documentation for ACS states:
  ACS can only support group mapping for users who belong to 500 or fewer Windows groups
  I read that as, If a user belongs to >500 Windows Group, ACS can't map it. The group can have over 500 users, its just those users can't belong to more than 500 groups.