Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets

Similar Messages

• ACS Shell Command Authorizations Set

  I have Cisco ACS Server V4.0
  In the shell Command Authorization Set I configure a restrict Access.
  In the privilege mode the restriction of the commands works good, but when I enter in the config prompt the restriction don't works. In this promt I can enter all commands.
  Why This?

  I have the same error with ACS Server 4.2. I can restrict in privilege mode but global config is wide open. Also any command i block in privilege mode can still be executed in global config using the "do" command. How do i block that, or find out what commands the router is sending to the ACS.

• ACS - Shell Command Authorization Sets

  Hi,
  I have had a problem where a set of users in two groups in ACS are struggling entering commands.  The commands are set in the Shell Command Authorization Sets and this hasnt changed.  Other commands are working.  As this is spanning two groups in ACS I am thinking it's not something with the groups but the command sets itself.
  Just to check, the commands are 'clear port-security' and clear mac address-table' - I have entered in Command 'clear' and the following attributes;
  permit port-security
  permit mac address-table'
  I've also ticked 'Permit unmatched args'
  At the same time as this is occuring I have been recieving the following messages from the ACS server via email;
  Test Timed out for service: CSAdmin
  Test Timed out for service: CSAuth
  Test Timed out for service: CSDbSync
  Test Timed out for service: CSLog
  I have looked at other posts and have restarted CSMon.  This then stops the messages for some time, then a day or so later I get the messages again.
  Could this be tied in with the command issue?  Is there something else I should look at other than restarting the server and the CSMon service again?  All other CS' services are running.
  Thanks!!
  Steve

  Thanks for your reply!
  there are no errors, the switch ios is putting the asterics as it does when you enter a command that is not recognised, i.e. for clear port-security the port-security onwards is not recognised.  On this note, the user is entered into priviledge mode and not in configure terminal mode, just base priviledge mode.  The group in ACS is set to max priviledge level 7 and have also set this on the user account in addition.
  I am using ACS v 4.1.
  While I receive the service messages and also when they go away - I always have the authorisation problem.
  Thanks
  Steve

• ACS Shell Command Authorization Set + restricted Access

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  Hi  ,
  I have tried to Create a restricted Access  Shell Command Authorization Set on  ACS as told on the Cisco Url
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  After I applied the same on a User  Group I found the users on the group have complete access after typing the conf  t  on the equipments . My ultimate aim was restrict the access only at Interface level , Attached is the config details . Could anyone has come across such scenario . Please check my config and   let me know any thing need to be done specially from My Side
  Thanks in Advance
  Regards
  Vineeth

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  Hi Jatin ,
  first of all Thank you very much . It startted working after aaa authorization config-commands
  here I was trying to achive one  specfic  thing .
  I want to stop  the following commands  on ACS “switchport trunk allowed vlan 103” . I only want allow “add”  after “vlan” and block rest all arguments
  But even after setting the filter on ACS Still we are able to execute the command is there anything like we cannot control the commands after the sub commands
  Also I am attaching the filter list along with this. Could you have look on this and let me know whether I have configured something wrongly. Other than this is there any work around is available to achieve this .
  Thanks and Regards
  Vineeth

• Shell Command Authorization Sets ACS

  hi i followed this guide step by step http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  but still all my user  can use all the commands
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname R3
  boot-start-marker
  boot-end-marker
  aaa new-model
  aaa authentication login milista group tacacs+ local
  aaa authorization config-commands
  aaa authorization exec default group tacacs+ local
  aaa authorization commands 0 default group tacacs+ local
  aaa authorization commands 1 default group tacacs+ local
  aaa authorization commands 15 default group tacacs+ local
  aaa session-id common
  memory-size iomem 5
  ip cef
  no ip domain lookup
  ip auth-proxy max-nodata-conns 3
  ip admission max-nodata-conns 3
  multilink bundle-name authenticated
  username admin privilege 15 secret 5 $1$CS17$3oeNpzTvJAyZTvOUP2qyB1
  archive
  log config
  hidekeys
  interface FastEthernet0/0
  ip address 192.168.20.1 255.255.255.0
  duplex auto
  speed auto
  interface Serial0/0
  no ip address
  shutdown
  clock rate 2000000
  interface FastEthernet0/1
  no ip address
  shutdown
  duplex auto
  speed auto
  interface Serial0/1
  ip address 20.20.20.2 255.255.255.252
  clock rate 2000000
  interface Serial0/2
  no ip address
  shutdown
  clock rate 2000000
  interface Serial0/3
  no ip address
  shutdown
  clock rate 2000000
  router eigrp 1
  network 20.0.0.0
  network 192.168.20.0
  no auto-summary
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  tacacs-server host 192.168.20.2 key cisco
  control-plane
  line con 0
  exec-timeout 0 0
  logging synchronous
  login authentication milista
  line aux 0
  line vty 0 4
  end
  i copy the authorization commands from the cisco forum and follow  the steps but no thing all my users have full access to all commands
  heres my share profile
  name-------------admin jr
  Description---------for jr admin
  unmatched commands------- ()permit  (x)deny
  permint unmatched args()
  enable
  show -------------------------- permit version<cr>
  permit runnig-config<cr>
  then i add this profifle to group 2 and then i add my user to the group 2
  then i log in to the router enter with the user and i still can use ALL the commands i dont know what i am doign bad any idea?
  can you  give me  if you can a guide to setup authorization with ACS i cant find any good guide  jeremy from CBT gives a example but just for authentication i am lost  i am battling with this  prblem since wednesday without luck

  "you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
  Correct me if I am wrong."
  Regards
  Vamsi

• ACS Shell Command Authorization Sets on IOS and ASA/PIX Configuration

  Hi,
  I need to activate a control privileges of users on various devices.
  I found this interesting document:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  and using a router with IOS 124-11.XV1 work normally while using a switch 2960-24TC with IOS 12.2.25SEE3 not working.
  All users (read and full access) access on a not priviledge mode.
  WHY?
  I have a ACS v3.3 build 2
  I have a 2960-24TC with IOS 12.2.25SEE3
  I tried with a acs v4.1 without success.
  Thanks.

  If you want user to fall directly in enable mode,then you should have this command,
  aaa authorization exec default group tacacs+ if-authenticated
  Bring users/groups in at level 15
  1. Go to user or group setup in ACS
  2. Drop down to "TACACS+ Settings"
  3. Place a check in "Shell (Exec)"
  4. Place a check in "Privilege level" and enter "15" in the adjacent field
  Regards,
  ~JG

• ACS - Shell Command Authorization Set

  Hi
  i am trying to set specific SHOW arguments for a user ,  but the user always gain access to all show arguments , please find below
  privilege exec level 5 show ip route
  aaa authorization commands 5 TELNET group tacacs+
  aaa authorization exec TELNET group tacacs+
  aaa authentication login TAC group tacacs+
  tacacs-server host 10.0.0.100 key ccie-acs
  radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key CISCO
  line vty 0 4
    password cisco
    authorization commands 5 TELNET
    authorization exec TELNET
    login authentication TAC

  By default, there are three command levels on the router:
      privilege level 0 — Includes the disable, enable, exit, help, and logout commands.
      privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
      privilege level 15 — Includes all enable-level commands at the router# prompt.
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
  for example show run, this command is privilege 15 command. Previously, the authorization command for 15 level was not configured on the IOS so your command set was not matching and user was able to run all the commands. Since we have configured 0,1,15 so this would now cover most of the commands.
  Hope this helps.
  Regards,
  Jatin
  Do rate helpful posts-

• ACS SE - Shell Command Authorization

  Hi Sir,
  I have deployed an ACS Solution Engine 4.1(1) Build 23 to provide AAA services for routers/switches login.
  I'd like to create a user group that is restricted to only "show" commands when the users log in to the network devices.
  I have done the following steps:
  (1) Shared Profile Components -> Shell Command Authorization Sets
  Added a new set. Call it NOC. I added the command "show". For "Unmatched Commands", I selected Deny. I also checked "Permit Unmatched Args".
  (2) Group Setup.
  Created a new group. Call it NOC. For Enable Options, I selected "Max Privilege for any AAA Client" value of "Level 7".
  For TACACS+ Settings, I checked "Shell (exec)" and set "Privilege level" to 7.
  For Shell Command Authorization Set, I selected NOC for "Assign a Shell Command Authorization Set for any network device".
  (3) User Setup.
  Created a new user. Call it noc. Assign it to group NOC. All parameters point to group setting.
  (4) The AAA commands on the routers/switches are as follows:
  aaa new-model
  aaa authentication login default group tacacs+ local enable
  aaa authorization exec default group tacacs+ local
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  aaa accounting system default start-stop group tacacs+
  ip tacacs source-interface Loopback0
  tacacs-server host 10.10.10.10 key 0 tacacskey
  When the noc logs in, he's given privilege level 7. True, he's limited to only "show" commands. He can't do "config t". However, he also can't do "show run". Is it normal? I'd need him to be able to do "show run". How to configure the ACS?
  Thank you.
  B.Rgds,
  Lim TS

  Hi Narayan,
  Appreciate your detailed configuration steps.
  My intention is to create a shell command authorization set that allows a user group to only perform "show" commands, including complete config of "sh run". This group is not allowed to configure anything.
  See my original post for my configuration steps. I tied the group to the above authorization set and assigned it Level 7.
  The outcome is, the user can do all "show" commands except "sh run". Of course, he is not authorized for configuration commands.
  I came across the following link:
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
  Perhaps it explains the problem here. If I understand it correctly, a user can't see in the output of "sh run" what he can't configure at his privilege level or below.
  The same issue happens when I configured the following:
  no aaa new-model
  username noc privilege 7 password test
  privilege exec level 7 show
  line vty 0 4
  login local
  The user "noc" can't do "sh run".
  Thank you.
  B.Rgds,
  Lim TS

• ACS 4.0, only 1 Shell Command auth. set possible

  Hi all,
  I am wondering if this is a "hidden feature" of the evaluation software or a bug...
  I am currently running Cisco Acs server v.4.0 (evaluatie version) Win2k3 platform; with authentication, authorization and accouting.
  In a nutshell I have the following setup:
  - group1 uses: Shell Command Authorization Set1
  - group2 uses: Shell Command Authorization Set2
  Problem: Users in group2 are somehow authorized against the commands listed in Shell Auth. Comm. set1 instead of the configured Shell Auth. Comm. set2
  Is it possible that with the evaluation software only one Shell Command Authorization Set is allowed to be active? Does anyone know?
  Many thx
  Sander

  Problem resolved by renaming authorization sets and reloading ACS......
  thx Sander

• Show config not working in ACS "Shell Command Auth set"

  To allow an AAA user access to the "show config" command I have created them an account in ACS and assigned the relevant "Shell Auth Set" but it still does not permit them to use it?, I read that this may not be the command that the switch sends the ACS server. Anyone have any ideas (switch is configured with all AAA commands)

  Hi,
  I am expecting that rest of the shell command authorization configuration is good on the ACS and device. We need to add command show along with the argument in command authorization set. I have attached a sample configuration for reference.
  Please verify the configuration of ACS and device before making any changes from keeping your self locked on the device.
  ACS Shell Command Authorization Sets on IOS and ASA/PIX/FWSM Configuration Example:-
  http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

• Cisco secure ACS - RDBMS Rename a Group-

  Hi,
  I'm currently working with Cisco secure ACS 3.1 and I'm trying to use RDBMS synchronisation with a csv file. I create a accountactions.csv file where I create a new user.
  1,0,TESTuser,,100,,,,,,0,,,0
  2,0,TESTuser,,102,,test,,,,0,,,0
  Until here, all is working fine. But now, I would like to put this user into a Group. This should be done with :
  3,0,TESTuser,Group 30,106,,,,,,0,,,0
  But I would like to know if it's possible to rename or create one Group (e.g rename Group 30 with Group TEST) directly in my csv file ?
  Thank you
  Regards
  Pascal TOURNIER

  Here is what i found works for renaming a default group, as you cannot create more groups beyond what is there.
  SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status
  1,1,,Group 100,210,,BPM,,,,0,,,0
  2,2,,Group 101,210,,CHANNEL SECURE OPS,,,,0,,,0
  3,3,,Group 102,210,,CISCO CNC,,,,0,,,0
  4,4,,Group 103,210,,CISCO NOS,,,,0,,,0
  5,5,,Group 104,210,,CTS,,,,0,,,0
  6,6,,Group 105,210,,DCI,,,,0,,,0
  line 1
  Rename "Group 100" to named group "BPM" using code 210 to perform the Action
  Gerald

• User $enable15$ in Cisco Secure ACS

  Hi all,
  I have a Cisco Secure ACS server, by default it has a username called "$enable15$"; I am using TACACS as the authentication protocol.
  The question is if I need the $enable15$ user configured in the ACS server even if I am using TACACS as the authentication protocol. I want to delete it but I am not sure if it is possible.
  regards
  Regards.

  Group Setup, select the group and click on edit settings and scroll down to "Cisco IOS/PIX 6.x RADIUS Attributes" and enable "cisco-av-pair" and enter shell:priv-lvl=15.

• Cisco Secure ACS v4.x

  Hi
  I am trying to delete all users that belong to a specific ACS group.
  Does anybody know how to delete the entire group (both group settings and all users that reside on this group)?
  Now, I have to delete users one by one.
  BR

  This cannot be done directly from the ACS GUI. To delete users from the ACS server, we have to create a "import.txt" file and then import
  the file through CSUtil on ACS server. The procedure is given below :
  1. Create a "import.txt" file.
  OFFLINE
  DELETE:
  DELETE:
  DELETE:
  DELETE:
  [ username : which you want to delete ]
  2. Save this file in C:/program files/cisco secure ACS v4.2/Utils folder.
  3. Go to the windows command line and issue:
  $BASE\utils\net stop csauth
  $BASE\utils\csutil -i import.txt
  $BASE\utils\net start csauth
  $BASE is the directory where the software is installed.
  Regards,
  Jatin Katyal
  - Do rate helpful posts -

• With Cisco Secure ACS For Windows TACACS+, authentication fails with AD

    I am setting up a Cisco Secure ACS 4.2 server to act as a TACACS server for Switches and Routers  I am using Windows 2003 server for the ACS,
  and a Windows 2003 Active Directory server.  The AD server is fine, as it is used for many other things.
  I have set up ACS as defined nit he installation guide, including all the steps in the 'Member Server' section of the install guide
  when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO'
  on the domain etc).
  I've set the unknown user policy to use the Windows database if the internal database doesn;t contain the user details.
  If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log,
  02/24/2010,05:07:03,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,,(geting error message as INternal Error)
  I've scoured google etc, and just cannot come up with any reason why this should be happening.
    I've followed all the install guides to the letter.  I need to get this up and running as soon as possible,
  so am looking forward to finding out if anyone can help me with this one!
  THanks and regards
  Sharan

  Hi  Jesse,
  Thasts a great answer and Soution.
  My previous version was 4.2 and it was installed on 64 bit machine hence getting internal Error.
  After this answer i have upgraded it to ACS4.2.1 and its started working fine
  Thanks very much for the help
  Dipu

• Setting privileges in Cisco Secure ACS Version 5.1.0.44

  I am setting privileges in Cisco Secure ACS Version 5.1.0.44.
  In the command sets from the ACS server, I denied few commands as can be seen in the attached screenshot and selected 'Permit any command that is not in the table below'.
  I am unable to see some commands like "Show running-configuration" from the router I was testing. What changes should I do to see all the commands other than the denied commands. Your help will be rated. Thank you.

  Hi,
  The ACS is able to handle permit or deny commands.
  I created a configuration example that will help you to understand command shell.(see attach doc)
  Instead of using show running-config please use show config.
  also make sure that all the users are using privilege 15.
  Regards,