Command authorization issue.

Hello.
I'm using commands authorization with Cisco Secure ACS 4.1. This morning I'm going to set the MOTD and entries fail because my banner starts with a blank.
The shell command set that I'm using is a "permit unmatched commands".
Any idea?
Thanks.
Andrea

What you're experiencing is a known defect:
CSCtg38468 cat4k/IOS: banner exec failed with blank characters
Symptom:
%PARSE_RC-4-PRC_NON_COMPLIANCE:
The above parser error can be seen together with traceback, when configuring a banner containing a blank character at the begining of line.
Conditions:
Problem happens, when AAA authorization is used together with TACACS+
Workaround:
Make sure there is no blank character at the begining of line in the banner message.
Problem Details: trying to configure banner exec with blank character at beginning of line failed.
This happens when configuring the banner exec via telnet/ssh !
When configuring the same banner exec via console-port, everything is fine.
Note the blank characters at beginning of each line. When removing those, banner exec works fine.
Again, this was working till IOS version 12.2(46)SG.
Beginning with 12.2(50)SG1 and up, the behaviour has changed.
~BR
Jatin Katyal
**Do rate helpful posts**

Similar Messages

ABAP dump on authorization issue

hello,
I am not sure if this is the correct forum for this or not.
I have an ABAP program that was written before I got here that performs the following statement
<b>OPEN DATASET w_file FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.</b>
where w_file is a file on the app server. the users that run this program have no issues.
I have made a copy of the program to add some additional functionality and when the users run this program, the program is abending with the following error messages when trying to execute the same command stated above
Runtime Error      OPEN_DATASET_NO_AUTHORITY
Except.               CX_SY_FILE_AUTHORITY
I have talking to the security person and he is going to make another role with the authorizations needed to run the program but I am curious as to why the same person can run the one program successfully and my program (which does basically the same thing when it comes to the file processing) abends with the authorization issue.
thanks in advance for your help

I believe you can use FM to check if user has sufficient authorization.
NOTE: authority-check uses PROGRAM NAME, so it looks like your profile should be updated with new program name.
Here is what help says :
                                                                                Check file access authorization
Functionality
This function module allow you to check the user's authorization to
    access files (with the key words OPEN DATASET, READ DATASET, TRANSFER and
    DELETE DATASET). A check should be performed before opening a file.
The authorization check is performed uwing the authorization object
    S_DATASET.
Description of function parameters:
o PROGRAM: Name of the ABAP/4 program that contains the file access. If
       no program name is specified, the system assumes the current program.
o ACTIVITY: Access type. The possible values are:
- READ:              Read file
       - WRITE:             Change file
       - READ_WITH_FILTER: Read file with filter function
       - WRITE_WITH_FILTER: Change file with filter function
       - DELETE:            Delete file
o FILENAME: Name of accessed file
Example
TYPE-POOLS SABC.
CALL FUNCTION 'AUTHORITY_CHECK_DATASET'
         EXPORTING PROGRAM          = 'ZDATASET'
                    ACTIVITY         = SABC_ACT_READ
                    FILENAME         = '/tmp/sapv01'
         EXCEPTIONS NO_AUTHORITY     = 1
                    ACTIVITY_UNKNOWN = 2.
Notes
The values to be passed as the ACTIVITY are defined as constants in the
    TYPE-POOL SABC.

Authorization issues on opening a dataset

hello,
I am not sure if this is the correct forum for this or not.
I have an ABAP program that was written before I got here that performs the following statement
OPEN DATASET w_file FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
where w_file is a file on the app server. the users that run this program have no issues.
I have made a copy of the program to add some additional functionality and when the users run this program, the program is abending with the following error messages when trying to execute the same command stated above
Runtime Error OPEN_DATASET_NO_AUTHORITY
Except. CX_SY_FILE_AUTHORITY
I have talking to the security person and he is going to make another role with the authorizations needed to run the program but I am curious as to why the same person can run the one program successfully and my program (which does basically the same thing when it comes to the file processing) abends with the authorization issue.
thanks in advance for your help

Hi Timothy
Well it is the correct forum
When ever your accessing the file system the authorization object S_DATASET is checked.
This object has Filename, activity and <b>program name</b> as input parameter.
Best Practice would require you to limit access as much as possible, so my guess is that access only has been given to the original program, and not your new one - that's why your getting the ShortDump.
You can find the documentation here: http://help.sap.com/saphelp_webas620/helpdata/en/fc/eb3d5c358411d1829f0000e829fbfe/frameset.htm
Regards
Morten Nielsen

ACS - Shell Command Authorization Sets

Hi,
I have had a problem where a set of users in two groups in ACS are struggling entering commands. The commands are set in the Shell Command Authorization Sets and this hasnt changed. Other commands are working. As this is spanning two groups in ACS I am thinking it's not something with the groups but the command sets itself.
Just to check, the commands are 'clear port-security' and clear mac address-table' - I have entered in Command 'clear' and the following attributes;
permit port-security
permit mac address-table'
I've also ticked 'Permit unmatched args'
At the same time as this is occuring I have been recieving the following messages from the ACS server via email;
Test Timed out for service: CSAdmin
Test Timed out for service: CSAuth
Test Timed out for service: CSDbSync
Test Timed out for service: CSLog
I have looked at other posts and have restarted CSMon. This then stops the messages for some time, then a day or so later I get the messages again.
Could this be tied in with the command issue? Is there something else I should look at other than restarting the server and the CSMon service again? All other CS' services are running.
Thanks!!
Steve

Thanks for your reply!
there are no errors, the switch ios is putting the asterics as it does when you enter a command that is not recognised, i.e. for clear port-security the port-security onwards is not recognised. On this note, the user is entered into priviledge mode and not in configure terminal mode, just base priviledge mode. The group in ACS is set to max priviledge level 7 and have also set this on the user account in addition.
I am using ACS v 4.1.
While I receive the service messages and also when they go away - I always have the authorisation problem.
Thanks
Steve

Shell command authorization

Hi all
I am having a problem with Shell Command Authorization. I have a user setup who I only want to be able to display the config, this is for automated config archival on an hourly basis.
I have configuered the device with the following aaa commands:
aaa new-model
aaa group server tacacs+ ACS
aaa authentication login default group ACS
aaa authentication login NOAUTH none
aaa authorization config-commands
aaa authorization exec default group tacacs+ group ACS
aaa authorization exec NOAUTH none
aaa authorization commands 15 default group ACS
aaa authorization commands 15 NOAUTH none
aaa accounting commands 15 default start-stop group ACS
The static account I have configured logs in ok and can show config etc. Access to conf t is disabled which is good but for some reason he can do any show command instead of just show run which is all I have allowed in the Shell command authorization.
Unmatched commands is set to deny and permit unmatched arguements is unchecked.
ACS is 3.3(2) and the switch I am testing is running 12.1(9)EA1
Any ideas?

Most "show" command are level 1 commands. You can verify this by logging in as a normal user, issue a "sho priv" to ensure you're at level 1, and then type "sho ip route", "sho ver", etc, you'll see that all of them work fine.
Your AAA commands only tell the switch to authorize level 15 commands, so when you do a "sho ver" or the like this command will not be sent off to the ACS server for authorization.
If you add the following:
aaa authorization commands 1 default group ACS
then that shoud fix it, but be careful because it's easy to lock yourself out of being able to get into enable mode (add "enable" into your command set too).
You should also have noticed that all those "show" commands weren't being accounted either, because you have also only enabled accounting for level 15 commands.

ACS command authorization report in conf t mode

Hi, this is probably a quick one, but I couldnt find a solution so far.
We are using command authorization via ACS and are thus able to see (in case of any issues) who has entered which commands at which time on which device. But this only works until someone enters conf t mode. After that I am not getting log entries in the ACS (Version 5). I can see all show commands and who entered the configuration mode, but nothing after that. Config snippet:
aaa new-model
aaa authentication attempts login 5
aaa authentication login default group tacacs+ local line enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
My guess is that I allow all commands with that and thus no authorization is needed.
Any idea?
Thanks
Chris

ACS SE - Shell Command Authorization

Hi Sir,
I have deployed an ACS Solution Engine 4.1(1) Build 23 to provide AAA services for routers/switches login.
I'd like to create a user group that is restricted to only "show" commands when the users log in to the network devices.
I have done the following steps:
(1) Shared Profile Components -> Shell Command Authorization Sets
Added a new set. Call it NOC. I added the command "show". For "Unmatched Commands", I selected Deny. I also checked "Permit Unmatched Args".
(2) Group Setup.
Created a new group. Call it NOC. For Enable Options, I selected "Max Privilege for any AAA Client" value of "Level 7".
For TACACS+ Settings, I checked "Shell (exec)" and set "Privilege level" to 7.
For Shell Command Authorization Set, I selected NOC for "Assign a Shell Command Authorization Set for any network device".
(3) User Setup.
Created a new user. Call it noc. Assign it to group NOC. All parameters point to group setting.
(4) The AAA commands on the routers/switches are as follows:
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
ip tacacs source-interface Loopback0
tacacs-server host 10.10.10.10 key 0 tacacskey
When the noc logs in, he's given privilege level 7. True, he's limited to only "show" commands. He can't do "config t". However, he also can't do "show run". Is it normal? I'd need him to be able to do "show run". How to configure the ACS?
Thank you.
B.Rgds,
Lim TS

Hi Narayan,
Appreciate your detailed configuration steps.
My intention is to create a shell command authorization set that allows a user group to only perform "show" commands, including complete config of "sh run". This group is not allowed to configure anything.
See my original post for my configuration steps. I tied the group to the above authorization set and assigned it Level 7.
The outcome is, the user can do all "show" commands except "sh run". Of course, he is not authorized for configuration commands.
I came across the following link:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
Perhaps it explains the problem here. If I understand it correctly, a user can't see in the output of "sh run" what he can't configure at his privilege level or below.
The same issue happens when I configured the following:
no aaa new-model
username noc privilege 7 password test
privilege exec level 7 show
line vty 0 4
login local
The user "noc" can't do "sh run".
Thank you.
B.Rgds,
Lim TS

ACS command Authorization on PIX Console

I have configured the pix firewall for ACS authentication and command authorization, everything is working fine
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 172.28.x.x x.x.x
aaa-server TACACS+ (inside) host 172.28.x. xx
aaa authentication ssh console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+
but porblem is that i dont wana have ACS authentication while connecting with console. In case of emergency when
ACS down, i wana to get console and access the device by using local username and password
but now after this configuration when i try to access the firewall via console, i m getting error of
command authorization fail.
I dont wana have any command authorization while connected with console, Please tell me how to resolve this issue
I have made the command authorization set in ACS and it is working fine for me,

kindly once again check my modified configuration,
I wanted to use this option in case, ACS goes down and i can console my firewall and but it is not working fine me.
aa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (edn) host 172.28.31.132
aaa-server TACACS+ (edn) host 172.28.31.133
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+
but i m not able to login i m getting following eror
Command authorization failed
TDC-INT-525-01> exit
Command authorization failed
TDC-INT-525-01> exit
Command authorization failed
TDC-INT-525-01> enable
Command authorization failed
i also defined the local command authorization set like this
privilege cmd level 15 mode exec command exit
privilege show level 5 mode exec command running-config
privilege show level 15 mode exec command version
privilege show level 0 mode exec command access-list
privilege show level 0 mode configure command access-list
privilege cmd level 15 mode configure command exit
privilege cmd level 15 mode configure command no
privilege cmd level 0 mode configure command access-list
privilege cmd level 15 mode interface command exit
privilege cmd level 15 mode subinterface command exit
privilege cmd level 15 mode dynupd-method command exit
privilege cmd level 15 mode trange command exit
privilege cmd level 15 mode route-map command exit
privilege cmd level 15 mode router command exit
privilege cmd level 15 mode ldap command exit
privilege cmd level 15 mode aaa-server-host command exit
privilege cmd level 15 mode aaa-server-group command exit
privilege cmd level 15 mode context command exit
privilege cmd level 15 mode group-policy command exit
privilege cmd level 15 mode username command exit
privilege cmd level 15 mode tunnel-group-general command exit
privilege cmd level 15 mode tunnel-group-ipsec command exit
privilege cmd level 15 mode tunnel-group-ppp command exit
privilege cmd level 15 mode mpf-class-map command exit
privilege cmd level 15 mode mpf-policy-map command exit
privilege cmd level 15 mode mpf-policy-map-class command exit
privilege cmd level 15 mode mpf-policy-map-class command exit
privilege cmd level 15 mode mpf-policy-map-param command exit
Please tell me how to solve this problem

AAA Authorization issue

Hi All,
I've got an issue when adding a device to ACS.When I try to login to the device after adding it to the ACS, it does'nt prompt me to enter my tacacs username and password, instead it prompts me to enter the tacacs username/password details when I try to get into the enable mode. Also, once I am in the enable mode, I cant execute any commands as shown below:
Router01#debug aaa authentication
Command authorization failed.
^
% Invalid input detected at '^' marker.
Router01#sh run
Command authorization failed.
% Incomplete command.
The aaa config is as listed below:
aaa authentication login default group TACACS-GROUP enable
aaa authentication enable default group TACACS-GROUP enable
aaa authentication ppp default local
aaa authorization commands 1 default group TACACS-GROUP if-authenticated
aaa authorization commands 15 default group TACACS-GROUP if-authenticated
aaa accounting commands 1 default start-stop group TACACS-GROUP
aaa accounting commands 15 default start-stop group TACACS-GROUP
Everything works fine once I remove the device from ACS. How do I get over this issue? Any advice would be much appreciated.
Regards,
PV

PV,
The reason you are not able to issue any command is because, you have command authorization enabled on Router.
It seems that you don't want that. You need to remove these commands,
no aaa authorization commands 1 default group TACACS-GROUP if-authenticated
no aaa authorization commands 15 default group TACACS-GROUP if-authenticated
These commands are used to authorize what all command user can issue.
Please see this link, it explain about setting up command authorization using acs,
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
Regards,
~JG
Do rate helpful posts

Failover exec and command authorization

Hi, got into a dead end here. I have a pair of ASA firewalls running as active/standby. I'd like to use the 'failover exec' to issue commands on the standby firewall via the active one. This shouldn't be a problem, but we have AAA command authorization configured. And when the active ASA tries to issue a command on the stadby ASA, it gets a 'authorization denied' message. At the ACS we see the auth request being denied, the ASA sends the request using the 'enable_1' user, instead of using the same user connected to the active ASA.
Any clues on how to go around this?
thanks!

Remote command execution lets you send commands entered at the command line to a specific failover peer.
Because configuration commands are replicated from the active unit or context to the standby unit or context, you can use the failover exec command to enter configuration commands on the correct unit, no matter which unit you are logged-in to. For example, if you are logged-in to the standby unit, you can use the failover exec active command to send configuration changes to the active unit. Those changes are then replicated to the standby unit. Do not use the failover exec command to send configuration commands to the standby unit or context; those configuration changes are not replicated to the active unit and the two configurations will no longer be synchronized.
To send a command to a failover peer, perform the steps given in the below URL:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1154924
The below URL helps you in configuring the Active/standby failover:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1058096

Command authorization failed

I have turned on the aaa command authorization without applying adequate privileges to the user. I can now login through that user but the ASA 5510 displays an error :
============================
EUKFW2# show running-config
^
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed
============================
I am unable to make any configuration changes on the firewall. Is there any default user through which I can login and disable the aaa authorization ? if not, how can I resolve this situation ?

No there is no default user. To make him login you need to make changes in the command author set.
Make one command autho set in acs --->shared profile components.
add-->give any name "Full access "---> Put radio button to permit and submit.
Now go to that group-->Under Shell Command Authorization Set---> Choose--->Assign a Shell Command Authorization Set for any network device and select FULL ACCESS from list and submit apply.
Now it should let you in.
Caution : This is let that uses to issue all commands
Find attached the way to set up command authorization.
Trick here is to give all user prov lvl 15 and then apply command autho set.
Having Priv lvl 15 does not mean that user will be able to issue all commands. User will only be able to issue commands that you have listed.
Regards,
~JG
Please rate if helps

Command authorization failed - 'AAA API' detected the 'fatal' condition 'No method could process the authorisation request' % Incomplete command.

we are using CISCO ASR 9006 . and we configured aaa authentication and commit changes after that i am able to login ASR with local user but
no any command execute and get error.
Command authorization failed - 'AAA API' detected the 'fatal' condition 'No method could process the authorisation request'
% Incomplete command.
please help.

Hi Anop
How did you get over this problem? I am having the same issue.
Regards
Rohan

Command authorization failed ACS 5.6

I have a new ACS 5.6 appliance set up that uses Active Directory authentication.
I created a shell profile, mapped it to the authorization rule, and then added devices to the system.
The first device I added was able to use ACS to authenticate and authorize users without any issues. In the ACS logs, it shows me log in and get the shell profile/privileges (15).
The second device I added authenticates me, but then I get a "command authorization failed" message every time I try to do something. In the ACS logs, it shows me log in (using AD), and get the same shell profile (level 15). Not sure what the problem is.
Here are the AAA settings on the switch
aaa authentication login listASH group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec listASH group tacacs+ local
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
tacacs-server host 10.1.2.212
tacacs-server timeout 3
tacacs-server directed-request
tacacs-server key <key>
line vty 0 4
access-class vty-access in
logging synchronous level all
login authentication listASH
transport input ssh
Network connectivity is fine, and obviously, the key works (because I authenticate). Nevertheless, I cannot get proper authorization.

Hmm, the config looks correct, especially if it works on one device but fails on the second. Have you tried to issue some debugs and see if you are getting any errors?
debug aaa authentication
debug aaa authorization
debug tacacs authorization
Also, is there a version of code difference between the two devices? Perhaps you are hitting a bug.
Thank you for rating helpful posts!

Command Authorization Set Show Run Permissions Only

Hi All,
I am trying to set up aaa authorization using Cisco ACS 4.2 so that my Helpdesk Users have the ability to do show commands only.
I have followed the instructions from http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
and this doesn't work as intended.
I have followed the document to a tee but when I log in with my test2 user account it gives me user mode access only (> prompt) instead of Priv Exec (# prompt) but with only show command privileges! I guess this is because I am specifying level 1 access but that's what the doc says to do.......
My config is as follows:
Cisco 2811 Router
aaa new-model
aaa authentication login defaut group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common
ACS 4.2 Config
Shell Command Authorization Set: Name = ReadOnlyAccess - Unmatched commands set to Deny, with the show command configured in the box below and I have checked the Permit Unmatched Args check box next to it
User: Test2 in UserGroup: ReadOnlyGroup with Enable options - Max Priv for any AAA Client: Level 1, TACACS+ - Shell (exec) box checked and Priv level checked and set to 1
Shell Command Authorisation Set - Assign a Shell Command Authorization Set for any network Device radio button selected specifying ReadOnlyAccess as the Command authorisation set to apply.
Thanks in advance
David

All,
I have resolved this issue by giving my Test2 User account Priv 15 access and then specifying the commands that can be permitted within the command authorisation set applied to all devices, which is the way I thought it should be done in the first place

Secured WebDAV Mounted Volume Authorization Issues

I use a secure WebDAV mounted volume from myDisk.se and up until the latest Security Update have had zero issues being able to manipulate files and folders as I would on a normal volume. However, since the installation of the Security Update (2009-004 (PowerPC) 1.0) I find weird things happening with this mounted volume:
1) I am able to mount the secured WebDAV share using my security credentials.
2) I can create a default "untitled" folder but when I try to change its name, the WebDAV authorization dialog pops up and despite entering the same credentials (why, I am not sure as the volume has already been properly credentialed in order to be mounted), access is denied.
3) Trying to create a file within a folder on the mounted WebDAV volume I previously created pre-update causes the same authorization issue.
I have no other WebDAV shares I can try to mount from any other companies so I am not sure if this is a myDisk issue or one borne from the Security Update. I am not a .Mac/MobileMe user and that info is not filled out in System Preferences. The internal hard drive has been meticulously maintained with Disk and Permissions repair being run both before and after each and every software update installed. Likewise, the volume's structure is also checked both before and after and shows no need for repairs.
Any ideas? Perhaps there is a corrupted file somewhere that's affecting the authorizations needed by this third-party WebDAV volume?
The machine that has this problem is the last model iBook G4/1.33GHz 12" display, 1.5GB RAM, and a 100GB 5400rpm HD which replaced the stock OEM 40GB 4200rpm drive about one year ago.
I'm not willing to do an Archive and Install at this point as the loss of the WebDAV access to my online volume is not critical. Inconvenient as heck but not to the point where I'm willing (or able) stop my normal work to spend the hours it will take to get WebDAV access back.
Thanks in advance for any insights.

same problem here with webdav, I can't mount my idisk from university network on Mac Pro 10.5.3 (although it mounts fine from home network on both ibook and PMG5 10.5.3). Everything was fine with 10.5.2 and I already re-installed 10.5.3 combo. Other bugs as well with .Mac prefs (keeps crashing, sometimes it shows the available space on idisk but still no mounting, with error -35 or -8086), but .Mac sync is OK
Jun 11 12:34:21 webdavfs_agent[579]: mounting as authenticated user
Jun 11 12:34:22 kernel[0]: webdav server: http://idisk.mac.com/[username]/: connection is dead
Jun 11 12:34:22 KernelEventAgent[75]: tid 00000000 received VQ_DEAD event (32)
Jun 11 12:34:22 kernel[0]: webdav_sendmsg: sock_connect() = 61
Jun 11 12:34:22 KernelEventAgent[75]: tid 00000000 type 'webdav', mounted on '/Volumes/[username]', from 'http://idisk.mac.com/[username]/', dead
Jun 11 12:34:22 kernel[0]: webdav_sendmsg: sock_connect() = 61
Jun 11 12:34:22 KernelEventAgent[75]: tid 00000000 found 1 filesystem(s) with problem(s)
Jun 11 12:34:22 kernel[0]: webdav_sendmsg: sock_connect() = 61
Jun 11 12:34:52: --- last message repeated 1 time ---

Command authorization issue.

Similar Messages

Maybe you are looking for