Restrict aaa access using command authorization windows acs3.6
i need to enable aaa users to shut and unshut interfaces but nothing else. i already have all the users and groups setup but when i modify the command auth set to include "configure" "permit term" they are given unrestricted access.
any help appreciated
On the router there's a:
aaa authorization config-commands
command, make sure you have that in. You then have to set up command authorization on the TACACS server to allow "interface permit any", "shutdown" and "no shutdown" commands.
Similar Messages
-
3640 - AAA/AUTHOR: config command authorization not enabled
Hello, I have a 3640 router with c3640-ik9o3sw6-mz.122-8.T.bin version but when I try to validate the username and password with a radius server, the debbug message is "AAA/AUTHOR: config command authorization not enabled" and I'm sure that the radius validates the user and the packet arrive to the router.
I've tried to update the IOS with c3640-ik9o3s-mz.122-46a.bin and I can validate but I cannot use "crypto isakmp client configuration group mygroup" to configure Easy VPN server.
I attach you the files with config and logs.
Thanks you in advance.Yep! I'm really running 12.1!
I'm receiving the message once i include "aaa authorization exec default group radius local if-authenticated" in the config.
Login is successful, however authorization does not allow me to go directly into enable mode. If I take the aaa authorization line out I can login to user mode and then use the enable password to move forward but that is not what I wish to achieve.
sh run | i aaa
aaa new-model
aaa authentication attempts login 5
aaa authentication banner ^C
aaa authentication fail-message ^C
aaa authentication login My-RADIUS group radius local
aaa accounting exec My-RADIUS start-stop group radius
aaa session-id common
Is there somewhere specific I was suppose to configure the aaa authorization enabled, because I'm not seeing it.
Let me know what other thoughts you may have.
Thanks
Nik -
Restricting Wireless Access using ACS 3.3
We are currently running ACS 3.3 and I am trying to figure out how to restrict Wireless access to specific user groups. Our current setting is using PEAP and ACS as the Radius. Our user database is mapped to Windows 2003 AD. I've got the PEAP working and the radius authentication is also working but I cannot seem to figure out how to restrict the wireless access to specific Windows/ACS groups.
ErikHi,
On ACS 3.3.x You can certinly achive this, al you have to do is configure NAR( Network Access Restriction) Here is the link which should provide you further informatio on it.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
-Parm -
Restrict URL Access using location directive
I'm trying to restrict access to a URL using the location directive in Apache.
I want to allow access to "/analytics/saw.dll?WSDL" to everyone and restrict access to "/analytics/saw.dll?Answers" to certain IPs.
Putting the URLs in location directives doesnt seem to work. I believe the problem is the ? which is a wildcard.
<Location /analytics/saw.dll?WSDL>
Allow from all
</Location>
<Location /analytics/saw.dll?Answers>
Order Deny,Allow
Deny from all
Allow from 192.168.2.161
</Location>
Can anyone help?Hi,
1.
What about using an Authorization Scheme and then using Security of Page Attributes.
In fact it is schema of users, roles, and passwords.
2.
f?p=App:Page:Session:Request:Debug:ClearCache:itemNames:itemValues:PrinterFriendly
f?p=6000:6004:&SESSION.::NO:6003:MY_ITEM1,MY_ITEM2,MY_ITEM3:1234,,5678
This example:
* Runs page 6004 of application 6000 and use the current session ID
* Clears the current session's cache for items on page 6003
* Indicates debug information should be hidden (NO)
* Sets the value of MY_ITEM1 to 1234, sets the value of MY_ITEM2 to null
(indicated by the comma used as placeholder), and sets the value of MY_ITEM3 to 5678
- Into Column Attributes/Column Link/Link Text pick an icon.
- Select for Attributes/Column Link/Target “URL” for table Emp_Address and into URL field type:
javascript: popupURL('f?p=&APP_ID.: 6004:&SESSION…………');
You can use the value of any Item. Then in the URL link page check that item.
Moreover, you can use f?p=&APP_ID.: 6004:&SESSION…..My_Item:#ReportColumnName#.......
I hope this would help.
Konstantin -
Restricting Internet access using ARD
I am trying to restrict students for accessing the internet using ARD. Students accounts are set using Workgroup Manager. Under preferences, I did not allow Dock.app or Safari in the list of aproved applications. I also only selected applications I allow them to use to be in the dock and did not allow them to merge their dock.
One group still has Safari listed in the dock.
The others can still get to the internet using dashboard and going to weather settings.
How can I eliminate this access.One option is to send the unix command:
ipfw add 2005 deny tcp from any to any 80 out xmit en0
This will block the standard internet port. If the computers are restarted then it will go back to normal. To get rid of the rule without actually restarting use this command.
ipfw delete 2005
Note: They have to be done with the root (or admin) user.
PowerBook G4 15in, Xserve, G5 Dual 2ghz, Mac OS X (10.4.3)
PowerBook G4 15in, Xserve, G5 Dual 2ghz, Mac OS X (10.4.3) -
How to access using VNC from Windows XP to Mac G5 (OsX 10.4)
Hi, I read all the technical documentation about the compatibility to open from a Mac Machine a Windows Server using the VNC.
My problem is different. I have a Mac Server, and I want to see it using my Windows Laptop.
Do you think is it possible? What is the software I can use to obtain the full control how the Apple Remote Desktop?
Thanks a lot for your help.
Salvatore"Do you think is it possible?"
Yes
"What is the software I can use to obtain the full control"
Turn on VNC access in the Remote Desktop section of the Sharing System Preferences, then use any Windows VNC client.
(12047) -
Urgent: Portal access using SSO with Windows NT
Dear all,
I'm planning to implement SSO for Portal with Window NT authentication.
Can anybody explain me the steps to do...
If the internal users logs in NT domain say..("ABC"). he/she should be authenticated to Portal without giving logon credentials.. automatically they needs to enter into portal.
I'm using NW'04 SR1(EP6.0 SP9) with AIX 5.2/oracle
Microsoft ADS(LDAP)
Pl explain me...
Appreciated with reward points...
regards
PRadeepHi,
in order to apply windows SSO you will need to install the IIS proxy module in front of your portal, this module knows how to handle users authentication using the NTLM/kerberos features MS ADS supports.
the specific procedure for implementing it can be found in the documentation/help. i have managed to find it in the EP6 sp2 security guide but i think it is the same for the EP6 SP9 as well. so just go to this link:
<u><b>https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/ep/d-f/ep 6.0 sp2 security guide.pdf</b></u>
keep in mind that you will need to be logged on to SDN. -
Restricting Wireless Access using BT Home Hub
Hi
I am trying to set up my BT home hub so that my daughter can only have limited access (fed up with her being on FB 24/7!)
I thought I had done by using the set up access mode, but I have a feeling that this is not working all the time. Has any one else managed to successfully do this?
Thank you for reading and would be grateful of any advice as this is driving us to the brink!Did you follow the intructions on this site?
http://bt.custhelp.com/app/answers/detail/a_id/11364/~/what-is-bt-access-control-and-how-do-i-set-it...
Are you sure that she is not simply bypassing it via the hub manager?
You could change the hub manager password.
There are some useful help pages here, for BT Broadband customers only, on my personal website.
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones. -
ACS Shell Command Authorization Set + restricted Access
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
Hi ,
I have tried to Create a restricted Access Shell Command Authorization Set on ACS as told on the Cisco Url
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
After I applied the same on a User Group I found the users on the group have complete access after typing the conf t on the equipments . My ultimate aim was restrict the access only at Interface level , Attached is the config details . Could anyone has come across such scenario . Please check my config and let me know any thing need to be done specially from My Side
Thanks in Advance
Regards
Vineeth/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
Hi Jatin ,
first of all Thank you very much . It startted working after aaa authorization config-commands
here I was trying to achive one specfic thing .
I want to stop the following commands on ACS “switchport trunk allowed vlan 103” . I only want allow “add” after “vlan” and block rest all arguments
But even after setting the filter on ACS Still we are able to execute the command is there anything like we cannot control the commands after the sub commands
Also I am attaching the filter list along with this. Could you have look on this and let me know whether I have configured something wrongly. Other than this is there any work around is available to achieve this .
Thanks and Regards
Vineeth -
Hi Guys,
its like I want to have only single user ID (Could be AD account or ACS local account) & want this user account should have level 1 access on some switches,routers & have rights to run specific commands on Core devices,firewall & should have level 15 on access devices.
So I want to use only one user account & want to have different level of Access & specific command authorization through ACS.
please help me on this.
ThanksHi ,
The trick here is to give Priv 15 access to the user is question and then deploy command authorization , so that user can only execute some specific commands.
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/spc.htm#wp697557
Pix command,
username Test password cisco
username Test privilege 15
aaa-server TACACS protocol tacacs+
aaa-server TACACS (outside) host 10.130.102.191 cisco timeout 10
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authorization command TACACS LOCAL <--------- NEEDED FOR COMMAND AUTHORIZATION ON PIX
Regards,
~JG
Please rate if that helps ! -
Command authorization issue.
Hello.
I'm using commands authorization with Cisco Secure ACS 4.1. This morning I'm going to set the MOTD and entries fail because my banner starts with a blank.
The shell command set that I'm using is a "permit unmatched commands".
Any idea?
Thanks.
AndreaWhat you're experiencing is a known defect:
CSCtg38468 cat4k/IOS: banner exec failed with blank characters
Symptom:
%PARSE_RC-4-PRC_NON_COMPLIANCE:
The above parser error can be seen together with traceback, when configuring a banner containing a blank character at the begining of line.
Conditions:
Problem happens, when AAA authorization is used together with TACACS+
Workaround:
Make sure there is no blank character at the begining of line in the banner message.
Problem Details: trying to configure banner exec with blank character at beginning of line failed.
This happens when configuring the banner exec via telnet/ssh !
When configuring the same banner exec via console-port, everything is fine.
Note the blank characters at beginning of each line. When removing those, banner exec works fine.
Again, this was working till IOS version 12.2(46)SG.
Beginning with 12.2(50)SG1 and up, the behaviour has changed.
~BR
Jatin Katyal
**Do rate helpful posts** -
ACS command authorization report in conf t mode
Hi, this is probably a quick one, but I couldnt find a solution so far.
We are using command authorization via ACS and are thus able to see (in case of any issues) who has entered which commands at which time on which device. But this only works until someone enters conf t mode. After that I am not getting log entries in the ACS (Version 5). I can see all show commands and who entered the configuration mode, but nothing after that. Config snippet:
aaa new-model
aaa authentication attempts login 5
aaa authentication login default group tacacs+ local line enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
My guess is that I allow all commands with that and thus no authorization is needed.
Any idea?
Thanks
Chris -
ACS 3.3 Config Command Authorization
Hi,
I want to allow an user only to add/remove routes on a router. The shell command authorization works fine. But when the user is in config mode, he can start any command!
The debug says:
1w2d: AAA/AUTHOR: config command authorization not enabled
How can I enable this and how/where can I configure it on the ACS?
Thanks in advanceOn ACs just allow the user to enter the "route" command like you have any other shell command they're allowed to do.
On the router/NAS, you have to tell it specifically that you want authorization for config commands with the following:
aaa authorization config-commands
Note that the format of this command changes slightly on different IOS versions, but if you do "aaa authorization ?" you'll be able to figure it out. -
Command authorization error when using aaa cache
Hi,
I'm trying to use the aaa cache mode for command authorization. But when I execute a command there is always an error message:
% tty2 Unknown authorization method 6 set for list command
The command is then always authorized against the tacacs server.
The 'authentication login', 'authentication enable' and 'authorization exec' are using the cache properly.
I have tried it with an Accesspoint AIR-AP1242AG-E-K9, IOS 12.3(8)JEA and a Catalyst WS-C3550-24PWR-SMI, IOS 12.2(35)SE with the same results.
Deleting the cache entry and using only the tacacs group the error message disappears.
Any suggestions?
Thanks.
Frank
======
config
======
aaa new-model
aaa group server tacacs+ group_tacacs
server 10.10.10.10
server 10.10.10.11
cache expiry 12
cache authorization profile admin_user
cache authentication profile admin_user
aaa authentication login default cache group_tacacs group group_tacacs local
aaa authentication enable default cache group_tacacs group group_tacacs enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default cache group_tacacs group group_tacacs local
aaa authorization commands 15 default cache group_tacacs group group_tacacs local
aaa accounting exec default start-stop group group_tacacs
aaa cache profile admin_user
profile admin no-auth
aaa session-id common
tacacs-server host 10.10.10.10 single-connection
tacacs-server host 10.10.10.11 single-connection
tacacs-server directed-request
tacacs-server key 7 <removed>
============
debug output
============
ap#
Feb 7 20:02:37: AAA/BIND(00000004): Bind i/f
Feb 7 20:02:37: AAA/AUTHEN/CACHE(00000004): GET_USER for username NULL
Feb 7 20:02:39: AAA/AUTHEN/CACHE(00000004): GET_PASSWORD for username admin
Feb 7 20:02:42: AAA/AUTHEN/CACHE(00000004): PASS for username ^->o
Feb 7 20:02:42: AAA/AUTHOR (0x4): Pick method list 'default'
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV cmd=
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV priv-lvl=15
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): Authorization successful
ap#
Feb 7 20:02:54: AAA: parse name=tty2 idb type=-1 tty=-1
Feb 7 20:02:54: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Feb 7 20:02:54: AAA/MEMORY: create_user (0xBA9C34) user='admin' ruser='ap' ds0=0 port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Port='tty2' list='' service=CMD
Feb 7 20:02:54: AAA/AUTHOR/CMD: tty2(787222339) user='admin'
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV service=shell
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd=show
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): found list "default"
Feb 7 20:02:54: % tty2 Unknown authorization method 6 set for list command
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = ERROR
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Method=group_tacacs (tacacs+)
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): user=admin
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV service=shell
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd=show
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = PASS_ADD
Feb 7 20:02:54: AAA/MEMORY: free_user (0xBA9C34) user='admin' ruser='ap' port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE
priv=15 vrf= (id=0)Hi,
I really do not think that command authorization results will be cached. The cache keeps the user credentials and attributes passed during exec authorization but for command authorization it would have to check with the tacacs server always.
Regards,
Vivek -
FWSM: AAA authentication using TACACS and local authorization
Hi All,
In our setup, we are are having FWSMs running version 3.2.22 and users are authenticating using TACACS (running cisco ACS). We would like to give restricted access ( some show commands ) to couple of users to all devices. We do not want to use TACACS for command authorization.
We have created users on TACACS and not allowed "enable" access to them. I have also given those show commands locally on the firewall with privilege level 1. and enabled aaa authorization LOCAL
Now , those users can successfully login to devices and execute those show commands from priv level 1 except "sh access-list". I have specifically mentioned this
"privilege show level 1 mode exec command access-list" in the config.
Is there anything i am missing or is there any other way of doing it?
Thanks.You cannot do what you are trying to do. For (default login you need to use the first policy matched.
you can diversify telnet/ssh with http by creating different aaa groups.
But still you will be loging in for telnet users (all of them) using one method.
I hope it is clear.
PK
Maybe you are looking for
-
CAN WE COMBINE THE VALUE OF 2 CHARACTERSTIC e.g if we have X & Y characterstic and these have value ABC & DEF can we have a new characterstic in the Query As Z and value as ABCDEF
-
Time machine died!! - plz help
My time machine has died. No light. Thought it was the fuse which I have replaced. What are my options? Brought from Apple 1TB Feb 2009. Have I lost my backups? please help Ash
-
Printer settings menu does not always change when switching printers
I am running OS 10.3.9 and also seen this issue on a 10.4 machine. When switching from one printer to another the printer options drop down menu does not always transfer to the correct menu for the newly selected printer. It stays at the menu for the
-
Mac OS slow performance after bootcamp installation
So, I've been searching around here and on other forums, but I haven't found a solution yet to this problem and wanted to see if others knew of it. The problem is that the performance on Mac OS seems to have degraded when I have bootcamp (with WIndow
-
Inverse Normal Distribution function SAP Bex Query
Hi All In BEx Query designer there are different aggregation types available i.e. min, max,average, standard deviation etc. for formula or calculated key figure.There are not any additional statistical functions such normal distribution, inverse no