Cisco 4.2 radius command authorization

Hi,
I am trying to do command authorization in radius. I have searched but i couldnt get any luck.
Is it possible to do this? if any yes can anyone tell me the steps. i would be great.
Thanks,

IOS does support command authorization, however, only with TACACS (updated by paul)
very Nice configuration example on command authorization with tacacs
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#backinfo
Rgds, Jatin
Do rate helpful posts~

Similar Messages

  • Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets

    Hello All,
    I am trying to create a user so that I can provide him only to run commands that I have designated them to run within my "Shell Command Authorization Set". This seems to work great, however I cannot find anywhere I can "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option to only display commands the user has access to in ACS.
    My Steps:
    Created a user in ACS
    Shared Profile Components
    Create Shell command Autorization Set - "ReadOnly"
    Unmatched Commands - Deny
    Unchecked - Permit Unmatched Arg
    Commands Added
    permit interface
    permit vlan
    permit snmp contact
    permit power inline
    permit version
    permit switch
    permit controllers utilization
    permit env all
    permit snmp location
    permit ip http server status
    permit logging
    Created a group - "GroupTest" with the following
    Confirgured - Network Access Restrictions (NAR)
    Max Sessions - Unlimited
    Enable Options - No Enable Privilege
    TACACS+ Settings
    Shell (exec)
    Priviledge level is check with 1 as the assigned level
    Shell Command Authorization Set
    "ReadOnly" - Assign a Shell Command Authorization Set for any network device
    I have configured following on my Router/Switch
    aaa authorization config-commands
    aaa authorization commands 1 default group tacacs+ if-authenticated
    privilege exec level 1 show log
    I have attached below the documention I have gone over.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624

    "you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
    Correct me if I am wrong."
    Regards
    Vamsi

  • Cisco ACS command authorization sets

    I need help on the following please.
    1. - I am using ACS as TACACS server to control IOS authorization on all our Switches, However I can not deny telnet sessions to other devices from within CatOS - does anyone know the command authorization set to deny this within ACS ????
    2. Does anyone know where I can read up on command authorizations sets for ACS ??
    3. What is the debug command for CatOS to see cli output ?
    Many thanks
    Rod

    Thanks for your info. I have solved my problem -
    1. I enabled tacacs administration logging using command on switch aaa authorization commands 15 default group tacacs+
    This let me see what what happening everytime I entered a command on CatOS - via the logging monitor on ACS. From here i was able to see that when i was trying to telnet to a device from CatOS it was doing it on Privilage mode 1. I then entered this command aaa authorization commands 1 default group tacacs+ which solved my telnet problem.
    Problem resolved.
    Many thanks.

  • AAA command authorization in ACE

    How do we enable AAA command authorization in the ACE module on 6500 switch.i dont find any aaa authorization commands in it .
    Kind regards
    Ullas

    Hi,
    See the ACE Security Guide - Chapter 2. You need to set a CiscoAVPair. How you do this will depend on the RADIUS software that you are using. It sounds like you're being put into Network-Monitor role by default. Quote from the manual:
    "The user profile attribute serves an important configuration function for a RADIUS server group. If the user profile attribute is not obtained from the server during authentication, or if the profile is obtained from the server but the context name(s) in the profile do not match the context in which the user is trying to log in, a default role (Network-Monitor) and a default domain (default-domain) are assigned to the user if the authentication is successful."
    There are postings in this and other Cisco fora about exactly how to set these values (which depends on your RADIUS server implementation).
    HTH
    Cathy

  • Cisco ISE some Radius issues

    Dear guys,
         I deployed Cisco ISE for Network Access Control. My topology as described as attached image. I configured Cisco ISE as Radius Server for Client Access Control. But, I got some problems such as:
    No Accounting Start. (I have configured accouting on Switch 2960).
    Radius Request Dropped (attached image). These NAS IP Address are Servers on same subnet with Cisco ISE.
    I would greatly appreciate any help you can give me in working this problem.
    Have a nice day,
    Thanks and Regrads,

    Sorry for late reply.
    Here is my switch config.
    Current configuration : 8630 bytes
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Switch
    boot-start-marker
    boot-end-marker
    no logging console
    enable password ******************
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting delay-start all
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa server radius dynamic-author
     client A.B.C.D server-key keystrings
    aaa session-id common
    system mtu routing 1500
    vtp mode transparent
    ip dhcp snooping
    ip device tracking
    crypto pki trustpoint TP-self-signed-447922560
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-447922560
     revocation-check none
     rsakeypair TP-self-signed-447922560
    crypto pki certificate chain TP-self-signed-447922560
     certificate self-signed 01
      xxxxx
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    vlan 139,153,401-402,999,1501-1502
    interface FastEthernet0/11
     switchport access vlan 139
     switchport mode access
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     authentication periodic
     authentication timer inactivity 180
     authentication violation restrict
     mab
    interface FastEthernet0/12
     switchport access vlan 139
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize vlan 139
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication timer inactivity 180
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
    interface GigabitEthernet0/1
     switchport mode trunk
    interface GigabitEthernet0/2
    interface Vlan1
     no ip address
    interface Vlan139
     ip address E.F.G.H 255.255.255.0
    ip default-gateway I.J.K.L
    ip http server
    ip http secure-server
    ip access-list extended ACL-ALLOW
     permit ip any any
    ip access-list extended ACL-DEFAULT
     remark Allow DHCP
     permit udp any eq bootpc any eq bootps
     remark Allow DNS
     permit udp any any eq domain
     permit icmp any any
     permit tcp any host A.B.C.D eq 8443
     permit tcp any host A.B.C.D eq 443
     permit tcp any host A.B.C.D eq www
     permit tcp any host A.B.C.D eq 8905
     permit tcp any host A.B.C.D eq 8909
     permit udp any host A.B.C.D eq 8905
     permit udp any host A.B.C.D eq 8909
     deny   ip any any
    ip access-list extended ACL-WEBAUTH-REDIRECT
     permit tcp any any eq www
     permit tcp any any eq 443
     deny   ip any any
    ip radius source-interface Vlan139
    snmp-server community keystrings RW
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host A.B.C.D version 2c keystrings  mac-notification
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host A.B.C.D auth-port 1812 acct-port 1813 key STRINGSKEY
    radius-server vsa send accounting
    radius-server vsa send authentication
    line con 0
    line vty 5 15
    end
    My switch version is
    WS-2960   12.2(55)SE5 C2960-LANBASEK9-M
    I would greatly appreciate any help you can give me in working this problem.

  • Command Authorization Config best practice using ACS

    Hi
    Is there any best practices for configuring Command authorization (for router/switch/asa) in CS-ACS? To be specific, is there any best practices to configure authorization for a set of commands allowed for L1,L2,L3 support levels?
    Regards
    V Vinodh.

    Vinodh,
    The main thing here is to ensure that we have backup/fall-back method configured for command authorization, inorder to avoid lockout situation or do wr mem once you are sure configs are working fine.
    Please check this link,
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    Regards,
    ~JG
    Do rate helpful posts

  • Command authorization issue.

    Hello.
    I'm using commands authorization with Cisco Secure ACS 4.1. This morning I'm going to set the MOTD and entries fail because my banner starts with a blank.
    The shell command set that I'm using is a "permit unmatched commands".
    Any idea?
    Thanks.
    Andrea

    What you're experiencing is a known defect:
    CSCtg38468    cat4k/IOS: banner exec failed with blank characters
    Symptom:
    %PARSE_RC-4-PRC_NON_COMPLIANCE:
    The above parser error can be seen together with traceback, when configuring a banner containing a blank character at the begining of line.
    Conditions:
    Problem happens, when AAA authorization is used together with TACACS+
    Workaround:
    Make sure there is no blank character at the begining of line in the banner message.
    Problem Details: trying to configure banner exec with blank character at beginning of line failed.
    This happens when configuring the banner exec via telnet/ssh !
    When configuring the same banner exec via console-port, everything is fine.
    Note the blank characters at beginning of each line. When removing those, banner exec works fine.
    Again, this was working till IOS version 12.2(46)SG.
    Beginning with 12.2(50)SG1 and up, the behaviour has changed.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Nexus, command authorization using TACACS.

    Hello.
    Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.
    Thanks.
    Regards.
    Andrea

    Hi Andrea,
    We've moved onto ACS 5.3 now - but we had our Nexus 5520's running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:
    username admin password role network-admin ; local admin user
    feature tacacs+ ; enable the tacacs feature
    tacacs-server host key ; define key for tacacs server
    aaa group server tacacs+ tacacs ; create group called 'tacacs'
        server ;define tacacs server IP
        use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
        source-interface mgmt0 ; ...and send them from the mgmt interface
    aaa authentication login default group tacacs ; use tacacs for login auth
    aaa authentication login console group tacacs  ; use tacacs for console login auth
    aaa authorization config-commands default group tacacs local  ; use tacacs for config command authorization
    aaa authorization commands default group tacacs local  ; use tacacs for normal command authorization
    aaa accounting default group tacacs ; send accounting records to tacacs
    Hope that works for you!
    (That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only) so instead you pass back the nexus role to the 5k - and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k)
    Rob...

  • Looking for info on "test wlan dot1x radius" command

    Is there a way to perform RADIUS connectivity and optionally basic auth testing, without a client?
    I see the "test wlan dot1x radius" command in the CLI which looks promising, but I can't find any info on it. 
    The "test ..." commands aren't in the Command Reference (?!)
    Can anyone provide any info on how the above command works (if at all)
    Thanks in advance

    For testing radius, I use NTRadPing. Might be a better option for you.
    http://www.novell.com/coolsolutions/tools/14377.html
    Sent from Cisco Technical Support iPhone App

  • ACS command authorization - deny CatOS "set" commands

    Cisco Secure ACS 4.2
    I have a network support group that i just want to deny them the ability to use IOS and CatOS configuration commands.
    I noticed that the Per Group Command Authorization is applicable to only IOS-based commands. I applied it to deny "configure", but permit everything else.
    How do I go about setting this group up to deny set-based commands for the CatOS devices?

    Hi
    CatOS does TACACS+ right? Pretty sure it does. If it has a "shell/exec" service like IOS then ACS wont really care whether the command authorisation is IOS or CatOS - it doesnt have any specific command set knowledge. ie it uses string comparisons between what the device is requesting and what is permitted.
    However, if the command authorisations are totally different (between IOS and catos devices) you might need to place them into separate NDGs so that you can map an IOS NDG to an IOS device command set and vice versa.
    Hope that makes sense!

  • IOS XR Command authorization with ACS server

    We have a newly implemented ASR 9010 and are trying to figure out how to best configure it with TACACS, as it is slightly different than IOS.
    In ACS, we have two groups: Group 1 and Group 2
    Group 1 allows full access in the shell command authorization set.
    Group 2 allows limited access in the shell command set (basically just show commands).
    Both groups can login fine (aaa authentication login default group <groupname> local)
    Group 1 has full access to everything (group I am in). 
    Group 2 has NO access to anything (can't even perform show commands).
    Group 2 CAN access other IOS devices and can perform the various show commands.
    With regards to our authorization commands, we currently have it configured as:
    aaa authorization commands default group <groupname> local
    Why is it working for the one group, but not the other?  I've read how IOS XR uses task Ids and other various things that I'm unfamiliar with.  I'm mainly curious if I have to use those, if the authorized commands are configured in ACS.
    Thanks!
    Kyle

    dont have enough info to give you a full conclusive answer Kyle, but some suspicions.
    Task group not set right?
    Command groups not defined properly in tacacs for command author.
    if you only want show access, you can just use the task groups in XR with a read permission on any command for instance. no direct need to send every command down to tacacs (hate that slowness )
    More info here:
    https://supportforums.cisco.com/docs/DOC-15944
    xander

  • Command Authorization and the CSS

    HI,
    is it possible to do command authorization via usernames witha CSS. I want to implement something similar to the command authorization of an IOS device.
    Is there any refrence on the CCO how to setup the ACS and the CSS?
    Any hint or help is appreciated.
    Kind Regards,
    Joerg

    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080192ef2.html#wp1077431
    The ACS setup would be the same as for ios I believe.
    Gilles.

  • Command authorization on ASA

    Hi,
    Can anyone confirm that command authorization works as advertised on the ASA platform? i.e. is anyone doing this successfully at the moment?
    We've no problems with authentication, accounting, NAR's, etc - just the authorization set's.
    thanks,
    Andrew.

    Hi andrew.burns,
    Command authorization should work on ASA. Please review
    Configuring Command Authorization
    http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/mgaccess.htm#wp1042034
    btw - what version of ASA are you using? Also, are you using shared profile components?
    Hope this helps!

  • Shell Command Authorization Sets ACS

    hi i followed this guide step by step http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    but still all my user  can use all the commands
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R3
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa authentication login milista group tacacs+ local
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa session-id common
    memory-size iomem 5
    ip cef
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    multilink bundle-name authenticated
    username admin privilege 15 secret 5 $1$CS17$3oeNpzTvJAyZTvOUP2qyB1
    archive
    log config
    hidekeys
    interface FastEthernet0/0
    ip address 192.168.20.1 255.255.255.0
    duplex auto
    speed auto
    interface Serial0/0
    no ip address
    shutdown
    clock rate 2000000
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    interface Serial0/1
    ip address 20.20.20.2 255.255.255.252
    clock rate 2000000
    interface Serial0/2
    no ip address
    shutdown
    clock rate 2000000
    interface Serial0/3
    no ip address
    shutdown
    clock rate 2000000
    router eigrp 1
    network 20.0.0.0
    network 192.168.20.0
    no auto-summary
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    tacacs-server host 192.168.20.2 key cisco
    control-plane
    line con 0
    exec-timeout 0 0
    logging synchronous
    login authentication milista
    line aux 0
    line vty 0 4
    end
    i copy the authorization commands from the cisco forum and follow  the steps but no thing all my users have full access to all commands
    heres my share profile
    name-------------admin jr
    Description---------for jr admin
    unmatched commands------- ()permit  (x)deny
    permint unmatched args()
    enable
    show -------------------------- permit version<cr>
    permit runnig-config<cr>
    then i add this profifle to group 2 and then i add my user to the group 2
    then i log in to the router enter with the user and i still can use ALL the commands i dont know what i am doign bad any idea?
    can you  give me  if you can a guide to setup authorization with ACS i cant find any good guide  jeremy from CBT gives a example but just for authentication i am lost  i am battling with this  prblem since wednesday without luck

    "you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
    Correct me if I am wrong."
    Regards
    Vamsi

  • ACS Shell Command Authorization Set + restricted Access

    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0in 5.4pt 0in 5.4pt;
    mso-para-margin-top:0in;
    mso-para-margin-right:0in;
    mso-para-margin-bottom:10.0pt;
    mso-para-margin-left:0in;
    line-height:115%;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;}
    Hi  ,
    I have tried to Create a restricted Access  Shell Command Authorization Set on  ACS as told on the Cisco Url
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    After I applied the same on a User  Group I found the users on the group have complete access after typing the conf  t  on the equipments . My ultimate aim was restrict the access only at Interface level , Attached is the config details . Could anyone has come across such scenario . Please check my config and   let me know any thing need to be done specially from My Side
    Thanks in Advance
    Regards
    Vineeth

    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0in 5.4pt 0in 5.4pt;
    mso-para-margin-top:0in;
    mso-para-margin-right:0in;
    mso-para-margin-bottom:10.0pt;
    mso-para-margin-left:0in;
    line-height:115%;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;}
    Hi Jatin ,
    first of all Thank you very much . It startted working after aaa authorization config-commands
    here I was trying to achive one  specfic  thing .
    I want to stop  the following commands  on ACS “switchport trunk allowed vlan 103” . I only want allow “add”  after “vlan” and block rest all arguments
    But even after setting the filter on ACS Still we are able to execute the command is there anything like we cannot control the commands after the sub commands
    Also I am attaching the filter list along with this. Could you have look on this and let me know whether I have configured something wrongly. Other than this is there any work around is available to achieve this .
    Thanks and Regards
    Vineeth

Maybe you are looking for