Command Authorization in ACS

Hi,
Can anybody tell me how I can permit only the ping command to a group in ACS? What is the actual statement that I want to add in command authorization sets?

Hi Prem,
Can you let me know how I can restrict a group from adding a route? I have the following configured on the ACS under shell authorization:
configure ......permit terminal
interface ......permit fastethernet (permit Unmatched arg)
show............permit vlan
switchport......permit access &
permit vlan
With the above configuration I am still able to add a route to the config.
Also I would like to know the wildcard to be used for enabling all the FastEthernet or GE ports.
Thanks in advance
Narayan

Similar Messages

  • Command Authorization on ACS

    Hi Guys,
    It's like I want to have only a single user ID (could be an AD account or ACS local account) & I want this user account to have level 1 access on some switches and routers, have rights to run specific commands on core devices and firewalls, & have level 15 on access devices.
    So I want to use only one user account & have different levels of access & specific command authorization through ACS.
    Please help me on this.
    Thanks

    Hi ,
    The trick here is to give Priv 15 access to the user in question and then deploy command authorization, so that the user can only execute some specific commands.
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/spc.htm#wp697557
    Pix command,
    username Test password cisco
    username Test privilege 15
    aaa-server TACACS protocol tacacs+
    aaa-server TACACS (outside) host 10.130.102.191 cisco timeout 10
    aaa authentication http console TACACS LOCAL
    aaa authentication ssh console TACACS LOCAL
    aaa authentication telnet console TACACS LOCAL
    aaa authentication enable console TACACS LOCAL
    aaa authorization command TACACS LOCAL <--------- NEEDED FOR COMMAND AUTHORIZATION ON PIX
    Regards,
    ~JG
    Please rate if that helps !

  • Command Authorization in ACS 5.0

    Hi,
    Can anybody route me to a configuration example for command authorization in routers, switches or firewalls for ACS 5.0?
    OR
    USER-A should be placed in privilege level 2 and given access to all debug commands and the undebug all command.
    Assigned the specified commands to level 2:
    privilege exec level 2 undebug all
    privilege exec all level 2 debug
    The commands I applied on the routers are above. How can I set a privilege level of 2 on a user in ACS 5.0?
    Also, if I want to do a shell command authorization set, how can I do it in ACS 5.0?
    Thanks,

    You need to create a shell profile to assign the desired privilege level, and a command set to authorize specific commands, then associate those two with the authorization policy that applies to those users.

  • IOS XR Command authorization with ACS server

    We have a newly implemented ASR 9010 and are trying to figure out how to best configure it with TACACS, as it is slightly different than IOS.
    In ACS, we have two groups: Group 1 and Group 2
    Group 1 allows full access in the shell command authorization set.
    Group 2 allows limited access in the shell command set (basically just show commands).
    Both groups can login fine (aaa authentication login default group <groupname> local)
    Group 1 has full access to everything (group I am in).
    Group 2 has NO access to anything (can't even perform show commands).
    Group 2 CAN access other IOS devices and can perform the various show commands.
    With regards to our authorization commands, we currently have it configured as:
    aaa authorization commands default group <groupname> local
    Why is it working for the one group, but not the other?  I've read how IOS XR uses task Ids and other various things that I'm unfamiliar with.  I'm mainly curious if I have to use those, if the authorized commands are configured in ACS.
    Thanks!
    Kyle

    Don't have enough info to give you a full conclusive answer Kyle, but some suspicions.
    Task group not set right?
    Command groups not defined properly in TACACS for command author.
    If you only want show access, you can just use the task groups in XR with a read permission on any command for instance. No direct need to send every command down to TACACS (hate that slowness).
    More info here:
    https://supportforums.cisco.com/docs/DOC-15944
    xander

  • Shell Command Authorization Sets ACS

    Hi, I followed this guide step by step: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    but still all my users can use all the commands.
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R3
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa authentication login milista group tacacs+ local
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa session-id common
    memory-size iomem 5
    ip cef
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    multilink bundle-name authenticated
    username admin privilege 15 secret 5 $1$CS17$3oeNpzTvJAyZTvOUP2qyB1
    archive
    log config
    hidekeys
    interface FastEthernet0/0
    ip address 192.168.20.1 255.255.255.0
    duplex auto
    speed auto
    interface Serial0/0
    no ip address
    shutdown
    clock rate 2000000
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    interface Serial0/1
    ip address 20.20.20.2 255.255.255.252
    clock rate 2000000
    interface Serial0/2
    no ip address
    shutdown
    clock rate 2000000
    interface Serial0/3
    no ip address
    shutdown
    clock rate 2000000
    router eigrp 1
    network 20.0.0.0
    network 192.168.20.0
    no auto-summary
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    tacacs-server host 192.168.20.2 key cisco
    control-plane
    line con 0
    exec-timeout 0 0
    logging synchronous
    login authentication milista
    line aux 0
    line vty 0 4
    end
    I copied the authorization commands from the Cisco forum and followed the steps, but nothing; all my users have full access to all commands.
    Here's my shared profile:
    name-------------admin jr
    Description---------for jr admin
    unmatched commands------- ()permit  (x)deny
    permit unmatched args()
    enable
    show -------------------------- permit version<cr>
    permit runnig-config<cr>
    Then I add this profile to group 2 and then I add my user to group 2.
    Then I log in to the router with the user and I still can use ALL the commands. I don't know what I am doing wrong, any idea?
    Can you give me, if you can, a guide to set up authorization with ACS? I can't find any good guide; Jeremy from CBT gives an example but just for authentication. I am lost, I have been battling with this problem since Wednesday without luck.

    "You are testing with privilege level 15 or below 15. Because when you are using a below 15 level user, first it will check the local command authorization set. For example if you want to execute the sh runn command with a level 5 user, first it will check the local command set. If the sh runn command exists in the local command set then it will send the request to ACS. If it is not in the command set, it won't send the request to ACS. That's why you don't see debug. For level 15 users it will directly send the request to ACS. Configure the command set locally and try; it should work.
    Correct me if I am wrong."
    Regards
    Vamsi

  • Command authorization failed ACS 5.6

    I have a new ACS 5.6 appliance set up that uses Active Directory authentication.
    I created a shell profile, mapped it to the authorization rule, and then added devices to the system.
    The first device I added was able to use ACS to authenticate and authorize users without any issues. In the ACS logs, it shows me log in and get the shell profile/privileges (15).
    The second device I added authenticates me, but then I get a "command authorization failed" message every time I try to do something. In the ACS logs, it shows me log in (using AD), and get the same shell profile (level 15). Not sure what the problem is.
    Here are the AAA settings on the switch
    aaa authentication login listASH group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec listASH group tacacs+ local
    aaa authorization commands 0 default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    tacacs-server host 10.1.2.212
    tacacs-server timeout 3
    tacacs-server directed-request
    tacacs-server key <key>
    line vty 0 4
    access-class vty-access in
    logging synchronous level all
    login authentication listASH
    transport input ssh
    Network connectivity is fine, and obviously, the key works (because I authenticate). Nevertheless, I cannot get proper authorization.

    Hmm, the config looks correct, especially if it works on one device but fails on the second. Have you tried to issue some debugs and see if you are getting any errors?
    debug aaa authentication
    debug aaa authorization
    debug tacacs authorization
    Also, is there a version of code difference between the two devices? Perhaps you are hitting a bug.
    Thank you for rating helpful posts!

  • TACACS+ command authorization and ACS "Quirk"(?)

    Hi All,
    I've created a limited access command set for a few of my engineers. They can shut/no shut ports, change VLANs on access-ports etc, but they can't access critical ports like uplinks. That's working fine. I'd like to take it a step further and ensure that they can't accidentally assign a server vlan to a user access port. Using ACS 4.2.
    For the example, I'll use Vlan 101, which is one of my server networks.
    My Command set says:
    Command: switchport
    Arguments: permit access, permit vlan, deny 101
    Permit Unmatched Args is UNCHECKED.
    When I debug the aaa authorization, I see this:
    146425: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): user=<my Testuser>
    146426: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV service=shell
    146427: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd=switchport
    146428: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=access
    146429: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=vlan
    146430: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=101
    146431: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=<cr>
    146432: Mar  8 09:39:19.362: AAA/AUTHOR (3413047404): Post authorization status = PASS_ADD
    I know I have the correct command set applied, because it blocks me appropriately for other commands.
    146451: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): user=<my Testuser>
    146452: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV service=shell
    146453: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd=interface
    146454: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=GigabitEthernet
    146455: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=1/1
    146456: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=<cr>
    146457: Mar  8 09:39:22.730: AAA/AUTHOR (838742026): Post authorization status = FAIL
    Any thoughts why it's not working as expected?

    Don’t mean to be ignorant about this, but is there a way to export the config from ACS? Router config section is below…I’ve used this successfully with 4.2 several times…
    ip tacacs source-interface gi 0/0
    tacacs-server directed-request
    tacacs-server key
    tacacs-server host x.x.x.x
    aaa new-model
    aaa authentic login default group tacacs+ local
    aaa authentic login no-tacacs none
    aaa authentic enable default group tacacs+ enable
    aaa author config-commands
    aaa author exec default if-authenticated
    aaa author commands 1 default if-authenticated
    aaa author commands 15 default group tacacs+ local
    aaa author console
    aaa account exec default start-stop group tacacs+
    aaa account commands 0 default start-stop group tacacs+
    aaa account commands 1 default start-stop group tacacs+
    aaa account commands 15 default start-stop group tacacs+
    aaa account connection default start-stop group tacacs+
    aaa account system default start-stop group tacacs+
    aaa session-id common
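To work through the switchport debug in the question above (PASS_ADD for "switchport access vlan 101", FAIL for "interface GigabitEthernet 1/1"), here is a small Python model of how an ACS 4.x shell command authorization set is evaluated. This is an added example written for this page, not ACS or Cisco code; it assumes that each argument line is a regular expression tested in order against the whole argument string with the first match winning, and it also builds the "permit only ping" set asked about in the first post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Toy model of an ACS 4.x Shell Command Authorization Set (assumed semantics,
# not ACS code): for each command, an ordered list of ("permit"|"deny", regex)
# argument lines; the first line whose regex matches the argument string wins.
@dataclass
class CommandRule:
    arg_rules: List[Tuple[str, str]] = field(default_factory=list)
    permit_unmatched_args: bool = False   # the "Permit Unmatched Args" checkbox

@dataclass
class CommandSet:
    commands: Dict[str, CommandRule]
    unmatched_commands: str = "deny"      # the "Unmatched Commands" radio button

def parse_av_pairs(debug_lines: List[str]) -> Tuple[str, str]:
    """Extract the cmd= and cmd-arg= AV pairs from 'debug aaa authorization' output."""
    cmd, args = "", []
    for line in debug_lines:
        m = re.search(r"send AV (cmd|cmd-arg)=(\S+)", line)
        if m and m.group(1) == "cmd":
            cmd = m.group(2)
        elif m and m.group(2) != "<cr>":
            args.append(m.group(2))
    return cmd, " ".join(args)

def authorize(cmdset: CommandSet, cmd: str, argstring: str) -> Tuple[str, str]:
    """Return (decision, reason) for one command, following the assumed ACS lookup order."""
    rule = cmdset.commands.get(cmd)
    if rule is None:
        return cmdset.unmatched_commands, f"{cmd!r} not listed; Unmatched Commands applies"
    for action, pattern in rule.arg_rules:      # top to bottom, first match wins (assumed)
        if re.search(pattern, argstring):
            return action, f"line '{action} {pattern}' matched args {argstring!r}"
    if rule.permit_unmatched_args:
        return "permit", "no argument line matched; Permit Unmatched Args is checked"
    return "deny", "no argument line matched; Permit Unmatched Args is unchecked"

# AV pairs copied from the debug output in the question (timestamps dropped).
SWITCHPORT_DEBUG = [
    "AAA/AUTHOR/TAC+: (3413047404): send AV service=shell",
    "AAA/AUTHOR/TAC+: (3413047404): send AV cmd=switchport",
    "AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=access",
    "AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=vlan",
    "AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=101",
    "AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=<cr>",
]
INTERFACE_DEBUG = [
    "AAA/AUTHOR/TAC+: (838742026): send AV cmd=interface",
    "AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=GigabitEthernet",
    "AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=1/1",
    "AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=<cr>",
]

def set_as_posted() -> CommandSet:
    """switchport: permit access, permit vlan, deny 101, in the order given in the question."""
    return CommandSet({"switchport": CommandRule([("permit", "access"), ("permit", "vlan"), ("deny", "101")])})

def set_deny_first() -> CommandSet:
    """Same lines with the deny evaluated first and anchored so it cannot also match 'vlan 1010'."""
    return CommandSet({"switchport": CommandRule([("deny", r"^access vlan 101$"), ("permit", "access"), ("permit", "vlan")])})

def ping_only_set() -> CommandSet:
    """The 'only ping' set from the first post: any ping argument allowed, every other command denied."""
    return CommandSet({"ping": CommandRule(permit_unmatched_args=True)}, unmatched_commands="deny")

if __name__ == "__main__":
    for cs in (set_as_posted(), set_deny_first()):
        print(authorize(cs, *parse_av_pairs(SWITCHPORT_DEBUG)))
    print(authorize(set_as_posted(), *parse_av_pairs(INTERFACE_DEBUG)))
    print(authorize(ping_only_set(), "show", "running-config"))
```

Under these assumed semantics the posted order returns permit because "permit access" matches "access vlan 101" before "deny 101" is ever reached; checking the deny line with a debug capture like the one above is the quickest way to confirm which line in the set actually fired.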

  • ACS command authorization report in conf t mode

    Hi, this is probably a quick one, but I couldn't find a solution so far.
    We are using command authorization via ACS and are thus able to see (in case of any issues) who has entered which commands at which time on which device. But this only works until someone enters conf t mode. After that I am not getting log entries in the ACS (Version 5). I can see all show commands and who entered the configuration mode, but nothing after that. Config snippet:
    aaa new-model
    aaa authentication attempts login 5
    aaa authentication login default group tacacs+ local line enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common
    My guess is that I allow all commands with that and thus no authorization is needed.
    Any idea?
    Thanks
    Chris

  • Command authorization for ASA

    Hi all
    I have configured the ASA firewall for command authorization with ACS. For users with privilege level 15 it is working fine. But when I log in with users with privilege level 0, first when I enter the username and password, it enters into enable mode. But after that when I put in the enable password, it is not working; the password is not working. I configured it to use the same PAP password option in the ACS enable section for the user. Also, is it possible in ASA, when a user enters username and password, that he could directly log into exec mode rather than enable mode and be assigned the privilege for the user as configured in the ACS user configuration?
    Thanks in advance
    Anvar

    Hi Dan
    I have already configured the enable password using TACACS+. Please find my AAA config on the ASA:
    aaa authentication telnet console TACACS-SERVER LOCAL
    aaa authentication http console TACACS-SERVER LOCAL
    aaa authentication ssh console TACACS-SERVER LOCAL
    aaa authentication enable console TACACS-SERVER LOCAL
    aaa authentication serial console LOCAL
    aaa authorization command TACACS-SERVER LOCAL
    aaa accounting telnet console TACACS-SERVER
    aaa accounting command TACACS-SERVER
    aaa accounting ssh console TACACS-SERVER
    regards
    anvar

  • Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets

    Hello All,
    I am trying to create a user so that I can allow him to run only the commands that I have designated within my "Shell Command Authorization Set". This seems to work great; however, I cannot find anywhere I can "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option to only display commands the user has access to in ACS.
    My Steps:
    Created a user in ACS
    Shared Profile Components
    Create Shell Command Authorization Set - "ReadOnly"
    Unmatched Commands - Deny
    Unchecked - Permit Unmatched Arg
    Commands Added
    permit interface
    permit vlan
    permit snmp contact
    permit power inline
    permit version
    permit switch
    permit controllers utilization
    permit env all
    permit snmp location
    permit ip http server status
    permit logging
    Created a group - "GroupTest" with the following
    Configured - Network Access Restrictions (NAR)
    Max Sessions - Unlimited
    Enable Options - No Enable Privilege
    TACACS+ Settings
    Shell (exec)
    Privilege level is checked with 1 as the assigned level
    Shell Command Authorization Set
    "ReadOnly" - Assign a Shell Command Authorization Set for any network device
    I have configured following on my Router/Switch
    aaa authorization config-commands
    aaa authorization commands 1 default group tacacs+ if-authenticated
    privilege exec level 1 show log
    I have attached below the documentation I have gone over.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624

    "You are testing with privilege level 15 or below 15. Because when you are using a below 15 level user, first it will check the local command authorization set. For example if you want to execute the sh runn command with a level 5 user, first it will check the local command set. If the sh runn command exists in the local command set then it will send the request to ACS. If it is not in the command set, it won't send the request to ACS. That's why you don't see debug. For level 15 users it will directly send the request to ACS. Configure the command set locally and try; it should work.
    Correct me if I am wrong."
    Regards
    Vamsi

  • Command Authorization Config best practice using ACS

    Hi
    Is there any best practices for configuring Command authorization (for router/switch/asa) in CS-ACS? To be specific, is there any best practices to configure authorization for a set of commands allowed for L1,L2,L3 support levels?
    Regards
    V Vinodh.

    Vinodh,
    The main thing here is to ensure that we have a backup/fall-back method configured for command authorization, in order to avoid a lockout situation, or do wr mem once you are sure configs are working fine.
    Please check this link,
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    Regards,
    ~JG
    Do rate helpful posts

  • ACS - Shell Command Authorization Sets

    Hi,
    I have had a problem where a set of users in two groups in ACS are struggling entering commands. The commands are set in the Shell Command Authorization Sets and this hasn't changed. Other commands are working. As this is spanning two groups in ACS I am thinking it's not something with the groups but the command sets themselves.
    Just to check, the commands are 'clear port-security' and 'clear mac address-table'. I have entered Command 'clear' and the following attributes:
    permit port-security
    permit mac address-table
    I've also ticked 'Permit unmatched args'.
    At the same time as this is occurring I have been receiving the following messages from the ACS server via email:
    Test Timed out for service: CSAdmin
    Test Timed out for service: CSAuth
    Test Timed out for service: CSDbSync
    Test Timed out for service: CSLog
    I have looked at other posts and have restarted CSMon.  This then stops the messages for some time, then a day or so later I get the messages again.
    Could this be tied in with the command issue? Is there something else I should look at other than restarting the server and the CSMon service again? All other CS services are running.
    Thanks!!
    Steve

    Thanks for your reply!
    There are no errors; the switch IOS is putting the asterisks as it does when you enter a command that is not recognised, i.e. for clear port-security the port-security onwards is not recognised. On this note, the user is entered into privilege mode and not in configure terminal mode, just base privilege mode. The group in ACS is set to max privilege level 7 and I have also set this on the user account in addition.
    I am using ACS v 4.1.
    While I receive the service messages and also when they go away - I always have the authorisation problem.
    Thanks
    Steve

  • Cisco ACS command authorization sets

    I need help on the following please.
    1. I am using ACS as the TACACS server to control IOS authorization on all our switches. However, I cannot deny telnet sessions to other devices from within CatOS. Does anyone know the command authorization set to deny this within ACS?
    2. Does anyone know where I can read up on command authorization sets for ACS?
    3. What is the debug command for CatOS to see CLI output?
    Many thanks
    Rod

    Thanks for your info. I have solved my problem -
    1. I enabled TACACS administration logging using this command on the switch: aaa authorization commands 15 default group tacacs+
    This let me see what was happening every time I entered a command on CatOS, via the logging monitor on ACS. From here I was able to see that when I was trying to telnet to a device from CatOS it was doing it in privilege mode 1. I then entered this command: aaa authorization commands 1 default group tacacs+ which solved my telnet problem.
    Problem resolved.
    Many thanks.

  • ACS command authorization - deny CatOS "set" commands

    Cisco Secure ACS 4.2
    I have a network support group that I just want to deny the ability to use IOS and CatOS configuration commands.
    I noticed that the Per Group Command Authorization is applicable to only IOS-based commands. I applied it to deny "configure", but permit everything else.
    How do I go about setting this group up to deny set-based commands for the CatOS devices?

    Hi
    CatOS does TACACS+, right? Pretty sure it does. If it has a "shell/exec" service like IOS then ACS won't really care whether the command authorisation is IOS or CatOS; it doesn't have any specific command set knowledge, i.e. it uses string comparisons between what the device is requesting and what is permitted.
    However, if the command authorisations are totally different (between IOS and CatOS devices) you might need to place them into separate NDGs so that you can map an IOS NDG to an IOS device command set and vice versa.
    Hope that makes sense!

  • ACS 3.3 Config Command Authorization

    Hi,
    I want to allow a user only to add/remove routes on a router. The shell command authorization works fine. But when the user is in config mode, he can start any command!
    The debug says:
    1w2d: AAA/AUTHOR: config command authorization not enabled
    How can I enable this and how/where can I configure it on the ACS?
    Thanks in advance

    On ACS just allow the user to enter the "route" command like you have any other shell command they're allowed to do.
    On the router/NAS, you have to tell it specifically that you want authorization for config commands with the following:
    aaa authorization config-commands
    Note that the format of this command changes slightly on different IOS versions, but if you do "aaa authorization ?" you'll be able to figure it out.
