PIX Command Authorization

I have cisco PIX 525. I want my junior engineer to restrict to show commands. I dont want him to configure access-list and anything else. He is only suppose to sh the running and other show commands.
I have made a user A and assign him with privilage 7. But when i log in with this user i was able to configure all things.
username A password muljoLmw8YN8dG2h encrypted privilege 7
I wana authenticate user locally and rest of all things local database. No external ACS.
kindly tell me how to configure Firewall for this thing.

Try using privilege 5 instead of 7. With 5 he should not be able to enter config mode, but do show run or show ver etc. but no configs privilege... try that.
Rgds
Jorge

Similar Messages

Pix command authorization problem

help required
i am trying to configure pix firewall command authorization using cisco
secure acs 4.2 and a pix 515 running 7.0(5) but have run into a problem
i cant get it to work!
i have included the pix firewall configuration below and have included
screen shots of the acs configuration as attachments
as you can see i can authenticate ok but that is as far as i can go
as soon as i try and use the enable command authorization fails
i cant even enter a password
i have created two shell command authorization sets
one called admins which is configured to allow all commands
and one called restricted which restrics me to only a few commands
if i apply the admins authorization set to the group where the user
resides i can authenticate and authorize and i have access to all
commands but if i apply the restrictd authorization set i get the
problem depicted below
i would appreciate it if someone could take a look and give me
some pointers as to where i am going wrong
regards
melvyn brown
interface ethernet0
nameif outside
ip address 110.1.1.1 255.255.255.0
speed 100
duplex full
no shut
interface ethernet1
nameif inside
ip address 192.168.8.2 255.255.255.0
speed 100
duplex full
no shut
route inside 192.168.7.0 255.255.255.0 192.168.8.1
route inside 192.168.3.0 255.255.255.0 192.168.8.1
aaa-server ACS1 protocol tacacs+
aaa-server ACS1 host 192.168.7.2
key cisco123
domain-name acme.com
crypto key generate rsa modulus 1024
telnet 192.168.3.2 255.255.255.255 inside
ssh 192.168.3.2 255.255.255.255 inside
aaa authentication enable console ACS1
aaa authentication serial console ACS1
aaa authentication ssh console ACS1
aaa authentication telnet console ACS1
aaa authorization command ACS1
Username: fred
Password: **********
Type help or '?' for a list of available commands.
pixfirewall> en
Command authorization failed
pixfirewall> ?
clear   Reset functions
enable Turn on privileged commands
exit    Exit from the EXEC
help    Interactive help for commands
login   Log in as a particular user
logout Exit from the EXEC
ping    Send echo messages
quit    Exit from the EXEC
show    Show running system information

Fixed it. It was one of those ID10T type errors. The user I was testing against was in in group1 on the ACS. Trouble is I was adding command authorizations to group0. Duh!

ACS command Authorization on PIX Console

I have configured the pix firewall for ACS authentication and command authorization, everything is working fine
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 172.28.x.x x.x.x
aaa-server TACACS+ (inside) host 172.28.x. xx
aaa authentication ssh console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+
but porblem is that i dont wana have ACS authentication while connecting with console. In case of emergency when
ACS down, i wana to get console and access the device by using local username and password
but now after this configuration when i try to access the firewall via console, i m getting error of
command authorization fail.
I dont wana have any command authorization while connected with console, Please tell me how to resolve this issue
I have made the command authorization set in ACS and it is working fine for me,

kindly once again check my modified configuration,
I wanted to use this option in case, ACS goes down and i can console my firewall and but it is not working fine me.
aa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (edn) host 172.28.31.132
aaa-server TACACS+ (edn) host 172.28.31.133
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+
but i m not able to login i m getting following eror
Command authorization failed
TDC-INT-525-01> exit
Command authorization failed
TDC-INT-525-01> exit
Command authorization failed
TDC-INT-525-01> enable
Command authorization failed
i also defined the local command authorization set like this
privilege cmd level 15 mode exec command exit
privilege show level 5 mode exec command running-config
privilege show level 15 mode exec command version
privilege show level 0 mode exec command access-list
privilege show level 0 mode configure command access-list
privilege cmd level 15 mode configure command exit
privilege cmd level 15 mode configure command no
privilege cmd level 0 mode configure command access-list
privilege cmd level 15 mode interface command exit
privilege cmd level 15 mode subinterface command exit
privilege cmd level 15 mode dynupd-method command exit
privilege cmd level 15 mode trange command exit
privilege cmd level 15 mode route-map command exit
privilege cmd level 15 mode router command exit
privilege cmd level 15 mode ldap command exit
privilege cmd level 15 mode aaa-server-host command exit
privilege cmd level 15 mode aaa-server-group command exit
privilege cmd level 15 mode context command exit
privilege cmd level 15 mode group-policy command exit
privilege cmd level 15 mode username command exit
privilege cmd level 15 mode tunnel-group-general command exit
privilege cmd level 15 mode tunnel-group-ipsec command exit
privilege cmd level 15 mode tunnel-group-ppp command exit
privilege cmd level 15 mode mpf-class-map command exit
privilege cmd level 15 mode mpf-policy-map command exit
privilege cmd level 15 mode mpf-policy-map-class command exit
privilege cmd level 15 mode mpf-policy-map-class command exit
privilege cmd level 15 mode mpf-policy-map-param command exit
Please tell me how to solve this problem

Config commands authorization on ASA

Hi, is there a way to control the config commands with tacacs+ authorization ?
When I enable the configure command, in ACS shell coomand authorization set, all other config commands are enabled.
In IOS there's the "aaa authorization config-commands", how to with ASA ?

Please check this link that explains about command authorization on ASA.
these commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:
aaa-server authserver protocol tacacs+
aaa-server authserver host 10.1.1.1
aaa authorization command authserver
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
Regards,
~JG
Do rate helpful posts

Command Authorization

In setting up command authorization I have a question:
The command aaa authorization commands (level) allows commands to be checked via the Shell Command Authorization Sets configured on the ACS server. For Pix the command is just "aaa authorization command" this checks all command levels. Why do you need to specify a level then on other devices such as a router? Why would you have to specify a level such as :
aaa authorization commands 15
For that matter if the command is specified with just level 15 won't it still check the Shell Command Authorization Set for the allowed commands?

Waseem, have a look at the following link:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
The best option is to turn on the following debugs on the router and then enable the appropriate commands in ACS (as sometimes router is sending strange characters like etc)
debug aaa authorization
debug tacacs
Regards
Farrukh

Command Authorization on ACS

Hi Guys,
its like I want to have only single user ID (Could be AD account or ACS local account) & want this user account should have level 1 access on some switches,routers & have rights to run specific commands on Core devices,firewall & should have level 15 on access devices.
So I want to use only one user account & want to have different level of Access & specific command authorization through ACS.
please help me on this.
Thanks

Hi ,
The trick here is to give Priv 15 access to the user is question and then deploy command authorization , so that user can only execute some specific commands.
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/spc.htm#wp697557
Pix command,
username Test password cisco
username Test privilege 15
aaa-server TACACS protocol tacacs+
aaa-server TACACS (outside) host 10.130.102.191 cisco timeout 10
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authorization command TACACS LOCAL <--------- NEEDED FOR COMMAND AUTHORIZATION ON PIX
Regards,
~JG
Please rate if that helps !

Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets

Hello All,
I am trying to create a user so that I can provide him only to run commands that I have designated them to run within my "Shell Command Authorization Set". This seems to work great, however I cannot find anywhere I can "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option to only display commands the user has access to in ACS.
My Steps:
Created a user in ACS
Shared Profile Components
Create Shell command Autorization Set - "ReadOnly"
Unmatched Commands - Deny
Unchecked - Permit Unmatched Arg
Commands Added
permit interface
permit vlan
permit snmp contact
permit power inline
permit version
permit switch
permit controllers utilization
permit env all
permit snmp location
permit ip http server status
permit logging
Created a group - "GroupTest" with the following
Confirgured - Network Access Restrictions (NAR)
Max Sessions - Unlimited
Enable Options - No Enable Privilege
TACACS+ Settings
Shell (exec)
Priviledge level is check with 1 as the assigned level
Shell Command Authorization Set
"ReadOnly" - Assign a Shell Command Authorization Set for any network device
I have configured following on my Router/Switch
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ if-authenticated
privilege exec level 1 show log
I have attached below the documention I have gone over.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624

"you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
Correct me if I am wrong."
Regards
Vamsi

Command Authorization Config best practice using ACS

Hi
Is there any best practices for configuring Command authorization (for router/switch/asa) in CS-ACS? To be specific, is there any best practices to configure authorization for a set of commands allowed for L1,L2,L3 support levels?
Regards
V Vinodh.

Vinodh,
The main thing here is to ensure that we have backup/fall-back method configured for command authorization, inorder to avoid lockout situation or do wr mem once you are sure configs are working fine.
Please check this link,
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
Regards,
~JG
Do rate helpful posts

Command authorization error when using aaa cache

Hi,
I'm trying to use the aaa cache mode for command authorization. But when I execute a command there is always an error message:
% tty2 Unknown authorization method 6 set for list command
The command is then always authorized against the tacacs server.
The 'authentication login', 'authentication enable' and 'authorization exec' are using the cache properly.
I have tried it with an Accesspoint AIR-AP1242AG-E-K9, IOS 12.3(8)JEA and a Catalyst WS-C3550-24PWR-SMI, IOS 12.2(35)SE with the same results.
Deleting the cache entry and using only the tacacs group the error message disappears.
Any suggestions?
Thanks.
Frank
======
config
======
aaa new-model
aaa group server tacacs+ group_tacacs
server 10.10.10.10
server 10.10.10.11
cache expiry 12
cache authorization profile admin_user
cache authentication profile admin_user
aaa authentication login default cache group_tacacs group group_tacacs local
aaa authentication enable default cache group_tacacs group group_tacacs enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default cache group_tacacs group group_tacacs local
aaa authorization commands 15 default cache group_tacacs group group_tacacs local
aaa accounting exec default start-stop group group_tacacs
aaa cache profile admin_user
profile admin no-auth
aaa session-id common
tacacs-server host 10.10.10.10 single-connection
tacacs-server host 10.10.10.11 single-connection
tacacs-server directed-request
tacacs-server key 7 <removed>
============
debug output
============
ap#
Feb 7 20:02:37: AAA/BIND(00000004): Bind i/f
Feb 7 20:02:37: AAA/AUTHEN/CACHE(00000004): GET_USER for username NULL
Feb 7 20:02:39: AAA/AUTHEN/CACHE(00000004): GET_PASSWORD for username admin
Feb 7 20:02:42: AAA/AUTHEN/CACHE(00000004): PASS for username ^->o
Feb 7 20:02:42: AAA/AUTHOR (0x4): Pick method list 'default'
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV cmd=
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV priv-lvl=15
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): Authorization successful
ap#
Feb 7 20:02:54: AAA: parse name=tty2 idb type=-1 tty=-1
Feb 7 20:02:54: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Feb 7 20:02:54: AAA/MEMORY: create_user (0xBA9C34) user='admin' ruser='ap' ds0=0 port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Port='tty2' list='' service=CMD
Feb 7 20:02:54: AAA/AUTHOR/CMD: tty2(787222339) user='admin'
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV service=shell
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd=show
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): found list "default"
Feb 7 20:02:54: % tty2 Unknown authorization method 6 set for list command
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = ERROR
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Method=group_tacacs (tacacs+)
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): user=admin
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV service=shell
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd=show
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = PASS_ADD
Feb 7 20:02:54: AAA/MEMORY: free_user (0xBA9C34) user='admin' ruser='ap' port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE
priv=15 vrf= (id=0)

Hi,
I really do not think that command authorization results will be cached. The cache keeps the user credentials and attributes passed during exec authorization but for command authorization it would have to check with the tacacs server always.
Regards,
Vivek

ACS - Shell Command Authorization Sets

Hi,
I have had a problem where a set of users in two groups in ACS are struggling entering commands. The commands are set in the Shell Command Authorization Sets and this hasnt changed. Other commands are working. As this is spanning two groups in ACS I am thinking it's not something with the groups but the command sets itself.
Just to check, the commands are 'clear port-security' and clear mac address-table' - I have entered in Command 'clear' and the following attributes;
permit port-security
permit mac address-table'
I've also ticked 'Permit unmatched args'
At the same time as this is occuring I have been recieving the following messages from the ACS server via email;
Test Timed out for service: CSAdmin
Test Timed out for service: CSAuth
Test Timed out for service: CSDbSync
Test Timed out for service: CSLog
I have looked at other posts and have restarted CSMon. This then stops the messages for some time, then a day or so later I get the messages again.
Could this be tied in with the command issue? Is there something else I should look at other than restarting the server and the CSMon service again? All other CS' services are running.
Thanks!!
Steve

Thanks for your reply!
there are no errors, the switch ios is putting the asterics as it does when you enter a command that is not recognised, i.e. for clear port-security the port-security onwards is not recognised. On this note, the user is entered into priviledge mode and not in configure terminal mode, just base priviledge mode. The group in ACS is set to max priviledge level 7 and have also set this on the user account in addition.
I am using ACS v 4.1.
While I receive the service messages and also when they go away - I always have the authorisation problem.
Thanks
Steve

Command Authorization in ACS

Hi,
Can anybody tell me how can I permit only ping command to a group in ACS. What is the actual statement that I want to add in command authorization sets.

Hi Prem,
Can you let me know how can i restrict a group from adding a route. I have the following configured on the ACS under shell authorization
configure ......permit terminal
interface ......permit fastethernet (permit Unmatched arg)
show............permit vlan
switchport......permit access &
permit vlan
With the above configuration iam still able to add a route to the config
Also i would like to know the wildcard to be used for enabling all the fastethernet or Ge ports
thanks in advance
Narayan

Command Authorization in ACS 5.0

Hi,
Can anybody route me to configuration example for command authorization in routers or switches or firewall for ACS 5.0.
OR
USER-A should be placed in privilege level 2 and given access to all debug commands and the undebug all command.
Assigned specified commands to level 2
privilege exec level 2 undebug all
privilege exec all level 2 debug
The commands what i applied on routers are above.How i can set a privilege level of 2 on user in ACS 5.0.??????
Also if i want to do shell command authorization set,how can i do it in ACS 5.0
Thanks,

You need to create a shell profile to assign the desired privilege level, and a command set to authorize specific commands, then associate those two with the authorization policy that applies to those users.

Command authorization issue.

Hello.
I'm using commands authorization with Cisco Secure ACS 4.1. This morning I'm going to set the MOTD and entries fail because my banner starts with a blank.
The shell command set that I'm using is a "permit unmatched commands".
Any idea?
Thanks.
Andrea

What you're experiencing is a known defect:
CSCtg38468 cat4k/IOS: banner exec failed with blank characters
Symptom:
%PARSE_RC-4-PRC_NON_COMPLIANCE:
The above parser error can be seen together with traceback, when configuring a banner containing a blank character at the begining of line.
Conditions:
Problem happens, when AAA authorization is used together with TACACS+
Workaround:
Make sure there is no blank character at the begining of line in the banner message.
Problem Details: trying to configure banner exec with blank character at beginning of line failed.
This happens when configuring the banner exec via telnet/ssh !
When configuring the same banner exec via console-port, everything is fine.
Note the blank characters at beginning of each line. When removing those, banner exec works fine.
Again, this was working till IOS version 12.2(46)SG.
Beginning with 12.2(50)SG1 and up, the behaviour has changed.
~BR
Jatin Katyal
**Do rate helpful posts**

Cisco ACS command authorization sets

I need help on the following please.
1. - I am using ACS as TACACS server to control IOS authorization on all our Switches, However I can not deny telnet sessions to other devices from within CatOS - does anyone know the command authorization set to deny this within ACS ????
2. Does anyone know where I can read up on command authorizations sets for ACS ??
3. What is the debug command for CatOS to see cli output ?
Many thanks
Rod

Thanks for your info. I have solved my problem -
1. I enabled tacacs administration logging using command on switch aaa authorization commands 15 default group tacacs+
This let me see what what happening everytime I entered a command on CatOS - via the logging monitor on ACS. From here i was able to see that when i was trying to telnet to a device from CatOS it was doing it on Privilage mode 1. I then entered this command aaa authorization commands 1 default group tacacs+ which solved my telnet problem.
Problem resolved.
Many thanks.

Nexus, command authorization using TACACS.

Hello.
Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.
Thanks.
Regards.
Andrea

Hi Andrea,
We've moved onto ACS 5.3 now - but we had our Nexus 5520's running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:
username admin password role network-admin ; local admin user
feature tacacs+ ; enable the tacacs feature
tacacs-server host key ; define key for tacacs server
aaa group server tacacs+ tacacs ; create group called 'tacacs'
    server ;define tacacs server IP
    use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
    source-interface mgmt0 ; ...and send them from the mgmt interface
aaa authentication login default group tacacs ; use tacacs for login auth
aaa authentication login console group tacacs ; use tacacs for console login auth
aaa authorization config-commands default group tacacs local ; use tacacs for config command authorization
aaa authorization commands default group tacacs local ; use tacacs for normal command authorization
aaa accounting default group tacacs ; send accounting records to tacacs
Hope that works for you!
(That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only) so instead you pass back the nexus role to the 5k - and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k)
Rob...

PIX Command Authorization

Similar Messages

Maybe you are looking for