Cisco 4.2 radius command authorization

Similar Messages

• Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets

  Hello All,
  I am trying to create a user so that I can provide him only to run commands that I have designated them to run within my "Shell Command Authorization Set". This seems to work great, however I cannot find anywhere I can "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option to only display commands the user has access to in ACS.
  My Steps:
  Created a user in ACS
  Shared Profile Components
  Create Shell command Autorization Set - "ReadOnly"
  Unmatched Commands - Deny
  Unchecked - Permit Unmatched Arg
  Commands Added
  permit interface
  permit vlan
  permit snmp contact
  permit power inline
  permit version
  permit switch
  permit controllers utilization
  permit env all
  permit snmp location
  permit ip http server status
  permit logging
  Created a group - "GroupTest" with the following
  Confirgured - Network Access Restrictions (NAR)
  Max Sessions - Unlimited
  Enable Options - No Enable Privilege
  TACACS+ Settings
  Shell (exec)
  Priviledge level is check with 1 as the assigned level
  Shell Command Authorization Set
  "ReadOnly" - Assign a Shell Command Authorization Set for any network device
  I have configured following on my Router/Switch
  aaa authorization config-commands
  aaa authorization commands 1 default group tacacs+ if-authenticated
  privilege exec level 1 show log
  I have attached below the documention I have gone over.
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624

  "you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
  Correct me if I am wrong."
  Regards
  Vamsi

• Cisco ACS command authorization sets

  I need help on the following please.
  1. - I am using ACS as TACACS server to control IOS authorization on all our Switches, However I can not deny telnet sessions to other devices from within CatOS - does anyone know the command authorization set to deny this within ACS ????
  2. Does anyone know where I can read up on command authorizations sets for ACS ??
  3. What is the debug command for CatOS to see cli output ?
  Many thanks
  Rod

  Thanks for your info. I have solved my problem -
  1. I enabled tacacs administration logging using command on switch aaa authorization commands 15 default group tacacs+
  This let me see what what happening everytime I entered a command on CatOS - via the logging monitor on ACS. From here i was able to see that when i was trying to telnet to a device from CatOS it was doing it on Privilage mode 1. I then entered this command aaa authorization commands 1 default group tacacs+ which solved my telnet problem.
  Problem resolved.
  Many thanks.

• AAA command authorization in ACE

  How do we enable AAA command authorization in the ACE module on 6500 switch.i dont find any aaa authorization commands in it .
  Kind regards
  Ullas

  Hi,
  See the ACE Security Guide - Chapter 2. You need to set a CiscoAVPair. How you do this will depend on the RADIUS software that you are using. It sounds like you're being put into Network-Monitor role by default. Quote from the manual:
  "The user profile attribute serves an important configuration function for a RADIUS server group. If the user profile attribute is not obtained from the server during authentication, or if the profile is obtained from the server but the context name(s) in the profile do not match the context in which the user is trying to log in, a default role (Network-Monitor) and a default domain (default-domain) are assigned to the user if the authentication is successful."
  There are postings in this and other Cisco fora about exactly how to set these values (which depends on your RADIUS server implementation).
  HTH
  Cathy

• Cisco ISE some Radius issues

  Dear guys,
       I deployed Cisco ISE for Network Access Control. My topology as described as attached image. I configured Cisco ISE as Radius Server for Client Access Control. But, I got some problems such as:
  No Accounting Start. (I have configured accouting on Switch 2960).
  Radius Request Dropped (attached image). These NAS IP Address are Servers on same subnet with Cisco ISE.
  I would greatly appreciate any help you can give me in working this problem.
  Have a nice day,
  Thanks and Regrads,

  Sorry for late reply.
  Here is my switch config.
  Current configuration : 8630 bytes
  version 12.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname Switch
  boot-start-marker
  boot-end-marker
  no logging console
  enable password ******************
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa authorization auth-proxy default group radius
  aaa accounting delay-start all
  aaa accounting auth-proxy default start-stop group radius
  aaa accounting dot1x default start-stop group radius
  aaa accounting network default start-stop group radius
  aaa server radius dynamic-author
   client A.B.C.D server-key keystrings
  aaa session-id common
  system mtu routing 1500
  vtp mode transparent
  ip dhcp snooping
  ip device tracking
  crypto pki trustpoint TP-self-signed-447922560
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-447922560
   revocation-check none
   rsakeypair TP-self-signed-447922560
  crypto pki certificate chain TP-self-signed-447922560
   certificate self-signed 01
    xxxxx
  dot1x system-auth-control
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  vlan 139,153,401-402,999,1501-1502
  interface FastEthernet0/11
   switchport access vlan 139
   switchport mode access
   authentication host-mode multi-auth
   authentication open
   authentication port-control auto
   authentication periodic
   authentication timer inactivity 180
   authentication violation restrict
   mab
  interface FastEthernet0/12
   switchport access vlan 139
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action authorize vlan 139
   authentication event server alive action reinitialize
   authentication host-mode multi-auth
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication timer inactivity 180
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
  interface GigabitEthernet0/1
   switchport mode trunk
  interface GigabitEthernet0/2
  interface Vlan1
   no ip address
  interface Vlan139
   ip address E.F.G.H 255.255.255.0
  ip default-gateway I.J.K.L
  ip http server
  ip http secure-server
  ip access-list extended ACL-ALLOW
   permit ip any any
  ip access-list extended ACL-DEFAULT
   remark Allow DHCP
   permit udp any eq bootpc any eq bootps
   remark Allow DNS
   permit udp any any eq domain
   permit icmp any any
   permit tcp any host A.B.C.D eq 8443
   permit tcp any host A.B.C.D eq 443
   permit tcp any host A.B.C.D eq www
   permit tcp any host A.B.C.D eq 8905
   permit tcp any host A.B.C.D eq 8909
   permit udp any host A.B.C.D eq 8905
   permit udp any host A.B.C.D eq 8909
   deny   ip any any
  ip access-list extended ACL-WEBAUTH-REDIRECT
   permit tcp any any eq www
   permit tcp any any eq 443
   deny   ip any any
  ip radius source-interface Vlan139
  snmp-server community keystrings RW
  snmp-server enable traps snmp linkdown linkup
  snmp-server enable traps mac-notification change move
  snmp-server host A.B.C.D version 2c keystrings  mac-notification
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 5 tries 3
  radius-server host A.B.C.D auth-port 1812 acct-port 1813 key STRINGSKEY
  radius-server vsa send accounting
  radius-server vsa send authentication
  line con 0
  line vty 5 15
  end
  My switch version is
  WS-2960   12.2(55)SE5 C2960-LANBASEK9-M
  I would greatly appreciate any help you can give me in working this problem.

• Command Authorization Config best practice using ACS

  Hi
  Is there any best practices for configuring Command authorization (for router/switch/asa) in CS-ACS? To be specific, is there any best practices to configure authorization for a set of commands allowed for L1,L2,L3 support levels?
  Regards
  V Vinodh.

  Vinodh,
  The main thing here is to ensure that we have backup/fall-back method configured for command authorization, inorder to avoid lockout situation or do wr mem once you are sure configs are working fine.
  Please check this link,
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  Regards,
  ~JG
  Do rate helpful posts

• Command authorization issue.

  Hello.
  I'm using commands authorization with Cisco Secure ACS 4.1. This morning I'm going to set the MOTD and entries fail because my banner starts with a blank.
  The shell command set that I'm using is a "permit unmatched commands".
  Any idea?
  Thanks.
  Andrea

  What you're experiencing is a known defect:
  CSCtg38468    cat4k/IOS: banner exec failed with blank characters
  Symptom:
  %PARSE_RC-4-PRC_NON_COMPLIANCE:
  The above parser error can be seen together with traceback, when configuring a banner containing a blank character at the begining of line.
  Conditions:
  Problem happens, when AAA authorization is used together with TACACS+
  Workaround:
  Make sure there is no blank character at the begining of line in the banner message.
  Problem Details: trying to configure banner exec with blank character at beginning of line failed.
  This happens when configuring the banner exec via telnet/ssh !
  When configuring the same banner exec via console-port, everything is fine.
  Note the blank characters at beginning of each line. When removing those, banner exec works fine.
  Again, this was working till IOS version 12.2(46)SG.
  Beginning with 12.2(50)SG1 and up, the behaviour has changed.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Nexus, command authorization using TACACS.

  Hello.
  Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.
  Thanks.
  Regards.
  Andrea

  Hi Andrea,
  We've moved onto ACS 5.3 now - but we had our Nexus 5520's running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:
  username admin password role network-admin ; local admin user
  feature tacacs+ ; enable the tacacs feature
  tacacs-server host key ; define key for tacacs server
  aaa group server tacacs+ tacacs ; create group called 'tacacs'
      server ;define tacacs server IP
      use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
      source-interface mgmt0 ; ...and send them from the mgmt interface
  aaa authentication login default group tacacs ; use tacacs for login auth
  aaa authentication login console group tacacs  ; use tacacs for console login auth
  aaa authorization config-commands default group tacacs local  ; use tacacs for config command authorization
  aaa authorization commands default group tacacs local  ; use tacacs for normal command authorization
  aaa accounting default group tacacs ; send accounting records to tacacs
  Hope that works for you!
  (That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only) so instead you pass back the nexus role to the 5k - and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k)
  Rob...

• Looking for info on "test wlan dot1x radius" command

  Is there a way to perform RADIUS connectivity and optionally basic auth testing, without a client?
  I see the "test wlan dot1x radius" command in the CLI which looks promising, but I can't find any info on it. 
  The "test ..." commands aren't in the Command Reference (?!)
  Can anyone provide any info on how the above command works (if at all)
  Thanks in advance

  For testing radius, I use NTRadPing. Might be a better option for you.
  http://www.novell.com/coolsolutions/tools/14377.html
  Sent from Cisco Technical Support iPhone App

• ACS command authorization - deny CatOS "set" commands

  Cisco Secure ACS 4.2
  I have a network support group that i just want to deny them the ability to use IOS and CatOS configuration commands.
  I noticed that the Per Group Command Authorization is applicable to only IOS-based commands. I applied it to deny "configure", but permit everything else.
  How do I go about setting this group up to deny set-based commands for the CatOS devices?

  Hi
  CatOS does TACACS+ right? Pretty sure it does. If it has a "shell/exec" service like IOS then ACS wont really care whether the command authorisation is IOS or CatOS - it doesnt have any specific command set knowledge. ie it uses string comparisons between what the device is requesting and what is permitted.
  However, if the command authorisations are totally different (between IOS and catos devices) you might need to place them into separate NDGs so that you can map an IOS NDG to an IOS device command set and vice versa.
  Hope that makes sense!

• IOS XR Command authorization with ACS server

  We have a newly implemented ASR 9010 and are trying to figure out how to best configure it with TACACS, as it is slightly different than IOS.
  In ACS, we have two groups: Group 1 and Group 2
  Group 1 allows full access in the shell command authorization set.
  Group 2 allows limited access in the shell command set (basically just show commands).
  Both groups can login fine (aaa authentication login default group <groupname> local)
  Group 1 has full access to everything (group I am in). 
  Group 2 has NO access to anything (can't even perform show commands).
  Group 2 CAN access other IOS devices and can perform the various show commands.
  With regards to our authorization commands, we currently have it configured as:
  aaa authorization commands default group <groupname> local
  Why is it working for the one group, but not the other?  I've read how IOS XR uses task Ids and other various things that I'm unfamiliar with.  I'm mainly curious if I have to use those, if the authorized commands are configured in ACS.
  Thanks!
  Kyle

  dont have enough info to give you a full conclusive answer Kyle, but some suspicions.
  Task group not set right?
  Command groups not defined properly in tacacs for command author.
  if you only want show access, you can just use the task groups in XR with a read permission on any command for instance. no direct need to send every command down to tacacs (hate that slowness )
  More info here:
  https://supportforums.cisco.com/docs/DOC-15944
  xander

• Command Authorization and the CSS

  HI,
  is it possible to do command authorization via usernames witha CSS. I want to implement something similar to the command authorization of an IOS device.
  Is there any refrence on the CCO how to setup the ACS and the CSS?
  Any hint or help is appreciated.
  Kind Regards,
  Joerg

  http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080192ef2.html#wp1077431
  The ACS setup would be the same as for ios I believe.
  Gilles.

• Command authorization on ASA

  Hi,
  Can anyone confirm that command authorization works as advertised on the ASA platform? i.e. is anyone doing this successfully at the moment?
  We've no problems with authentication, accounting, NAR's, etc - just the authorization set's.
  thanks,
  Andrew.

  Hi andrew.burns,
  Command authorization should work on ASA. Please review
  Configuring Command Authorization
  http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/mgaccess.htm#wp1042034
  btw - what version of ASA are you using? Also, are you using shared profile components?
  Hope this helps!

• Shell Command Authorization Sets ACS

  hi i followed this guide step by step http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  but still all my user  can use all the commands
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname R3
  boot-start-marker
  boot-end-marker
  aaa new-model
  aaa authentication login milista group tacacs+ local
  aaa authorization config-commands
  aaa authorization exec default group tacacs+ local
  aaa authorization commands 0 default group tacacs+ local
  aaa authorization commands 1 default group tacacs+ local
  aaa authorization commands 15 default group tacacs+ local
  aaa session-id common
  memory-size iomem 5
  ip cef
  no ip domain lookup
  ip auth-proxy max-nodata-conns 3
  ip admission max-nodata-conns 3
  multilink bundle-name authenticated
  username admin privilege 15 secret 5 $1$CS17$3oeNpzTvJAyZTvOUP2qyB1
  archive
  log config
  hidekeys
  interface FastEthernet0/0
  ip address 192.168.20.1 255.255.255.0
  duplex auto
  speed auto
  interface Serial0/0
  no ip address
  shutdown
  clock rate 2000000
  interface FastEthernet0/1
  no ip address
  shutdown
  duplex auto
  speed auto
  interface Serial0/1
  ip address 20.20.20.2 255.255.255.252
  clock rate 2000000
  interface Serial0/2
  no ip address
  shutdown
  clock rate 2000000
  interface Serial0/3
  no ip address
  shutdown
  clock rate 2000000
  router eigrp 1
  network 20.0.0.0
  network 192.168.20.0
  no auto-summary
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  tacacs-server host 192.168.20.2 key cisco
  control-plane
  line con 0
  exec-timeout 0 0
  logging synchronous
  login authentication milista
  line aux 0
  line vty 0 4
  end
  i copy the authorization commands from the cisco forum and follow  the steps but no thing all my users have full access to all commands
  heres my share profile
  name-------------admin jr
  Description---------for jr admin
  unmatched commands------- ()permit  (x)deny
  permint unmatched args()
  enable
  show -------------------------- permit version<cr>
  permit runnig-config<cr>
  then i add this profifle to group 2 and then i add my user to the group 2
  then i log in to the router enter with the user and i still can use ALL the commands i dont know what i am doign bad any idea?
  can you  give me  if you can a guide to setup authorization with ACS i cant find any good guide  jeremy from CBT gives a example but just for authentication i am lost  i am battling with this  prblem since wednesday without luck

  "you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
  Correct me if I am wrong."
  Regards
  Vamsi

• ACS Shell Command Authorization Set + restricted Access

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  Hi  ,
  I have tried to Create a restricted Access  Shell Command Authorization Set on  ACS as told on the Cisco Url
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  After I applied the same on a User  Group I found the users on the group have complete access after typing the conf  t  on the equipments . My ultimate aim was restrict the access only at Interface level , Attached is the config details . Could anyone has come across such scenario . Please check my config and   let me know any thing need to be done specially from My Side
  Thanks in Advance
  Regards
  Vineeth

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  Hi Jatin ,
  first of all Thank you very much . It startted working after aaa authorization config-commands
  here I was trying to achive one  specfic  thing .
  I want to stop  the following commands  on ACS “switchport trunk allowed vlan 103” . I only want allow “add”  after “vlan” and block rest all arguments
  But even after setting the filter on ACS Still we are able to execute the command is there anything like we cannot control the commands after the sub commands
  Also I am attaching the filter list along with this. Could you have look on this and let me know whether I have configured something wrongly. Other than this is there any work around is available to achieve this .
  Thanks and Regards
  Vineeth