Command authorization on ASA
Hi,
Can anyone confirm that command authorization works as advertised on the ASA platform? i.e. is anyone doing this successfully at the moment?
We've no problems with authentication, accounting, NARs, etc. - just the authorization sets.
thanks,
Andrew.
Hi andrew.burns,
Command authorization should work on ASA. Please review
Configuring Command Authorization
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/mgaccess.htm#wp1042034
btw - what version of ASA are you using? Also, are you using shared profile components?
Hope this helps!
Similar Messages
-
Config commands authorization on ASA
Hi, is there a way to control the config commands with tacacs+ authorization ?
When I enable the configure command in the ACS shell command authorization set, all other config commands are enabled.
In IOS there's the "aaa authorization config-commands" command; how do I do this with ASA?
Please check this link that explains command authorization on ASA.
These commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:
aaa-server authserver protocol tacacs+
aaa-server authserver host 10.1.1.1
aaa authorization command authserver
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
Regards,
~JG
Do rate helpful posts -
Hi all
I have configured the ASA firewall for command authorization with ACS. For users with privilege level 15 it is working fine. But when I log in with users with privilege level 0, first when I enter the username and password, it enters enable mode. But after that when I put in the enable password, it is not working; the password is not working. I configured the "use the same PAP password" option in the ACS enable section for the user. Also, is it possible in ASA that when the user enters username and password, he could directly log into exec mode rather than enable mode, and be assigned the privilege level configured for the user in the ACS user configuration?
Thanks in advance
Anvar
Hi Dan
I have already configured enable password using tacacs+. Please find my aaa config on ASA:
aaa authentication telnet console TACACS-SERVER LOCAL
aaa authentication http console TACACS-SERVER LOCAL
aaa authentication ssh console TACACS-SERVER LOCAL
aaa authentication enable console TACACS-SERVER LOCAL
aaa authentication serial console LOCAL
aaa authorization command TACACS-SERVER LOCAL
aaa accounting telnet console TACACS-SERVER
aaa accounting command TACACS-SERVER
aaa accounting ssh console TACACS-SERVER
regards
anvar -
I have aaa authentication working on my ASA with no problem. I have command authorization working for my account on all my IOS devices with TACACS+ and a Cisco ACS. I cannot get command authorization to work on the ASA. Every time I enter 'aaa authorization command CSACS-TACACS+' the system will not let me do anything else, gives me a "user not authorized" error, and the ACS shows no log of this request. I then have to reboot the ASA to get back in.
Current commands
aaa authentication ssh console CSACS-TACACS+
aaa authentication http console CSACS-TACACS+
Entered commands
aaa authentication enable console CSACS-TACACS+
aaa authorization command CSACS-TACACS+
Douglas,
Try the following configuration:
aaa authentication ssh console CSACS-TACACS+
aaa authentication http console CSACS-TACACS+
aaa authentication enable console CSACS-TACACS+
With the previous settings the ASA should be authenticating your username/password and the enable password against the ACS server, if this part works fine then authorization should also be working fine.
Remember to keep another session open in privilege mode before testing the "aaa authentication enable console CSACS-TACACS+" command. In the ACS server you should be seeing at least the authentication passed report. -
Command Authorization Config best practice using ACS
Hi
Is there any best practices for configuring Command authorization (for router/switch/asa) in CS-ACS? To be specific, is there any best practices to configure authorization for a set of commands allowed for L1,L2,L3 support levels?
Regards
V Vinodh.
Vinodh,
The main thing here is to ensure that we have a backup/fall-back method configured for command authorization, in order to avoid a lockout situation, or do wr mem once you are sure the configs are working fine.
Please check this link,
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
Regards,
~JG
Do rate helpful posts -
Failover exec and command authorization
Hi, I've got into a dead end here. I have a pair of ASA firewalls running as active/standby. I'd like to use 'failover exec' to issue commands on the standby firewall via the active one. This shouldn't be a problem, but we have AAA command authorization configured. And when the active ASA tries to issue a command on the standby ASA, it gets an 'authorization denied' message. At the ACS we see the auth request being denied: the ASA sends the request using the 'enable_1' user, instead of using the same user connected to the active ASA.
Any clues on how to go around this?
thanks!
Remote command execution lets you send commands entered at the command line to a specific failover peer.
Because configuration commands are replicated from the active unit or context to the standby unit or context, you can use the failover exec command to enter configuration commands on the correct unit, no matter which unit you are logged-in to. For example, if you are logged-in to the standby unit, you can use the failover exec active command to send configuration changes to the active unit. Those changes are then replicated to the standby unit. Do not use the failover exec command to send configuration commands to the standby unit or context; those configuration changes are not replicated to the active unit and the two configurations will no longer be synchronized.
To send a command to a failover peer, perform the steps given in the below URL:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1154924
The below URL helps you in configuring the Active/standby failover:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1058096 -
I have turned on the aaa command authorization without applying adequate privileges to the user. I can now login through that user but the ASA 5510 displays an error :
============================
EUKFW2# show running-config
^
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed
============================
I am unable to make any configuration changes on the firewall. Is there any default user through which I can log in and disable the aaa authorization? If not, how can I resolve this situation?
No, there is no default user. To make him log in you need to make changes in the command authorization set.
Make one command authorization set in ACS ---> Shared Profile Components.
Add --> give any name "Full access" ---> put the radio button to permit and submit.
Now go to that group --> under Shell Command Authorization Set ---> choose ---> Assign a Shell Command Authorization Set for any network device, select FULL ACCESS from the list and submit/apply.
Now it should let you in.
Caution: this will let that user issue all commands.
Find attached the way to set up command authorization.
The trick here is to give all users priv lvl 15 and then apply the command authorization set.
Having priv lvl 15 does not mean that the user will be able to issue all commands. The user will only be able to issue the commands that you have listed.
Regards,
~JG
Please rate if helps -
Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets
Hello All,
I am trying to create a user so that he can only run the commands I have designated within my "Shell Command Authorization Set". This seems to work great; however, I cannot find anywhere I can "hide" the commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option in ACS to only display the commands the user has access to.
My Steps:
Created a user in ACS
Shared Profile Components
Create Shell Command Authorization Set - "ReadOnly"
Unmatched Commands - Deny
Unchecked - Permit Unmatched Arg
Commands Added
permit interface
permit vlan
permit snmp contact
permit power inline
permit version
permit switch
permit controllers utilization
permit env all
permit snmp location
permit ip http server status
permit logging
Created a group - "GroupTest" with the following
Configured - Network Access Restrictions (NAR)
Max Sessions - Unlimited
Enable Options - No Enable Privilege
TACACS+ Settings
Shell (exec)
Privilege level is checked, with 1 as the assigned level
Shell Command Authorization Set
"ReadOnly" - Assign a Shell Command Authorization Set for any network device
I have configured following on my Router/Switch
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ if-authenticated
privilege exec level 1 show log
I have attached below the documentation I have gone over.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624
"You are testing with privilege level 15 or below 15. Because when you are using a below-15 level user, first it will check the local command authorization set. For example, if you want to execute the sh runn command with a level 5 user, first it will check the local command set. If the sh runn command exists in the local command set then it will send the request to ACS. If it is not in the command set, it won't send the request to ACS. That's why you don't see debug. For level 15 users it will directly send the request to ACS. Configure the command set locally and try; it should work.
Correct me if I am wrong."
Regards
Vamsi -
Command authorization error when using aaa cache
Hi,
I'm trying to use the aaa cache mode for command authorization. But when I execute a command there is always an error message:
% tty2 Unknown authorization method 6 set for list command
The command is then always authorized against the tacacs server.
The 'authentication login', 'authentication enable' and 'authorization exec' are using the cache properly.
I have tried it with an Accesspoint AIR-AP1242AG-E-K9, IOS 12.3(8)JEA and a Catalyst WS-C3550-24PWR-SMI, IOS 12.2(35)SE with the same results.
When I delete the cache entry and use only the tacacs group, the error message disappears.
Any suggestions?
Thanks.
Frank
======
config
======
aaa new-model
aaa group server tacacs+ group_tacacs
server 10.10.10.10
server 10.10.10.11
cache expiry 12
cache authorization profile admin_user
cache authentication profile admin_user
aaa authentication login default cache group_tacacs group group_tacacs local
aaa authentication enable default cache group_tacacs group group_tacacs enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default cache group_tacacs group group_tacacs local
aaa authorization commands 15 default cache group_tacacs group group_tacacs local
aaa accounting exec default start-stop group group_tacacs
aaa cache profile admin_user
profile admin no-auth
aaa session-id common
tacacs-server host 10.10.10.10 single-connection
tacacs-server host 10.10.10.11 single-connection
tacacs-server directed-request
tacacs-server key 7 <removed>
============
debug output
============
ap#
Feb 7 20:02:37: AAA/BIND(00000004): Bind i/f
Feb 7 20:02:37: AAA/AUTHEN/CACHE(00000004): GET_USER for username NULL
Feb 7 20:02:39: AAA/AUTHEN/CACHE(00000004): GET_PASSWORD for username admin
Feb 7 20:02:42: AAA/AUTHEN/CACHE(00000004): PASS for username ^->o
Feb 7 20:02:42: AAA/AUTHOR (0x4): Pick method list 'default'
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV cmd=
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV priv-lvl=15
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): Authorization successful
ap#
Feb 7 20:02:54: AAA: parse name=tty2 idb type=-1 tty=-1
Feb 7 20:02:54: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Feb 7 20:02:54: AAA/MEMORY: create_user (0xBA9C34) user='admin' ruser='ap' ds0=0 port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Port='tty2' list='' service=CMD
Feb 7 20:02:54: AAA/AUTHOR/CMD: tty2(787222339) user='admin'
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV service=shell
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd=show
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): found list "default"
Feb 7 20:02:54: % tty2 Unknown authorization method 6 set for list command
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = ERROR
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Method=group_tacacs (tacacs+)
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): user=admin
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV service=shell
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd=show
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = PASS_ADD
Feb 7 20:02:54: AAA/MEMORY: free_user (0xBA9C34) user='admin' ruser='ap' port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE
priv=15 vrf= (id=0)
Hi,
I really do not think that command authorization results will be cached. The cache keeps the user credentials and attributes passed during exec authorization but for command authorization it would have to check with the tacacs server always.
Regards,
Vivek -
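To make debug excerpts like the one above easier to read, here is a small parser, added here and not part of the original post or of any Cisco tool, that groups the AAA/AUTHOR/CMD lines by request id and records, for each request, the user, the reassembled command and the result each method returned. The sample input is constructed to mirror the thread's output (the cache method reporting "Unknown authorization method 6" with status ERROR, then the TACACS+ method answering PASS_ADD) plus a second, denied request; the line formats are taken from the quoted debug, and everything beyond them is an assumption of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of "debug aaa authorization" output quoted in the thread.
SAMPLE_DEBUG = """\
Feb 7 20:02:54: AAA/AUTHOR/CMD: tty2(787222339) user='admin'
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV service=shell
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd=show
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): found list "default"
Feb 7 20:02:54: % tty2 Unknown authorization method 6 set for list command
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = ERROR
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Method=group_tacacs (tacacs+)
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = PASS_ADD
Feb 7 20:03:10: AAA/AUTHOR/CMD: tty2(787222340) user='admin'
Feb 7 20:03:10: tty2 AAA/AUTHOR/CMD(787222340): send AV cmd=configure
Feb 7 20:03:10: tty2 AAA/AUTHOR/CMD(787222340): send AV cmd-arg=terminal
Feb 7 20:03:10: tty2 AAA/AUTHOR/CMD(787222340): send AV cmd-arg=<cr>
Feb 7 20:03:10: tty2 AAA/AUTHOR/CMD(787222340): Method=group_tacacs (tacacs+)
Feb 7 20:03:10: AAA/AUTHOR (787222340): Post authorization status = FAIL
"""

@dataclass
class AuthzRequest:
    req_id: str
    user: str = ""
    cmd: str = ""
    args: List[str] = field(default_factory=list)
    attempts: List[Tuple[str, str]] = field(default_factory=list)  # (method, status), in order

RE_USER = re.compile(r"AAA/AUTHOR/CMD: \S+\((\d+)\) user='([^']*)'")
RE_AV = re.compile(r"AAA/AUTHOR/CMD\((\d+)\): send AV (cmd|cmd-arg)=(.*)$")
RE_METHOD = re.compile(r"AAA/AUTHOR/CMD\((\d+)\): Method=(\S+)")
RE_UNKNOWN = re.compile(r"% \S+ Unknown authorization method (\d+) set for list (\S+)")
RE_STATUS = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\S+)")

def parse_author_debug(text: str) -> Dict[str, AuthzRequest]:
    """Group AAA/AUTHOR lines by request id; pair each status line with the method named before it."""
    requests: Dict[str, AuthzRequest] = {}
    current: Optional[str] = None          # request id most recently seen
    pending_method: Optional[str] = None   # method named since the last status line

    def get(req_id: str) -> AuthzRequest:
        nonlocal current
        current = req_id
        return requests.setdefault(req_id, AuthzRequest(req_id))

    for line in text.splitlines():
        m = RE_USER.search(line)
        if m:
            get(m.group(1)).user = m.group(2)
            continue
        m = RE_AV.search(line)
        if m:
            req = get(m.group(1))
            if m.group(2) == "cmd":
                req.cmd = m.group(3).strip()
            else:
                req.args.append(m.group(3).strip())
            continue
        m = RE_METHOD.search(line)
        if m:
            get(m.group(1))
            pending_method = m.group(2)
            continue
        m = RE_UNKNOWN.search(line)
        if m and current is not None:
            # The failing method is not named on this line; keep its number instead.
            pending_method = f"unknown-method-{m.group(1)}"
            continue
        m = RE_STATUS.search(line)
        if m:
            get(m.group(1)).attempts.append((pending_method or "unspecified", m.group(2)))
            pending_method = None
    return requests

def command_line(req: AuthzRequest) -> str:
    """Reassemble the typed command from the cmd / cmd-arg AV pairs (dropping <cr>)."""
    return " ".join([req.cmd] + [a for a in req.args if a != "<cr>"])

def final_status(req: AuthzRequest) -> str:
    return req.attempts[-1][1] if req.attempts else "NONE"

def fell_back(req: AuthzRequest) -> bool:
    """True when an earlier method returned ERROR and a later method answered instead."""
    return (len(req.attempts) > 1
            and any(status == "ERROR" for _, status in req.attempts[:-1])
            and req.attempts[-1][1] != "ERROR")

def summarize(text: str) -> List[str]:
    out = []
    for req in parse_author_debug(text).values():
        via = req.attempts[-1][0] if req.attempts else "-"
        note = " (fell back after method error)" if fell_back(req) else ""
        out.append(f"{req.req_id} user={req.user} cmd='{command_line(req)}' "
                   f"status={final_status(req)} via {via}{note}")
    return out

if __name__ == "__main__":
    for line in summarize(SAMPLE_DEBUG):
        print(line)
```

The "fell back" flag is the interesting one for a reviewer: a request whose first method ended in ERROR and whose answer came from the next method in the list is exactly the pattern the thread shows, and it is worth alerting on, since the device keeps working only as long as the later method (here the TACACS+ group) is reachable.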
ACS - Shell Command Authorization Sets
Hi,
I have had a problem where a set of users in two groups in ACS are struggling entering commands. The commands are set in the Shell Command Authorization Sets and this hasn't changed. Other commands are working. As this is spanning two groups in ACS I am thinking it's not something with the groups but the command sets themselves.
Just to check, the commands are 'clear port-security' and 'clear mac address-table' - I have entered the command 'clear' with the following attributes:
permit port-security
permit mac address-table
I've also ticked 'Permit unmatched args'.
At the same time as this is occurring I have been receiving the following messages from the ACS server via email:
Test Timed out for service: CSAdmin
Test Timed out for service: CSAuth
Test Timed out for service: CSDbSync
Test Timed out for service: CSLog
I have looked at other posts and have restarted CSMon. This then stops the messages for some time, then a day or so later I get the messages again.
Could this be tied in with the command issue? Is there something else I should look at other than restarting the server and the CSMon service again? All other CS services are running.
Thanks!!
Steve
Thanks for your reply!
There are no errors; the switch IOS is putting the asterisks as it does when you enter a command that is not recognised, i.e. for clear port-security, the port-security onwards is not recognised. On this note, the user is entered into privilege mode and not into configure terminal mode, just base privilege mode. The group in ACS is set to max privilege level 7 and I have also set this on the user account in addition.
I am using ACS v 4.1.
While I receive the service messages and also when they go away - I always have the authorisation problem.
Thanks
Steve -
Hi,
Can anybody tell me how I can permit only the ping command to a group in ACS? What is the actual statement that I want to add in the command authorization sets?
Hi Prem,
Can you let me know how I can restrict a group from adding a route? I have the following configured on the ACS under shell authorization:
configure ......permit terminal
interface ......permit fastethernet (permit Unmatched arg)
show............permit vlan
switchport......permit access &
permit vlan
With the above configuration I am still able to add a route to the config.
Also I would like to know the wildcard to be used for enabling all the FastEthernet or GE ports.
thanks in advance
Narayan -
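The "ReadOnly" show-only set in the ACS 4.2 post above and the configure/interface/show/switchport set in the last question both come down to the same evaluation: the typed command is looked up in the set, its arguments are checked against that command's permit/deny lines, and the "Unmatched Commands" and "Permit Unmatched Args" settings decide everything that is not listed. The Python model below is an added example, not code from the page or from Cisco ACS; the set contents are constructed from the two posts, and the matching rules it uses (a command matched on its first word, each argument line treated as a regular expression anchored at the start of the argument string) are the model's own simplifying assumptions, to be verified against the documentation of the ACS version in use.

```python
import re
from dataclasses import dataclass, field, replace
from typing import Dict, List, Tuple

@dataclass
class CommandRule:
    """Per-command entry of a shell command authorization set."""
    permit_args: List[str] = field(default_factory=list)
    deny_args: List[str] = field(default_factory=list)
    permit_unmatched_args: bool = False   # the per-command "Permit Unmatched Args" box

@dataclass
class CommandAuthSet:
    name: str
    rules: Dict[str, CommandRule] = field(default_factory=dict)
    permit_unmatched_commands: bool = False   # "Unmatched Commands: Permit / Deny"

def _arg_matches(pattern: str, args: str) -> bool:
    # Assumption of this model: an argument line is a regex anchored at the start of the
    # argument string, so "vlan" covers "vlan 10" and "snmp contact" covers "snmp contact".
    return re.match(pattern, args) is not None

def authorize(aset: CommandAuthSet, line: str) -> Tuple[bool, str]:
    """Return (permitted, reason) for one typed command line."""
    words = line.split()
    if not words:
        return False, "empty command"
    cmd, args = words[0], " ".join(words[1:])
    rule = aset.rules.get(cmd)
    if rule is None:
        if aset.permit_unmatched_commands:
            return True, f"'{cmd}' is not listed and unmatched commands are permitted"
        return False, f"'{cmd}' is not listed and unmatched commands are denied"
    for pat in rule.deny_args:            # deny lines win over permit lines
        if _arg_matches(pat, args):
            return False, f"'{cmd}' arguments match deny '{pat}'"
    for pat in rule.permit_args:
        if _arg_matches(pat, args):
            return True, f"'{cmd}' arguments match permit '{pat}'"
    if rule.permit_unmatched_args:
        return True, f"'{cmd}' arguments unmatched but unmatched args are permitted"
    return False, f"'{cmd}' arguments unmatched and unmatched args are denied"

def audit(aset: CommandAuthSet, lines: List[str]) -> List[Tuple[str, bool, str]]:
    """Evaluate a batch of command lines against a set, e.g. to review it before rollout."""
    return [(line, *authorize(aset, line)) for line in lines]

# Constructed from the posts above; not exported from any ACS.
READ_ONLY = CommandAuthSet(
    name="ReadOnly",
    permit_unmatched_commands=False,       # "Unmatched Commands - Deny"
    rules={"show": CommandRule(
        permit_args=["interface", "vlan", "snmp contact", "power inline", "version",
                     "env all", "snmp location", "ip http server status", "logging"],
        permit_unmatched_args=False)},     # "Unchecked - Permit Unmatched Arg"
)

L2_SUPPORT = CommandAuthSet(
    name="L2-support",
    permit_unmatched_commands=False,
    rules={
        "configure":  CommandRule(permit_args=["terminal"]),
        "interface":  CommandRule(permit_args=["fastethernet"], permit_unmatched_args=True),
        "show":       CommandRule(permit_args=["vlan"]),
        "switchport": CommandRule(permit_args=["access", "vlan"]),
    },
)

# Same command list, but with unmatched commands permitted instead of denied.
PERMISSIVE = replace(L2_SUPPORT, name="L2-permissive", permit_unmatched_commands=True)

if __name__ == "__main__":
    sample = ["show version", "show running-config", "configure terminal",
              "interface fastethernet0/1", "ip route 10.0.0.0 255.0.0.0 192.168.1.1"]
    for aset in (READ_ONLY, L2_SUPPORT, PERMISSIVE):
        print(f"== {aset.name}")
        for line, ok, why in audit(aset, sample):
            print(f"  {'PERMIT' if ok else 'DENY  '} {line!r}: {why}")
```

Running the audit against the two variants of the second set shows what the "Unmatched Commands" setting does: "ip route ..." matches no listed command, so it is denied only when unmatched commands are denied, and no amount of tightening the argument lines of the listed commands changes that. In the model, a pattern such as "(fast|gigabit)ethernet.*" would cover every port of both types; whether a given ACS version accepts that regex syntax in argument lines is a question for its documentation.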
Command Authorization in ACS 5.0
Hi,
Can anybody route me to configuration example for command authorization in routers or switches or firewall for ACS 5.0.
OR
USER-A should be placed in privilege level 2 and given access to all debug commands and the undebug all command.
Assigned specified commands to level 2
privilege exec level 2 undebug all
privilege exec all level 2 debug
The commands I applied on the routers are above. How can I set a privilege level of 2 on a user in ACS 5.0?
Also, if I want to do a shell command authorization set, how can I do it in ACS 5.0?
Thanks,
You need to create a shell profile to assign the desired privilege level, and a command set to authorize specific commands, then associate those two with the authorization policy that applies to those users.
-
Command authorization issue.
Hello.
I'm using commands authorization with Cisco Secure ACS 4.1. This morning I'm going to set the MOTD and entries fail because my banner starts with a blank.
The shell command set that I'm using is a "permit unmatched commands".
Any idea?
Thanks.
Andrea
What you're experiencing is a known defect:
CSCtg38468 cat4k/IOS: banner exec failed with blank characters
Symptom:
%PARSE_RC-4-PRC_NON_COMPLIANCE:
The above parser error can be seen together with a traceback when configuring a banner containing a blank character at the beginning of a line.
Conditions:
Problem happens, when AAA authorization is used together with TACACS+
Workaround:
Make sure there is no blank character at the beginning of a line in the banner message.
Problem Details: trying to configure banner exec with blank character at beginning of line failed.
This happens when configuring the banner exec via telnet/ssh !
When configuring the same banner exec via console-port, everything is fine.
Note the blank characters at beginning of each line. When removing those, banner exec works fine.
Again, this was working till IOS version 12.2(46)SG.
Beginning with 12.2(50)SG1 and up, the behaviour has changed.
~BR
Jatin Katyal
**Do rate helpful posts** -
Cisco ACS command authorization sets
I need help on the following please.
1. I am using ACS as the TACACS server to control IOS authorization on all our switches; however, I cannot deny telnet sessions to other devices from within CatOS. Does anyone know the command authorization set to deny this within ACS?
2. Does anyone know where I can read up on command authorization sets for ACS?
3. What is the debug command for CatOS to see CLI output?
Many thanks
Rod
Thanks for your info. I have solved my problem -
1. I enabled TACACS administration logging using the command aaa authorization commands 15 default group tacacs+ on the switch.
This let me see what was happening every time I entered a command on CatOS, via the logging monitor on ACS. From here I was able to see that when I was trying to telnet to a device from CatOS it was doing it at privilege level 1. I then entered the command aaa authorization commands 1 default group tacacs+, which solved my telnet problem.
Problem resolved.
Many thanks. -
Nexus, command authorization using TACACS.
Hello.
Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.
Thanks.
Regards.
Andrea
Hi Andrea,
We've moved onto ACS 5.3 now - but we had our Nexus 5520's running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:
username admin password role network-admin ; local admin user
feature tacacs+ ; enable the tacacs feature
tacacs-server host key ; define key for tacacs server
aaa group server tacacs+ tacacs ; create group called 'tacacs'
server ;define tacacs server IP
use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
source-interface mgmt0 ; ...and send them from the mgmt interface
aaa authentication login default group tacacs ; use tacacs for login auth
aaa authentication login console group tacacs ; use tacacs for console login auth
aaa authorization config-commands default group tacacs local ; use tacacs for config command authorization
aaa authorization commands default group tacacs local ; use tacacs for normal command authorization
aaa accounting default group tacacs ; send accounting records to tacacs
Hope that works for you!
(That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only) so instead you pass back the nexus role to the 5k - and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k)
Rob...