Config commands authorization on ASA

Similar Messages

• ACS 3.3 Config Command Authorization

  Hi,
  I want to allow an user only to add/remove routes on a router. The shell command authorization works fine. But when the user is in config mode, he can start any command!
  The debug says:
  1w2d: AAA/AUTHOR: config command authorization not enabled
  How can I enable this and how/where can I configure it on the ACS?
  Thanks in advance

  On ACs just allow the user to enter the "route" command like you have any other shell command they're allowed to do.
  On the router/NAS, you have to tell it specifically that you want authorization for config commands with the following:
  aaa authorization config-commands
  Note that the format of this command changes slightly on different IOS versions, but if you do "aaa authorization ?" you'll be able to figure it out.

• 3640 - AAA/AUTHOR: config command authorization not enabled

  Hello, I have a 3640 router with c3640-ik9o3sw6-mz.122-8.T.bin version but when I try to validate the username and password with a radius server, the debbug message is "AAA/AUTHOR: config command authorization not enabled" and I'm sure that the radius validates the user and the packet arrive to the router.
  I've tried to update the IOS with c3640-ik9o3s-mz.122-46a.bin and I can validate but I cannot use "crypto isakmp client configuration group mygroup" to configure Easy VPN server.
  I attach you the files with config and logs.
  Thanks you in advance.

  Yep! I'm really running 12.1!
  I'm receiving the message once i include "aaa authorization exec default group radius local if-authenticated" in the config.
  Login is successful, however authorization does not allow me to go directly into enable mode. If I take the aaa authorization line out I can login to user mode and then use the enable password to move forward but that is not what I wish to achieve.
  sh run | i aaa
  aaa new-model
  aaa authentication attempts login 5
  aaa authentication banner ^C
  aaa authentication fail-message ^C
  aaa authentication login My-RADIUS group radius local
  aaa accounting exec My-RADIUS start-stop group radius
  aaa session-id common
  Is there somewhere specific I was suppose to configure the aaa authorization enabled, because I'm not seeing it.
  Let me know what other thoughts you may have.
  Thanks
  Nik

• Command authorization for ASA

  Hi all
     I have configured ASA firewall for command authorization with ACS.For users with privilege level 15 it is working fine.But when i login with users with privilege level 0, first when i enter the username and password ,it enters into enable mode.But after that when i put the enable password ,it is not working.password is not working.I configured to use the same PAP password option in the ACS enable section for the user.Also is it possible in ASA is it possible when user enters username and password,he could directly log into the exec mode rather than enable mode and assign privilege for the user as configured in the ACS user configuration.
  Thanks in advance
  Anvar

  Hi Dan
    I have alredy configured enable password using tacacs+.Please find my aaa config on ASA
  aaa authentication telnet console TACACS-SERVER LOCAL
  aaa authentication http console TACACS-SERVER LOCAL
  aaa authentication ssh console TACACS-SERVER LOCAL
  aaa authentication enable console TACACS-SERVER LOCAL
  aaa authentication serial console LOCAL
  aaa authorization command TACACS-SERVER LOCAL
  aaa accounting telnet console TACACS-SERVER
  aaa accounting command TACACS-SERVER
  aaa accounting ssh console TACACS-SERVER
  regards
  anvar

• Command authorization on ASA

  Hi,
  Can anyone confirm that command authorization works as advertised on the ASA platform? i.e. is anyone doing this successfully at the moment?
  We've no problems with authentication, accounting, NAR's, etc - just the authorization set's.
  thanks,
  Andrew.

  Hi andrew.burns,
  Command authorization should work on ASA. Please review
  Configuring Command Authorization
  http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/mgaccess.htm#wp1042034
  btw - what version of ASA are you using? Also, are you using shared profile components?
  Hope this helps!

• Config command authorization not enabled

  Can someone tell me why I'm getting this message. I'm beginning to think this has something to do with my device failing authorization.
  Show version
  Catalyst 4000 L3 Switch Software (cat4000-I9S-M), Version 12.1(19)EW1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

  Yep! I'm really running 12.1!
  I'm receiving the message once i include "aaa authorization exec default group radius local if-authenticated" in the config.
  Login is successful, however authorization does not allow me to go directly into enable mode. If I take the aaa authorization line out I can login to user mode and then use the enable password to move forward but that is not what I wish to achieve.
  sh run | i aaa
  aaa new-model
  aaa authentication attempts login 5
  aaa authentication banner ^C
  aaa authentication fail-message ^C
  aaa authentication login My-RADIUS group radius local
  aaa accounting exec My-RADIUS start-stop group radius
  aaa session-id common
  Is there somewhere specific I was suppose to configure the aaa authorization enabled, because I'm not seeing it.
  Let me know what other thoughts you may have.
  Thanks
  Nik

• Nexus, command authorization using TACACS.

  Hello.
  Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.
  Thanks.
  Regards.
  Andrea

  Hi Andrea,
  We've moved onto ACS 5.3 now - but we had our Nexus 5520's running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:
  username admin password role network-admin ; local admin user
  feature tacacs+ ; enable the tacacs feature
  tacacs-server host key ; define key for tacacs server
  aaa group server tacacs+ tacacs ; create group called 'tacacs'
      server ;define tacacs server IP
      use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
      source-interface mgmt0 ; ...and send them from the mgmt interface
  aaa authentication login default group tacacs ; use tacacs for login auth
  aaa authentication login console group tacacs  ; use tacacs for console login auth
  aaa authorization config-commands default group tacacs local  ; use tacacs for config command authorization
  aaa authorization commands default group tacacs local  ; use tacacs for normal command authorization
  aaa accounting default group tacacs ; send accounting records to tacacs
  Hope that works for you!
  (That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only) so instead you pass back the nexus role to the 5k - and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k)
  Rob...

• Command Authorization Config best practice using ACS

  Hi
  Is there any best practices for configuring Command authorization (for router/switch/asa) in CS-ACS? To be specific, is there any best practices to configure authorization for a set of commands allowed for L1,L2,L3 support levels?
  Regards
  V Vinodh.

  Vinodh,
  The main thing here is to ensure that we have backup/fall-back method configured for command authorization, inorder to avoid lockout situation or do wr mem once you are sure configs are working fine.
  Please check this link,
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  Regards,
  ~JG
  Do rate helpful posts

• Aaa authorization config-commands

  Hello,
  Can anybody explain what is the purpose of this command. I studied the documentation (command reference) but unable to clearly understand the purpose of this command.
  Thanks in advance,
  Regards,
  Mo

  This was the best desciption of this command I could find on cisco's site. It sounds to me like if you use the no form of this command you will not be able to use any configuration commands.
  Cisco:
  Usage Guidelines
  If the aaa authorization commands level method command is enabled, all commands, including configuration commands, are authorized by authentication, authorization, and accounting (AAA) using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using the no aaa authorization config-commands command stops the network access server from attempting configuration command authorization.
  After the no form of this command has been entered, AAA authorization of configuration commands is completely disabled. Care should be taken before entering the no form of this command because it potentially reduces the amount of administrative control on configuration commands.
  Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization commands level method command.
  Note You will get the same result if you (1) do not configure this command, or (2) configure no aaa authorization config-commands.
  The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:
  aaa new-model
  aaa authorization command 15 group tacacs+ none
  no aaa authorization config-commands
  http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017cf16.html#wp1086510

• Authorization config-commands - doubts

  Hello Everyone,
  So, for AAA Authorization,
  When I issue : aaa authorization commands 15 default local. -> It will authorize every command on the exec for lvl 15.
  The command above will overlap the: aaa authorization config-commands. ?!
  I should use : aaa authorization config-commands. Just when i'm trying to authorize configuration commands ?!

  No, the aaa authorization config-commands is a must for the aaa authorization commands 15 default local to work. If the config-commands is missing from your config then no authorization will happen for level 15 commands. Take a look at this post:
  https://supportforums.cisco.com/discussion/11409121/command-confusion-aaa-authorization-config-commands
  Thank you for rating helpful posts!

• ACS 5.1 command authorization in config mode

  Hello all,
  I have setup an ACS 5.1 system and a Cisco 3560 as test device. On the ACS system I have defined a user that will have limited access to Cisco CLI commands (privilege 15 through Shell Profile and limited commands through Command Sets). While this is working great for commands run under enable mode (meaning that the authorization denied the commands that I've specified in the Command Sets), it seems that it's not working under configure mode (e.g. I have denied commands like "router ospf" , "router bgp" , but the user can still apply them).
  Before I've search this forum and found 2 posts:
  https://supportforums.cisco.com/thread/2041611
  https://supportforums.cisco.com/message/3057298
  that suggest to have the AAA configured with:
  aaa authorization config-commands
  I already have this command and it still doesn't work. Actually my entire AAA config looks like this:
  aaa new-model
  aaa authentication login default group tacacs+ local
  aaa authentication enable default group tacacs+ enable
  aaa authorization config-commands
  aaa authorization exec default group tacacs+ local
  aaa authorization commands 1 default group tacacs+ local
  aaa authorization commands 15 default group tacacs+ local
  Did I miss something? Do you have any suggestion for me?
  Thank you!
  Calin

  can you run a "debug aaa authorization" to see what happens?

• Command confusion - aaa authorization config-commands

  I created a new Shell Command Authorization Set within ACS to only allow a port to be configured for a voice VLAN.
    >> Shell Command Authorization Sets
        Name: Restricted_Voice
        Description: Configure port voice vlan only.
        Unmatched Commands: Deny
        Add: enable
        Add: configure / permit terminal <cr>
        Add: interface / permit Gi*
        Add: interface / permit Fa*
        Add: switchport / permit voice vlan *
  My switch configuration has the following aaa authorization related lines:
       aaa authorization commands 1 default group tacacs+ if-authenticated
       aaa authorization commands 15 default group tacacs+ if-authenticated
  When I tested the Shell Set, I noticed that all (config) mode commands were allowed (ie description, hostname). It was only after I added "aaa authorization config-commands" to the switch configuration did my Shell Set began working as I expected it to be.
  I went and read up the command reference for "aaa authorization config-commands" in
  http://www.cisco.com/en/US/docs/ios/11_3/security/command/reference/sr_auth.html#wp3587.
  My comprehension of the command is that by just issuing ' aaa authorization commands 15 ....' this command encompasses the checking of config mode commands and that I did not need to add the stand-alone "aaa authorization config-commands" statement. But clearly, from my testing, I needed the extra statement.
  It looks like I resolved my issue and need to add the new statement to all my switches, I'm wondering if someone can help clarify the usage guidelines for me.  I'm I one of the few or only one that misinterpreted these "aaa authorization" commands?

  Hi Axa,
  I have a similar setup and have full Exec Level permissions using only aaa authorization commands level method
  The below is taken from cisco.com and explains that you should not require the
  aaa authorization config-commands unless you have at some point used the no aaa authorization config-commands command to prevent configuration commands from the Exec User
  This in essense is a hidden configured default i.e.you switch on auth for config-commands automatically when you use the aaa authorization commands level method command!
  From Cisco.com (I have underlined the key points)
  aaa authorization config-commands
  To disable AAA configuration command authorization in the EXEC mode, use the no form of the aaa authorization config-commands global configuration command. Use the standard form of this command to reestablish the default created when the aaa authorization commands level method1 command was issued.
  aaa authorization config-commands
  no aaa authorization config-commands
  Syntax Description
  This command has no arguments or keywords.
  Defaults
  After the aaa authorization commands level method has been issued, this command is enabled by default—meaning that all configuration commands in the EXEC mode will be authorized.
  Usage Guidelines
  If aaa authorization commands level method is enabled, all commands, including configuration commands, are authorized by AAA using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using no aaa authorization config-commands stops the network access server from attempting configuration command authorization.
  After the no form of this command has been entered, AAA authorization of configuration commands is completely disabled. Care should be taken before entering the no form of this command because it potentially reduces the amount of administrative control on configuration commands.
  Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization commands level method command.
  Examples
  The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:
  aaa new-model
  aaa authorization command 15 tacacs+ none
  no aaa authorization config-commands

• AAA command authorization ASA

  I have aaa authentication working on my ASA with no problem. I have command authorization working for my account on all my IOS devices with TACACS+ and a Cisco ACS. I can not get command authorization to work on the ASA. Every time I enter the 'aaa authorization command CSACS-TACACS+' the system will not let me do anything else and gives me a user not authroized and the ACS shows no log of this request. I then have to reboot the ASA to get back in.
  Current commands
  aaa authentication ssh console CSACS-TACACS+
  aaa authentication http console CSACS-TACACS+
  Entered commands
  aaa authentication enable console CSACS-TACACS+
  aaa authorization command CSACS-TACACS+

  Douglas,
  Try the following configuration:
  aaa authentication ssh console CSACS-TACACS+
  aaa authentication http console CSACS-TACACS+
  aaa authentication enable console CSACS-TACACS+
  With the previous settings the ASA should be authenticating your username/password and the enable password against the ACS server, if this part works fine then authorization should also be working fine.
  Remember to keep another session open in privilege mode before testing "
  aaa authentication enable console CSACS-TACACS+" command. In the ACS server you should be seeing at least the authentication passed report.

• Command authorization failed

  I have turned on the aaa command authorization without applying adequate privileges to the user. I can now login through that user but the ASA 5510 displays an error :
  ============================
  EUKFW2# show running-config
  ^
  ERROR: % Invalid input detected at '^' marker.
  ERROR: Command authorization failed
  ============================
  I am unable to make any configuration changes on the firewall. Is there any default user through which I can login and disable the aaa authorization ? if not, how can I resolve this situation ?

  No there is no default user. To make him login you need to make changes in the command author set.
  Make one command autho set in acs --->shared profile components.
  add-->give any name "Full access "---> Put radio button to permit and submit.
  Now go to that group-->Under Shell Command Authorization Set---> Choose--->Assign a Shell Command Authorization Set for any network device and select FULL ACCESS from list and submit apply.
  Now it should let you in.
  Caution : This is let that uses to issue all commands
  Find attached the way to set up command authorization.
  Trick here is to give all user prov lvl 15 and then apply command autho set.
  Having Priv lvl 15 does not mean that user will be able to issue all commands. User will only be able to issue commands that you have listed.
  Regards,
  ~JG
  Please rate if helps

• Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets

  Hello All,
  I am trying to create a user so that I can provide him only to run commands that I have designated them to run within my "Shell Command Authorization Set". This seems to work great, however I cannot find anywhere I can "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option to only display commands the user has access to in ACS.
  My Steps:
  Created a user in ACS
  Shared Profile Components
  Create Shell command Autorization Set - "ReadOnly"
  Unmatched Commands - Deny
  Unchecked - Permit Unmatched Arg
  Commands Added
  permit interface
  permit vlan
  permit snmp contact
  permit power inline
  permit version
  permit switch
  permit controllers utilization
  permit env all
  permit snmp location
  permit ip http server status
  permit logging
  Created a group - "GroupTest" with the following
  Confirgured - Network Access Restrictions (NAR)
  Max Sessions - Unlimited
  Enable Options - No Enable Privilege
  TACACS+ Settings
  Shell (exec)
  Priviledge level is check with 1 as the assigned level
  Shell Command Authorization Set
  "ReadOnly" - Assign a Shell Command Authorization Set for any network device
  I have configured following on my Router/Switch
  aaa authorization config-commands
  aaa authorization commands 1 default group tacacs+ if-authenticated
  privilege exec level 1 show log
  I have attached below the documention I have gone over.
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624

  "you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
  Correct me if I am wrong."
  Regards
  Vamsi