Command authorization for ASA

Similar Messages

• Config commands authorization on ASA

  Hi, is there a way to control the config commands with tacacs+ authorization ?
  When I enable the configure command, in ACS shell coomand authorization set, all other config commands are enabled.
  In IOS there's the "aaa authorization config-commands", how to with ASA ?

  Please check this link that explains about command authorization on ASA.
  these commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:
  aaa-server authserver protocol tacacs+
  aaa-server authserver host 10.1.1.1
  aaa authorization command authserver
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  Regards,
  ~JG
  Do rate helpful posts

• Command authorization on ASA

  Hi,
  Can anyone confirm that command authorization works as advertised on the ASA platform? i.e. is anyone doing this successfully at the moment?
  We've no problems with authentication, accounting, NAR's, etc - just the authorization set's.
  thanks,
  Andrew.

  Hi andrew.burns,
  Command authorization should work on ASA. Please review
  Configuring Command Authorization
  http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/mgaccess.htm#wp1042034
  btw - what version of ASA are you using? Also, are you using shared profile components?
  Hope this helps!

• Command Authorization Config best practice using ACS

  Hi
  Is there any best practices for configuring Command authorization (for router/switch/asa) in CS-ACS? To be specific, is there any best practices to configure authorization for a set of commands allowed for L1,L2,L3 support levels?
  Regards
  V Vinodh.

  Vinodh,
  The main thing here is to ensure that we have backup/fall-back method configured for command authorization, inorder to avoid lockout situation or do wr mem once you are sure configs are working fine.
  Please check this link,
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  Regards,
  ~JG
  Do rate helpful posts

• AAA command authorization ASA

  I have aaa authentication working on my ASA with no problem. I have command authorization working for my account on all my IOS devices with TACACS+ and a Cisco ACS. I can not get command authorization to work on the ASA. Every time I enter the 'aaa authorization command CSACS-TACACS+' the system will not let me do anything else and gives me a user not authroized and the ACS shows no log of this request. I then have to reboot the ASA to get back in.
  Current commands
  aaa authentication ssh console CSACS-TACACS+
  aaa authentication http console CSACS-TACACS+
  Entered commands
  aaa authentication enable console CSACS-TACACS+
  aaa authorization command CSACS-TACACS+

  Douglas,
  Try the following configuration:
  aaa authentication ssh console CSACS-TACACS+
  aaa authentication http console CSACS-TACACS+
  aaa authentication enable console CSACS-TACACS+
  With the previous settings the ASA should be authenticating your username/password and the enable password against the ACS server, if this part works fine then authorization should also be working fine.
  Remember to keep another session open in privilege mode before testing "
  aaa authentication enable console CSACS-TACACS+" command. In the ACS server you should be seeing at least the authentication passed report.

• Shell Command Authorization Sets for device using NDGs??

  Hello. I NDGs configured, there is a group called "GR1" with 30 switch.
  This group is set up a Shell Command Authorization set called "Monitoring", in which only show commands, ping and traceroute are allowed.
  I want to let users switch in only 10 of the group "GR 1" to configure certain interfaces and IP addresses, switch to the other not. ! Note: The number of interface is not the same for each switch, one can be FA0 / 1, but for others it may fa0/3.etc.
  I want to retain these 10 switch within the group "GR1", it is possible to make this configuration?
  - Thanks

  I've edited my earlier post to make it more clear. You can assign Shell Auth. Sets at the user,group or NDG level.More details are mentioned on the following link:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SPC.html#wpmkr697610
  AFAIR, one device (AAA Client) can be part of only one NDG, so you cannot achieve your requirement by using per-NDG Shell Command Authorization sets. Unless you break up the NDG into more than one NDG.
  You can assign the authorization set at the user or group level (after putting the appropriate users in the group) to achive your requirement.
  You could also use the 'privilege' command on the switch to make sure that users can see only the commands you want. E.g. when a user logs in he will be placed at level 7. Now you can keep the undesired commands at level 15 and bring down the desired commands at level 7. All other users would be assigned a lower level (e.g level 5), so they wont be able to run these commands.
  Regards
  Farrukh

• Dynamic User Group Role for ASA 8 ACS 4 External Windows DB

  1. I've successfully got a Win2003 AD user to authenticate to the ASA via an ACS but the default group settings the dynamic user becomes part of don't get transfered to the user. How do I get the user to adopt the group settings?
  2. ASDM recommends nabling authentication for admin console sessions so you don't ssh into a box then have to login as the enable password which isn't logged. When I check the box for this feature I can ssh to the ASA but my password is denied ASA. How do I keep the user credentials all the way to the privilege exec mode?
  3. Back in the day I could configure the ACS shell, privilege 15, custom attributes cisco-av-pair "priv-lvl-15" to get a user to jump directly to privilege exec mode. This doesn't work now. Is there a different way to do this on ACS v 4?
  Thanks in advance,
  Matt

  Try this:
  aaa authentication enable console
  aaa authorization command
  on ACS go to the user or group that the user is in and go to enable options and click on "Max Privilege for any AAA client" and set it to "15". Then go to the "tacacs+" section on click on "Shell(exec)" and click on "Privilege leve" and enter 15. Then go to the "Shell command authorization set" and set the default to permit any commands not listed. This will get the user into privilege mode. In ASA/Pix it requires command authorization and authentication for enable console. On IOS it requires that you use aaa authentication exec and then the aaa authorization exec/command. This will allow the user to go straight into privilege mode instead of user mode.

• Enable authentication for ASA

  hi,
  Im working on AAA authentication for an ASA (ASA 8.0(3) version) box thorough a TACACS+ server in ACS (4.2 version). The setup im working on includes several users in 3 classes: senior (privilege level 15), junior (privilege level 7) and monitoring (privilege level 0), user authentication and command authorization is working fine, however im having problems with enable authentication.
  When an user of junior class try to authenticate the enable password the authentication fails, according to the ACS's log "Tacacs+ enable privilege too low", however the privilege level in ACS for this class is set to level 7. Checking with a sniffer i have find out that the TACACS+ message for authentication sent by ASA is setting the privilege level as level 15, as you can see in the attached screenshot. Of course if the ASA is trying to authenticate enable for a level 15, the authentication will fail according to user's current level.I have local authentication configured in the ASA and it works fine including enable authentication.
  Anyone have had any issue with this or have any idea how resolve this issue?
  thanks all for your replies.

  Seems like you might be hitting bug CSCsh66748.
  Hope you have tried "enable " command to enter enable mode for specific users.
  BTW why are you using different privileges for enable when you already have command authorization in place.
  Regards
  Rohit

• Implement strategy for ASA on TACACS w/ restricted read-only access

  An ASA5550 will need to be configured to use TACACS AAA. Currently, the ASA is setup for local authentication. A couple of privilege 15 admin users and a few more privilege 5 read-only users.
  ASA 5550
  running ASA 8.2(2)
  using ASDM 6.3(5)
  authenticating to ACS 4.2
  The admin users and read-only users already have established TACACS usernames and are in established TACACS user groups for logging into routers/switches.
  What's the best way to implement configuration of the ASA and ACS server to maintain the same type of restrictions that's applied using the local database?
  1. Try and avoid the creation of a second TACACS username for the admin and read-only users.
  2. ACS allows restrictions on what devices can be access by users/groups. Possible to do reverse? Restrict what usernames can access a device in the ACS database.

  If you want to configure ASA for read-only access via tacacs then you have to do the following task
  ASA/PIX/FWSM Configuration
  In addition to your preset configuration, these commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:
      aaa-server authserver protocol tacacs+
      aaa-server authserver host 10.1.1.1
      aaa authorization command authserver
  On the ACS, you need to create command authorization set for only SHOW commands:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#scenario2
  Associate command authorization set with user or group
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#asso2
  Regards,
  Jatin
  Do rate helpful posts-

• Failover exec and command authorization

  Hi, got into a dead end here. I have a pair of ASA firewalls running as active/standby. I'd like to use the 'failover exec' to issue commands on the standby firewall via the active one. This shouldn't be a problem, but we have AAA command authorization configured. And when the active ASA tries to issue a command on the stadby ASA, it gets a 'authorization denied' message. At the ACS we see the auth request being denied, the ASA sends the request using the 'enable_1' user, instead of using the same user connected to the active ASA.
  Any clues on how to go around this?
  thanks!

  Remote command execution lets you send commands entered at the command line to a specific failover peer.
  Because configuration commands are replicated from the active unit or context to the standby unit or context, you can use the failover exec command to enter configuration commands on the correct unit, no matter which unit you are logged-in to. For example, if you are logged-in to the standby unit, you can use the failover exec active command to send configuration changes to the active unit. Those changes are then replicated to the standby unit. Do not use the failover exec command to send configuration commands to the standby unit or context; those configuration changes are not replicated to the active unit and the two configurations will no longer be synchronized.
  To send a command to a failover peer, perform the steps given in the below URL:
  http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1154924
  The below URL helps you in configuring the Active/standby failover:
  http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1058096

• Command authorization failed

  I have turned on the aaa command authorization without applying adequate privileges to the user. I can now login through that user but the ASA 5510 displays an error :
  ============================
  EUKFW2# show running-config
  ^
  ERROR: % Invalid input detected at '^' marker.
  ERROR: Command authorization failed
  ============================
  I am unable to make any configuration changes on the firewall. Is there any default user through which I can login and disable the aaa authorization ? if not, how can I resolve this situation ?

  No there is no default user. To make him login you need to make changes in the command author set.
  Make one command autho set in acs --->shared profile components.
  add-->give any name "Full access "---> Put radio button to permit and submit.
  Now go to that group-->Under Shell Command Authorization Set---> Choose--->Assign a Shell Command Authorization Set for any network device and select FULL ACCESS from list and submit apply.
  Now it should let you in.
  Caution : This is let that uses to issue all commands
  Find attached the way to set up command authorization.
  Trick here is to give all user prov lvl 15 and then apply command autho set.
  Having Priv lvl 15 does not mean that user will be able to issue all commands. User will only be able to issue commands that you have listed.
  Regards,
  ~JG
  Please rate if helps

• Authorizations for user db2 sid after systemcopy  with DB2 V9.7 on AIX

  Hello,
  I made a homogenous systemcopy from the system PRD to ENT with an redirected restore. I had the following system environment:
  AIX 5.3 TL10 SP1
  DB2 V9.7 (without any fixpack)
  After the restore and the recovery were finished, I was able to start the database manager and to activate the database.
  I tried to execute a script for cleanup some tables according to the systemcopy guide but I got the following SQL messages:
  SQL0551N, SQL0552N for the user db2ent. I checked the authorization for this user and got the following information:
  db2 => get authorizations
  Administrative Authorizations for Current User
  Direct SYSADM authority                    = NO
  Direct SYSCTRL authority                   = NO
  Direct SYSMAINT authority                  = NO
  Direct DBADM authority                     = NO
  Direct CREATETAB authority                 = NO
  Direct BINDADD authority                   = NO
  Direct CONNECT authority                   = NO
  Direct CREATE_NOT_FENC authority           = NO
  Direct IMPLICIT_SCHEMA authority           = NO
  Direct LOAD authority                      = NO
  Direct QUIESCE_CONNECT authority           = NO
  Direct CREATE_EXTERNAL_ROUTINE authority   = NO
  Direct SYSMON authority                    = NO
  Indirect SYSADM authority                  = YES
  Indirect SYSCTRL authority                 = NO
  Indirect SYSMAINT authority                = NO
  Indirect DBADM authority                   = NO
  Indirect CREATETAB authority               = NO
  Indirect BINDADD authority                 = NO
  Indirect CONNECT authority                 = NO
  Indirect CREATE_NOT_FENC authority         = NO
  Indirect IMPLICIT_SCHEMA authority         = NO
  Indirect LOAD authority                    = NO
  Indirect QUIESCE_CONNECT authority         = NO
  Indirect CREATE_EXTERNAL_ROUTINE authority = NO
  Indirect SYSMON authority                  = NO
  db2 =>
  The user db2ent was/is in the group dbentadm and the group dbentadm is configured as SYSADM:
  SYSADM group name                        (SYSADM_GROUP) = DBENTADM
  SYSCTRL group name                      (SYSCTRL_GROUP) = DBENTCTL
  SYSMAINT group name                    (SYSMAINT_GROUP) = DBENTMNT
  The only solution was to grant the authorizations with an other user to db2ent.
  For the restore I created an new instance with the following command (as user root):
  /db2/ENT/db2_software/instance/db2icrt -a SERVER_ENCRYPT -s ESE -u db2ent db2ent
  I set the correct DBM configuration and created an empty database as user db2ent with the following command
  db2 create db ENT on /db2/ENT
  The restore was executed with db2 -tvf restore_prd.clp as user db2ent.
  Is there a bug in the db2 software or is there any other solution? I did not changed the environment for the user db2ent.
  The authorization concept has been changed in DB2 V9.7
  http://www-01.ibm.com/support/docview.wss?uid=swg21385801
  Kind regards,
  Christian

  Hello All,
  I finished restore using redirect method, but i did not know about this security issue.
  Now I tried creating db2<oldsid> user and tried granting dbadm secadm priv.
  but i get this error
  db2 => GRANT DBADM to USER DB2P60
  DB21034E  The command was processed as an SQL statement because it was not a
  valid Command Line Processor command.  During SQL processing it returned:
  SQL0707N  The name "DBADM" cannot be used because the specified identifier is
  reserved for system use.  SQLSTATE=42939
  Please help me.
  I need a solution at the earliest possible.
  Thanks,
  Sree

• Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets

  Hello All,
  I am trying to create a user so that I can provide him only to run commands that I have designated them to run within my "Shell Command Authorization Set". This seems to work great, however I cannot find anywhere I can "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option to only display commands the user has access to in ACS.
  My Steps:
  Created a user in ACS
  Shared Profile Components
  Create Shell command Autorization Set - "ReadOnly"
  Unmatched Commands - Deny
  Unchecked - Permit Unmatched Arg
  Commands Added
  permit interface
  permit vlan
  permit snmp contact
  permit power inline
  permit version
  permit switch
  permit controllers utilization
  permit env all
  permit snmp location
  permit ip http server status
  permit logging
  Created a group - "GroupTest" with the following
  Confirgured - Network Access Restrictions (NAR)
  Max Sessions - Unlimited
  Enable Options - No Enable Privilege
  TACACS+ Settings
  Shell (exec)
  Priviledge level is check with 1 as the assigned level
  Shell Command Authorization Set
  "ReadOnly" - Assign a Shell Command Authorization Set for any network device
  I have configured following on my Router/Switch
  aaa authorization config-commands
  aaa authorization commands 1 default group tacacs+ if-authenticated
  privilege exec level 1 show log
  I have attached below the documention I have gone over.
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624

  "you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
  Correct me if I am wrong."
  Regards
  Vamsi

• FTP_CONNECT: User ------- has no access authorization for computer -------.

  Hi, could anyone please help me resolve the following issue:
  When i run the code below, it comes back saying "could not connect to "host". When tried to run in debug or test the FM "ftp_connect" it says "user ..... has no access authorization for computer .....
  REPORT  ZALB_FTP_TEST.
  types: begin of t_ftp_data,
           line(132) type c,
         end of t_ftp_data.
  data: lv_ftp_user(64)                value 'branch'.     "change this
  data: lv_ftp_pwd(64)                 value 'careful'. "change this
  data: lv_ftp_host(50)                value '10.50.1.199'.     "change this
  data: lv_rfc_dest like rscat-rfcdest value 'SAPFTP'.
  data: lv_hdl    type i.
  data: lv_key    type i               value 26101957.
  data: lv_dstlen type i.
  data: lt_ftp_data type table of t_ftp_data.
  field-symbols: <ls_ftp_data> like line of lt_ftp_data.
  *describe field lv_ftp_pwd length lv_dstlen.
  lv_dstlen = strlen( lv_ftp_pwd ).
  call 'AB_RFC_X_SCRAMBLE_STRING'
    id 'SOURCE'      field lv_ftp_pwd
    id 'KEY'         field lv_key
    id 'SCR'         field 'X'
    id 'DESTINATION' field lv_ftp_pwd
    id 'DSTLEN'      field lv_dstlen.
  call function 'FTP_CONNECT'
    exporting
      user            = lv_ftp_user
      password        = lv_ftp_pwd
      host            = lv_ftp_host
      rfc_destination = lv_rfc_dest
    importing
      handle          = lv_hdl
    exceptions
      not_connected   = 1
      others          = 2.
  if sy-subrc ne 0.
    write:/ 'could not connect to', lv_ftp_host.
  else.
    write:/ 'connected successfully. session handle is', lv_hdl.
    call function 'FTP_CONNECT'
      exporting
        handle        = lv_hdl
        command       = 'dir'
      tables
        data          = lt_ftp_data
      exceptions
        tcpip_error   = 1
        command_error = 2
        data_error    = 3
        others        = 4.
    if sy-subrc ne 0.
      write:/ 'could not execute ftp command'.
    else.
      loop at lt_ftp_data assigning <ls_ftp_data>.
        write: / <ls_ftp_data>.
      endloop.
      call function 'FTP_DISCONNECT'
        exporting
          handle = lv_hdl
        exceptions
          others = 1.
      if sy-subrc ne 0.
        write:/ 'could not disconnect from ftp server'.
      else.
        write:/ 'disconnected from ftp server'.
      endif.
    endif.
  endif.
  Thanks in advance for the help.

  It doesn't work for me if I just maintain * entry.
  But it works after I maintained specific IP address into the table,
  ref notes:2072995 - User has no access authorization for computer
  Cause
  The message comes after the implementation of note '1605054 - Restriction in access to FTP Servers & usage of test reports' or upgrading to a
  support package that contains this note. This note was created to prevent malicious users from accessing remote FTP servers.
  Resolution
  1. Please ensure that all manual steps from note 1605054 are implemented in your system along with the code corrections
  2. Then please enter the allowed FTP servers into the table SAPFTP_SERVERS or enter ‘*’ to allow all FTP servers.

• Command authorization error when using aaa cache

  Hi,
  I'm trying to use the aaa cache mode for command authorization. But when I execute a command there is always an error message:
  % tty2 Unknown authorization method 6 set for list command
  The command is then always authorized against the tacacs server.
  The 'authentication login', 'authentication enable' and 'authorization exec' are using the cache properly.
  I have tried it with an Accesspoint AIR-AP1242AG-E-K9, IOS 12.3(8)JEA and a Catalyst WS-C3550-24PWR-SMI, IOS 12.2(35)SE with the same results.
  Deleting the cache entry and using only the tacacs group the error message disappears.
  Any suggestions?
  Thanks.
  Frank
  ======
  config
  ======
  aaa new-model
  aaa group server tacacs+ group_tacacs
  server 10.10.10.10
  server 10.10.10.11
  cache expiry 12
  cache authorization profile admin_user
  cache authentication profile admin_user
  aaa authentication login default cache group_tacacs group group_tacacs local
  aaa authentication enable default cache group_tacacs group group_tacacs enable
  aaa authorization console
  aaa authorization config-commands
  aaa authorization exec default cache group_tacacs group group_tacacs local
  aaa authorization commands 15 default cache group_tacacs group group_tacacs local
  aaa accounting exec default start-stop group group_tacacs
  aaa cache profile admin_user
  profile admin no-auth
  aaa session-id common
  tacacs-server host 10.10.10.10 single-connection
  tacacs-server host 10.10.10.11 single-connection
  tacacs-server directed-request
  tacacs-server key 7 <removed>
  ============
  debug output
  ============
  ap#
  Feb 7 20:02:37: AAA/BIND(00000004): Bind i/f
  Feb 7 20:02:37: AAA/AUTHEN/CACHE(00000004): GET_USER for username NULL
  Feb 7 20:02:39: AAA/AUTHEN/CACHE(00000004): GET_PASSWORD for username admin
  Feb 7 20:02:42: AAA/AUTHEN/CACHE(00000004): PASS for username ^->o
  Feb 7 20:02:42: AAA/AUTHOR (0x4): Pick method list 'default'
  Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV cmd=
  Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV priv-lvl=15
  Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): Authorization successful
  ap#
  Feb 7 20:02:54: AAA: parse name=tty2 idb type=-1 tty=-1
  Feb 7 20:02:54: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
  Feb 7 20:02:54: AAA/MEMORY: create_user (0xBA9C34) user='admin' ruser='ap' ds0=0 port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
  Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Port='tty2' list='' service=CMD
  Feb 7 20:02:54: AAA/AUTHOR/CMD: tty2(787222339) user='admin'
  Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV service=shell
  Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd=show
  Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=running-config
  Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=<cr>
  Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): found list "default"
  Feb 7 20:02:54: % tty2 Unknown authorization method 6 set for list command
  Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = ERROR
  Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Method=group_tacacs (tacacs+)
  Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): user=admin
  Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV service=shell
  Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd=show
  Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=running-config
  Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=<cr>
  Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = PASS_ADD
  Feb 7 20:02:54: AAA/MEMORY: free_user (0xBA9C34) user='admin' ruser='ap' port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE
  priv=15 vrf= (id=0)

  Hi,
  I really do not think that command authorization results will be cached. The cache keeps the user credentials and attributes passed during exec authorization but for command authorization it would have to check with the tacacs server always.
  Regards,
  Vivek