Restrict AAA access using command authorization (Windows ACS 3.6)

I need to enable AAA users to shut and unshut interfaces but nothing else. I already have all the users and groups set up, but when I modify the command authorization set to include "configure" "permit term" they are given unrestricted access.
Any help appreciated.

On the router there is a
aaa authorization config-commands
command; make sure you have that in. You then have to set up command authorization on the TACACS server to allow the "interface permit any", "shutdown" and "no shutdown" commands.
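As an added illustration (not code from this thread, from Cisco or from ACS), the following Python models both halves of that answer: the router forwards configuration-mode commands to TACACS+ only when `aaa authorization config-commands` is configured, and an ACS-style shell command set then permits only configure terminal, interface, shutdown and no shutdown. The matcher is a simplified model (each argument line is an anchored regex over the space-joined arguments, which is not how ACS matches in every detail), and the session lines are constructed.

```python
"""Model of IOS TACACS+ command authorization against an ACS-style shell
command authorization set (added illustration, not Cisco or ACS code).
Simplification: each argument line is an anchored regex over the
space-joined arguments; real ACS matching differs in detail."""
import re
from dataclasses import dataclass, field

PERMIT, DENY = "PERMIT", "DENY"

@dataclass
class CommandRule:
    command: str
    args: list = field(default_factory=list)  # ordered (action, regex) lines
    permit_unmatched_args: bool = False        # ACS "Permit Unmatched Args"

@dataclass
class CommandSet:
    rules: dict                                # command -> CommandRule
    permit_unmatched_commands: bool = False    # ACS "Permit Unmatched Commands"

def authorize(cmd_set, command, cmd_args):
    """ACS side: decide one request carrying cmd= and cmd-arg= AV pairs."""
    rule = cmd_set.rules.get(command)
    if rule is None:
        return PERMIT if cmd_set.permit_unmatched_commands else DENY
    arg_str = " ".join(a for a in cmd_args if a != "<cr>")
    for action, pattern in rule.args:
        if re.fullmatch(pattern, arg_str):
            return action.upper()
    if arg_str == "":  # listed command typed without arguments
        return PERMIT
    return PERMIT if rule.permit_unmatched_args else DENY

def router_decision(cmd_set, line, in_config_mode, config_commands_authz):
    """NAS side: exec-mode commands always go to TACACS+; config-mode
    commands are sent only when 'aaa authorization config-commands' is
    configured, otherwise they run unchecked (the symptom in the thread)."""
    if in_config_mode and not config_commands_authz:
        return PERMIT
    words = line.split()
    return authorize(cmd_set, words[0], words[1:] + ["<cr>"])

# The set the answer describes: configure terminal, interface <any>,
# shutdown, no shutdown, and nothing else (unmatched commands denied).
OPS_SET = CommandSet(rules={
    "configure": CommandRule("configure", [("permit", "terminal")]),
    "interface": CommandRule("interface", [("permit", ".*")]),  # interface permit any
    "shutdown": CommandRule("shutdown"),
    "no": CommandRule("no", [("permit", "shutdown")]),
    "exit": CommandRule("exit"), "end": CommandRule("end"),
})

# Constructed session: (command line, typed in config mode?)
SESSION = [
    ("configure terminal", False),
    ("interface GigabitEthernet0/1", True),
    ("shutdown", True),
    ("no shutdown", True),
    ("ip address 10.0.0.1 255.255.255.0", True),  # must be denied
    ("no ip address", True),                       # must be denied
]

def run_session(cmd_set, config_commands_authz):
    """Replay SESSION through the NAS model; returns {line: decision}."""
    return {line: router_decision(cmd_set, line, cfg, config_commands_authz)
            for line, cfg in SESSION}
```

Running `run_session(OPS_SET, False)` permits the `ip address` line because the router never asks; with `True` the same line is denied while shutdown and no shutdown still pass.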

Similar Messages

  • 3640 - AAA/AUTHOR: config command authorization not enabled

Hello, I have a 3640 router with the c3640-ik9o3sw6-mz.122-8.T.bin version, but when I try to validate the username and password with a RADIUS server, the debug message is "AAA/AUTHOR: config command authorization not enabled", and I'm sure that the RADIUS server validates the user and the packets arrive at the router.
I've tried to update the IOS with c3640-ik9o3s-mz.122-46a.bin and I can validate, but I cannot use "crypto isakmp client configuration group mygroup" to configure the Easy VPN server.
I attach the files with the config and logs.
Thank you in advance.

    Yep! I'm really running 12.1!
I'm receiving the message once I include "aaa authorization exec default group radius local if-authenticated" in the config.
Login is successful, however authorization does not allow me to go directly into enable mode. If I take the aaa authorization line out I can log in to user mode and then use the enable password to move forward, but that is not what I wish to achieve.
    sh run | i aaa
    aaa new-model
    aaa authentication attempts login 5
    aaa authentication banner ^C
    aaa authentication fail-message ^C
    aaa authentication login My-RADIUS group radius local
    aaa accounting exec My-RADIUS start-stop group radius
    aaa session-id common
Is there somewhere specific I was supposed to configure the aaa authorization enable, because I'm not seeing it.
    Let me know what other thoughts you may have.
    Thanks
    Nik

  • Restricting Wireless Access using ACS 3.3

We are currently running ACS 3.3 and I am trying to figure out how to restrict wireless access to specific user groups. Our current setup uses PEAP with ACS as the RADIUS server. Our user database is mapped to Windows 2003 AD. I've got PEAP working and the RADIUS authentication is also working, but I cannot seem to figure out how to restrict wireless access to specific Windows/ACS groups.
    Erik

    Hi,
On ACS 3.3.x you can certainly achieve this; all you have to do is configure a NAR (Network Access Restriction). Here is the link which should provide you further information on it.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
    -Parm

  • Restrict URL Access using location directive

    I'm trying to restrict access to a URL using the location directive in Apache.
    I want to allow access to "/analytics/saw.dll?WSDL" to everyone and restrict access to "/analytics/saw.dll?Answers" to certain IPs.
Putting the URLs in location directives doesn't seem to work. I believe the problem is the ?, which is a wildcard.
    <Location /analytics/saw.dll?WSDL>
    Allow from all
    </Location>
    <Location /analytics/saw.dll?Answers>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.2.161
    </Location>
    Can anyone help?

    Hi,
    1.
    What about using an Authorization Scheme and then using Security of Page Attributes.
    In fact it is schema of users, roles, and passwords.
    2.
    f?p=App:Page:Session:Request:Debug:ClearCache:itemNames:itemValues:PrinterFriendly
    f?p=6000:6004:&SESSION.::NO:6003:MY_ITEM1,MY_ITEM2,MY_ITEM3:1234,,5678
    This example:
    * Runs page 6004 of application 6000 and use the current session ID
    * Clears the current session's cache for items on page 6003
    * Indicates debug information should be hidden (NO)
    * Sets the value of MY_ITEM1 to 1234, sets the value of MY_ITEM2 to null
    (indicated by the comma used as placeholder), and sets the value of MY_ITEM3 to 5678
    - Into Column Attributes/Column Link/Link Text pick an icon.
    - Select for Attributes/Column Link/Target “URL” for table Emp_Address and into URL field type:
    javascript: popupURL('f?p=&APP_ID.: 6004:&SESSION…………');
    You can use the value of any Item. Then in the URL link page check that item.
    Moreover, you can use f?p=&APP_ID.: 6004:&SESSION…..My_Item:#ReportColumnName#.......
    I hope this would help.
    Konstantin

  • Restricting Internet access using ARD

I am trying to restrict students from accessing the internet using ARD. Student accounts are set up using Workgroup Manager. Under preferences, I did not allow Dock.app or Safari in the list of approved applications. I also only selected the applications I allow them to use to be in the dock and did not allow them to merge their dock.
One group still has Safari listed in the dock.
The others can still get to the internet using Dashboard and going to the weather settings.
How can I eliminate this access?

    One option is to send the unix command:
    ipfw add 2005 deny tcp from any to any 80 out xmit en0
    This will block the standard internet port. If the computers are restarted then it will go back to normal. To get rid of the rule without actually restarting use this command.
    ipfw delete 2005
    Note: They have to be done with the root (or admin) user.
    PowerBook G4 15in, Xserve, G5 Dual 2ghz,   Mac OS X (10.4.3)  

  • How to access using VNC from Windows XP to Mac G5 (OsX 10.4)

Hi, I read all the technical documentation about the compatibility for opening a Windows server from a Mac machine using VNC.
My problem is different. I have a Mac server, and I want to see it using my Windows laptop.
Do you think it is possible? What software can I use to obtain full control, like Apple Remote Desktop?
    Thanks a lot for your help.
    Salvatore

"Do you think it is possible?"
    Yes
    "What is the software I can use to obtain the full control"
    Turn on VNC access in the Remote Desktop section of the Sharing System Preferences, then use any Windows VNC client.

  • Urgent: Portal access using SSO with Windows NT

    Dear all,
I'm planning to implement SSO for Portal with Windows NT authentication.
Can anybody explain the steps to me...
If an internal user logs in to an NT domain, say "ABC", he/she should be authenticated to Portal without giving logon credentials; they should automatically enter the portal.
I'm using NW'04 SR1 (EP6.0 SP9) with AIX 5.2/Oracle
Microsoft ADS (LDAP)
Please explain...
    Appreciated with reward points...
    regards
    PRadeep

    Hi,
In order to apply Windows SSO you will need to install the IIS proxy module in front of your portal; this module knows how to handle user authentication using the NTLM/Kerberos features MS ADS supports.
The specific procedure for implementing it can be found in the documentation/help. I managed to find it in the EP6 SP2 security guide, but I think it is the same for EP6 SP9 as well, so just go to this link:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/ep/d-f/ep 6.0 sp2 security guide.pdf
Keep in mind that you will need to be logged on to SDN.

  • Restricting Wireless Access using BT Home Hub

    Hi
I am trying to set up my BT Home Hub so that my daughter can only have limited access (fed up with her being on FB 24/7!).
I thought I had done it by using the set-up access mode, but I have a feeling that this is not working all the time. Has anyone else managed to do this successfully?
Thank you for reading; I would be grateful for any advice as this is driving us to the brink!

Did you follow the instructions on this site?
http://bt.custhelp.com/app/answers/detail/a_id/11364/~/what-is-bt-access-control-and-how-do-i-set-it...
    Are you sure that she is not simply bypassing it via the hub manager?
    You could change the hub manager password.
    There are some useful help pages here, for BT Broadband customers only, on my personal website.
    BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.

  • ACS Shell Command Authorization Set + restricted Access

Hi,
I have tried to create a restricted-access Shell Command Authorization Set on ACS as described at the Cisco URL
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
After I applied it to a user group I found that the users in the group have complete access after typing conf t on the equipment. My ultimate aim was to restrict access to the interface level only. Attached are the config details. Has anyone come across such a scenario? Please check my config and let me know if anything needs to be done, especially on my side.
    Thanks in Advance
    Regards
    Vineeth

Hi Jatin,
First of all, thank you very much. It started working after aaa authorization config-commands.
Here I was trying to achieve one specific thing.
I want to stop the following command on ACS: "switchport trunk allowed vlan 103". I only want to allow "add" after "vlan" and block all other arguments.
But even after setting the filter on ACS we are still able to execute the command. Is there anything like we cannot control the arguments after the sub-commands?
I am also attaching the filter list along with this. Could you have a look at it and let me know whether I have configured something wrongly? Other than this, is there any workaround available to achieve this?
    Thanks and Regards
    Vineeth

  • Command Authorization on ACS

    Hi Guys,
I want to have only a single user ID (could be an AD account or an ACS local account), and this user account should have level 1 access on some switches and routers, have rights to run specific commands on core devices and firewalls, and have level 15 on access devices.
So I want to use only one user account and have different levels of access and specific command authorization through ACS.
Please help me with this.
    Thanks

    Hi ,
The trick here is to give priv 15 access to the user in question and then deploy command authorization, so that the user can only execute some specific commands.
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/spc.htm#wp697557
PIX commands:
    username Test password cisco
    username Test privilege 15
    aaa-server TACACS protocol tacacs+
    aaa-server TACACS (outside) host 10.130.102.191 cisco timeout 10
    aaa authentication http console TACACS LOCAL
    aaa authentication ssh console TACACS LOCAL
    aaa authentication telnet console TACACS LOCAL
    aaa authentication enable console TACACS LOCAL
    aaa authorization command TACACS LOCAL <--------- NEEDED FOR COMMAND AUTHORIZATION ON PIX
    Regards,
    ~JG
    Please rate if that helps !

  • Command authorization issue.

    Hello.
I'm using command authorization with Cisco Secure ACS 4.1. This morning I was going to set the MOTD and the entries fail because my banner starts with a blank.
The shell command set that I'm using is a "permit unmatched commands" one.
    Any idea?
    Thanks.
    Andrea

    What you're experiencing is a known defect:
    CSCtg38468    cat4k/IOS: banner exec failed with blank characters
    Symptom:
    %PARSE_RC-4-PRC_NON_COMPLIANCE:
The above parser error can be seen together with a traceback when configuring a banner containing a blank character at the beginning of a line.
    Conditions:
The problem happens when AAA authorization is used together with TACACS+.
Workaround:
Make sure there is no blank character at the beginning of a line in the banner message.
Problem Details: trying to configure banner exec with a blank character at the beginning of a line failed.
This happens when configuring the banner exec via telnet/ssh!
When configuring the same banner exec via the console port, everything is fine.
Note the blank characters at the beginning of each line. When those are removed, banner exec works fine.
    Again, this was working till IOS version 12.2(46)SG.
    Beginning with 12.2(50)SG1 and up, the behaviour has changed.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ACS command authorization report in conf t mode

Hi, this is probably a quick one, but I couldn't find a solution so far.
We are using command authorization via ACS and are thus able to see (in case of any issues) who has entered which commands at which time on which device. But this only works until someone enters conf t mode. After that I am not getting log entries in the ACS (version 5). I can see all show commands and who entered configuration mode, but nothing after that. Config snippet:
    aaa new-model
    aaa authentication attempts login 5
    aaa authentication login default group tacacs+ local line enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local 
    aaa authorization commands 1 default group tacacs+ local 
    aaa authorization commands 15 default group tacacs+ local 
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common
My guess is that I allow all commands with that and thus no authorization is needed.
    Any idea?
    Thanks
    Chris

  • ACS 3.3 Config Command Authorization

    Hi,
I want to allow a user only to add/remove routes on a router. The shell command authorization works fine. But when the user is in config mode, he can run any command!
    The debug says:
    1w2d: AAA/AUTHOR: config command authorization not enabled
    How can I enable this and how/where can I configure it on the ACS?
    Thanks in advance

On ACS just allow the user to enter the "route" command, like any other shell command they are allowed to run.
On the router/NAS, you have to tell it specifically that you want authorization for config commands with the following:
    aaa authorization config-commands
    Note that the format of this command changes slightly on different IOS versions, but if you do "aaa authorization ?" you'll be able to figure it out.

  • Command authorization error when using aaa cache

    Hi,
I'm trying to use the aaa cache mode for command authorization. But when I execute a command there is always an error message:
% tty2 Unknown authorization method 6 set for list command
The command is then always authorized against the TACACS server.
The 'authentication login', 'authentication enable' and 'authorization exec' are using the cache properly.
I have tried it with an access point AIR-AP1242AG-E-K9, IOS 12.3(8)JEA, and a Catalyst WS-C3550-24PWR-SMI, IOS 12.2(35)SE, with the same results.
If I delete the cache entry and use only the tacacs group, the error message disappears.
    Any suggestions?
    Thanks.
    Frank
    ======
    config
    ======
    aaa new-model
    aaa group server tacacs+ group_tacacs
    server 10.10.10.10
    server 10.10.10.11
    cache expiry 12
    cache authorization profile admin_user
    cache authentication profile admin_user
    aaa authentication login default cache group_tacacs group group_tacacs local
    aaa authentication enable default cache group_tacacs group group_tacacs enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default cache group_tacacs group group_tacacs local
    aaa authorization commands 15 default cache group_tacacs group group_tacacs local
    aaa accounting exec default start-stop group group_tacacs
    aaa cache profile admin_user
    profile admin no-auth
    aaa session-id common
    tacacs-server host 10.10.10.10 single-connection
    tacacs-server host 10.10.10.11 single-connection
    tacacs-server directed-request
    tacacs-server key 7 <removed>
    ============
    debug output
    ============
    ap#
    Feb 7 20:02:37: AAA/BIND(00000004): Bind i/f
    Feb 7 20:02:37: AAA/AUTHEN/CACHE(00000004): GET_USER for username NULL
    Feb 7 20:02:39: AAA/AUTHEN/CACHE(00000004): GET_PASSWORD for username admin
    Feb 7 20:02:42: AAA/AUTHEN/CACHE(00000004): PASS for username ^->o
    Feb 7 20:02:42: AAA/AUTHOR (0x4): Pick method list 'default'
    Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV cmd=
    Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV priv-lvl=15
    Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): Authorization successful
    ap#
    Feb 7 20:02:54: AAA: parse name=tty2 idb type=-1 tty=-1
    Feb 7 20:02:54: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
    Feb 7 20:02:54: AAA/MEMORY: create_user (0xBA9C34) user='admin' ruser='ap' ds0=0 port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
    Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Port='tty2' list='' service=CMD
    Feb 7 20:02:54: AAA/AUTHOR/CMD: tty2(787222339) user='admin'
    Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV service=shell
    Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd=show
    Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=running-config
    Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=<cr>
    Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): found list "default"
    Feb 7 20:02:54: % tty2 Unknown authorization method 6 set for list command
    Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = ERROR
    Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Method=group_tacacs (tacacs+)
    Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): user=admin
    Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV service=shell
    Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd=show
    Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=running-config
    Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=<cr>
    Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = PASS_ADD
    Feb 7 20:02:54: AAA/MEMORY: free_user (0xBA9C34) user='admin' ruser='ap' port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE
    priv=15 vrf= (id=0)

    Hi,
I really do not think that command authorization results will be cached. The cache keeps the user credentials and attributes passed during exec authorization, but for command authorization it would have to check with the TACACS server every time.
    Regards,
    Vivek

  • FWSM: AAA authentication using TACACS and local authorization

    Hi All,
In our setup, we have FWSMs running version 3.2.22 and users authenticate using TACACS (running Cisco ACS). We would like to give restricted access (some show commands) to a couple of users on all devices. We do not want to use TACACS for command authorization.
We have created users on TACACS and not allowed "enable" access to them. I have also given those show commands locally on the firewall with privilege level 1, and enabled aaa authorization LOCAL.
Now, those users can successfully log in to devices and execute those show commands from priv level 1 except "sh access-list". I have specifically mentioned
"privilege show level 1 mode exec command access-list" in the config.
Is there anything I am missing, or is there any other way of doing it?
    Thanks.

You cannot do what you are trying to do. For the (default) login you need to use the first policy matched.
You can diversify telnet/ssh from http by creating different aaa groups.
But you will still be logging in telnet users (all of them) using one method.
    I hope it is clear.
    PK
