Exclude specific user from aaa authorization commands
Hi there,
I am trying to find a solution to exclude specific users from being authorized (AAA command authorization) when entering commands on the switch/router.
We use an AAA setup with Cisco ACS. On the devices we use:
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
Is it possible to exclude a user, say User1, from being command authorized?
In other words, when User1 logs on the switch/router, the switch/router shouldn't check the ACS if User1 is authorized to use this command.
We tried this with method lists in combination with ACLs on the VTYs:
line VTY 0
access-class 1 in
line VTY 1
access-class 2 in
Let's say User1 always logs in from a specific IP, which is listed in access-list 2; the switch would then use the method configured under line vty 1.
But apparently, when a remote connection is established, the switch/router uses the first available VTY instead of checking which ACL matches the user's source IP.
Does anyone have some tips/tricks how to handle this?
Maybe a custom attribute from the ACS?
Kind Regards
If that user belongs to a unique group then you can write a policy where "if the user is in group x then return access_reject", or return access_accept but set the privilege level to 1 and block all commands.
Similar Messages
-
Exclude specific user from ACS logging ?
Hi,
My customer and I are looking for a way to exclude actions/commands logging on AAA servers (ACS) for a single specific user, though logging still goes on for other users as AAA clients on networks devices have been configured with:
aaa accounting commands start-stop tacacs+
I have not found any solution up to now, either on the ACS side, either on the IOS side and aaa commands.
(Though it looks like a potential security issue), can anyone advise?
Thanks for your cooperation.
Yvon.
ACS 5.1 has the concept of collection filters which I think can do what you are looking for.
See: http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/viewer_sys_ops.html#wp1072344 -
Exclude a user from Shared Services LCM export
How do I exclude a specific user from the Shared Services LCM export? In the migration definition file I am trying to specify something like the following:
pattern="*" and pattern<>"lcm_admin"
What exactly do you want to try after/by exporting users from Shared Services?
Regards,
Santy. -
Hi All
Probably I am going to ask a stupid question but I am really confused regarding the purpose of the "aaa authorization commands x default local" command. I understand that if this command is configured, it authorizes each and every command of that level, but in my experience this command is not doing anything. The outcome is the same whether it is configured or not.
Following is my aaa part config
username cisco privilege 15 secret cisco
aaa new-model
aaa authentication login default local enable
aaa authorization exec default local if-authenticated
aaa authorization commands 15 default local if-authenticated
Now whether I keep the last command or remove it, username "cisco" is able to use every level 15 command, so my question is, why do I bother configuring this command?
Would really appreciate your quick reply.
Regards
Thanks a lot for your quick response. Really appreciate that.
So does this mean, can I safely assume that if I am using the local database then I don't require the "aaa authorization commands level" command??
that is following should be the config
username cisco privilege 15 secret cisco
aaa new-model
aaa authentication login default local enable
aaa authorization exec default local if-authenticated
privilege exec level 15 show (just an example)
privilege exec level 15 debug
I have tested this and it worked fine without using "aaa authorization commands level".
Moreover, regarding the use of an AAA server, my eventual plan is to use TACACS+, but before that I wanted to get a good grip on AAA functionality and therefore started off with the local user database.
So you mean to say, if I am using TACACS+ for authentication and authorization purposes and in the ACS server user "cisco" has been assigned level 15 but with an authorization set of "show" and "debug" only, then by using "aaa authorization commands level" in a router I can successfully restrict user "cisco" to "debug" and "show" only? In my point of view, I can achieve this anyway (restricting user "cisco" to only use "show" and "debug") without using "aaa authorization commands level" (like I tested with the local database)??
Will really appreciate your kind response -
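An added example, not the configuration of any poster on this page, showing the pieces the threads above are discussing in one place: a TACACS+ command-authorization baseline with local fallback, plus a privilege-level assignment of the kind mentioned in the ACS thread further down. The server address, shared key, usernames and passwords are placeholders.

```cisco
! Added example (not from any post on this page). Server address, key and
! credentials are placeholders; replace them before use.
aaa new-model
!
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE-KEY-CHANGE-ME
!
! Local account used only when TACACS+ is unreachable (the "local" fallback
! at the end of each method list below).
username netadmin privilege 15 secret EXAMPLE-PASSWORD
enable secret EXAMPLE-ENABLE
!
! Login and exec authorization: ask the server first, fall back to local.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Command authorization. With these lines every level-1 and level-15 command
! (and, because of config-commands, every configuration-mode command) is
! sent to the TACACS+ server before IOS runs it. The "local" method has no
! per-command policy of its own: it succeeds whenever the user's privilege
! level covers the command, which is why the local-only test in the thread
! above behaved the same with or without "aaa authorization commands".
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Accounting sends the server a record of each command, permitted or denied.
aaa accounting commands 15 default start-stop group tacacs+
!
! Privilege levels still apply before any server lookup: a level-7 user can
! only enter "snmp-server enable" if it has been lowered to level 7 here.
privilege configure level 7 snmp-server enable
!
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
 authorization commands 1 default
 authorization commands 15 default
```

Because every VTY carries the same default lists, the per-line ACL trick described in the first thread is not relied on; which user may run which command is decided by the command sets on the server side, and the local account only takes over when the server cannot be reached.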
Aaa authorization commands for pix 535
Hi ,
Can you provide aaa authorization commands for pix 535
Sanjay Nalawade.
Hi,
Please find the AAA config for PIX.
aaa-server TACACS+ protocol tacacs+
max-failed-attempts 5
aaa-server TACACS+ (ExranetFW-In) host
timeout 5
key ********
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authorization command LOCAL
aaa accounting command privilege 15 TACACS+
aaa authorization exec authentication-server
Karuppuchamy -
Hi!
I have issued the aaa authorization command tacacs on my ASA, but the ACS is not letting me do any command now. I'm trying to issue no aaa authorization command tacacs, but it does not let me.
How can I roll back??
Please Help me
Tkx
Miguel
What version of ACS are you running?
If you are running ACS 4.x then you will have to go to your group settings and under shell command authorization permit all commands; if you are using ACS 5, you will have to go to your authorization policy, click customize if the command set column isn't active already, and assign the command set to allow all commands. I think by default there should be a permit all.
Thanks,
Tarik -
Is there a way to exclude specific calendars from Notifications and alerts?
I have 4 calendars: 1 Exchange and 1 Yahoo that includes 2 shared calendars (wife and MIL). I activate the Yahoo calendars only when I need them and do not need any yahoo reminders at all. When I swipe down the Notifications page, it includes all four calendars including the shared Yahoo calendars. What's worse, I get alerts from all four calendars.
I only want Exchange alerts and notifications. Is there a way to exclude the Yahoo calendars from Notifications and alerts?
Right now, the only way I can eliminate them is by deactivating the Yahoo account in Settings/Mail, Contacts, Calendars.
Is there a way to only choose specific contacts from an existing group and add them to a new group?
I mean there has to be a faster way than typing everybody by hand.. -
No "list-name" option available for aaa authorization command.
I have a 1721 router running 122-15.T14 and want to implement authorization but the router does not provide command option for list name.
I want to implement the following command:
"aaa authorization network groupauthor group radius"
but the only option is default after "network".
Router#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-K9SY7-M), Version 12.2(15)T14, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Fri 27-Aug-04 23:26 by cmong
Image text-base: 0x80008120, data-base: 0x80F731A0
ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)
ROM: C1700 Software (C1700-K9SY7-M), Version 12.2(15)T14, RELEASE SOFTWARE (fc4)
Router uptime is 5 minutes
System returned to ROM by reload
System image file is "flash:c1700-k9sy7-mz.122-15.T14.bin"
cisco 1721 (MPC860P) processor (revision 0x400) with 56844K/8692K bytes of memory.
Processor board ID FOC08302CF6 (610086355), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
2 Serial(sync/async) network interface(s)
32K bytes of non-volatile configuration memory.
32768K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Router(config)#aaa authorization network ?
default The default authorization list.
Router(config)#aaa authorization network
I think that your issue is version related. I have a customer who is running a bunch of 1721 routers and when I do aaa authorization network ?
I get both default and the option to name a list.
I checked with the Software Advisor on CCO and it looks to me like the named-list feature was added in 12.3. As long as you are running 12.2 I do not think you will have the option for a named-list for network authorization.
HTH
Rick -
Access to Oracle Database by a specific user from a client system.
Hi All,
I need to restrict a particular client system to access the database only by a specific user credentials. I mean system A(hostname) can only connect the database PQR only and only by user U123. Any help is sincerely appreciated.
Regards
Swapan
Hi,
I solved it by a trigger at logon on V$SESSION which validates MACHINE like [HOSTNAME] and username not like [the_user_I_would_allow].
It works now.
Thanks for your reply.
Regards
Swapan -
Send a message to multiple computers(Not users) from win7/xp command/or scirpt
Hi Team, is there a way to send a message to multiple Windows XP/Win7 computers from my Win7/XP? 3rd-party software, commercial or free, command line, batch or script all welcome. I have a few hundred computers, ping them alive, but I don't know their location and user name. I failed to push the SCCM client to them; some could be in a workgroup or have admin$ disabled. So I plan to send a message like "please contact IT department for your PC maintenance by this Friday or this PC will be deleted from the corp domain"; when the user contacts IT, we can RDP or manually install SCCM onsite with user cooperation. The msg.exe can only send to users, instead of computer names. I tried shutdown /m \\pc-name -f -s -t 1200000 "testMessage" but I got an access denied alert, though it works if I put my local PC name. Is there any other way to accomplish this? Many thanks!
Thanks and best regards, -- KF
Hi,
Based on my experience, I personally think the better method to solve this case is to have your help desk collect the new computer information, because consider this: "some could be in work group or admin$ disabled"; if there are more workgroup PCs, it will always be hard to manage them through a purely technical method.
About the domain computers, you can refer to the following thread where I replied with a solution for notifying users to contact the IT department.
Security Warning Message
http://social.technet.microsoft.com/Forums/windowsserver/en-US/60c1a896-0996-4e88-ace9-8da2284883f7/security-warning-message?forum=winserverhyperv
Hope this helps.
-
Exclude specific songs from factoring into auto calculated Album Rating?
I really like using the calculated (empty star) Album Rating system, however I was wondering if there was a way to exclude some songs on an album from being averaged into the Album Rating. My reasoning for this is that I don't want intros/outros/skits or bonus tracks to bring the overall rating of an album down (there are many albums in my library that drop down a star rating because of bonus tracks that I don't really like, but wish to keep a part of the album for collection purposes). Is there anyway to make this happen? Thanks.
You do have a very complex-looking site and may need several tables in MySQL to handle all that data. If you are new to PHP/MySQL I would suggest taking a look at this tutorial; it will help get you started in understanding how to $_GET info from a database and also how to $_POST data to a database. I am no expert, just learning myself, and I found this very helpful. This is the link http://www.adobe.com/devnet/dreamweaver/articles/first_dynamic_site_pt1.html
There are also many tutorials on YouTube to help build a CMS (Content Management Site). I would suggest the following:
http://www.youtube.com/user/phpacademy
http://www.youtube.com/user/betterphp
http://www.youtube.com/user/flashbuilding
And many more on my channel here
http://www.youtube.com/user/Whisperingonthewind
CMSs are easier to maintain, add, edit and delete content.
I have also recently bought a book by David Powers, Training from the Source; very helpful.
Anyway hope you get it sorted. -
How to Write Path to Exclude Specific Folder From Scanning in Endpoint Antimalware policy
Dears,
I have configured the Endpoint Protection antimalware policy to scan Windows servers, and I have some specific folders which I need excluded from scanning because they are critical folders. So, when I want to exclude a folder, how do I write the path to add it to the excluded field? Is this the correct path: C:\MyFolder, or is there a special way of writing the path?
Thanks..
If that's the folder you want to exclude then you're doing fine. For more information see (List of Antimalware Policy Settings):
http://technet.microsoft.com/en-us/library/hh508785.aspx
-
ACS Tacacs+ aaa authorization commands
Hi,
I would like to authorize only certain configuration commands by the TACACS server, so in the group setup of ACS I have checked: command, I have written in the field: configure, and declared as arguments: permit terminal and permit snmp-server enable traps. But I cannot configure snmp until I declare in the router: privilege config level 7 snmp-server enable. (I use a level 7 user.)
My question is: is there a way to control the granularity of configuration commands on the ACS, in the same way as you can control the granularity of the show commands?
Many thanks
Patrice
Yes, you can get very granular using Command Authorization Sets and they can be applied to individual users or groups.
Setting Up and Managing Shared Profile Components
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a00800d9e6b.html
hth -
Hello Everyone,
We would like to implement a script to delete the offline files in the Client Side Cache (CSC) for a nominated user (on Windows 7 x64 enterprise).
I am aware that;
1. We can use a registry value to flush the entire CSC cache (for all users) next time the machine reboots.
2. If we delete the user's local profile it appears that Windows 7 also removes their content from the local CSC.
However, we would like to just delete the CSC content for a particular nominated user without having to delete their local user profile.
In our environment we have many users that share workstations but only use them occasionally. We don't use roaming profiles, so we would like to retain all the users' local profiles but still delete the CSC content for any users that haven't logged on in a week.
Any ideas or info would be appreciated !
Thanks, Makes
Hi,
I don't think this is possible.
If you want to achieve it via script, I suggest you post it in official script forum for more professional help:
http://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?category=scripting
The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.
Karen Hu
TechNet Community Support -
How to exclude FBA users from an audience
I have the following situation (SharePoint 2013):
I have an audience: internal users (the rule is based on email address, because internal users all have an email address that ends the same).
I created a navigation button which should only be visible for 'internal users', so I audience it at 'internal users'. When I'm testing this with an AD account that does not have an internal email address (so is not in the 'internal users' audience), this is working as I expected. The user does not see the navigation link/button.
Now the problem is that when I log in as an FBA user, I can still see the navigation button, even though the FBA user does not have an email address that meets the rule of the audience.
Any suggestion on how to make this work? And if it's not possible, does anyone have a workaround?
Help is much appreciated!
Hi,
If you already have the Local Net Users and you want them to be used for another WLAN on the same WLC, then it's simple..
For each LNU that you have configured, edit it by mapping the WLAN to ALL WLAN; this will help you in getting the migration done with ease!!
Let me know if this answered your question and please don't forget to rate the useful posts!!
Regards
Surendra