Shell Command Auth Question

I'm trying to set up a Shell command auth set for clearing interface counters but I can't think of a way to do so. Is there a way to do something like:
"permit counters interface *"?
TIA

I'm assuming you are using CSACS (not indicated) for defining your command sets.
e.g.:
"Deny" radio button selected (i.e.: only listed commands will be authorized).
Command List:
clear
disable
enable
show
"Clear" command argument(s) set as follows:
(a) Deselect the "Permit Unmatched Args" checkbox.
(b) Enter the following argument(s) into the list:
permit counters
... or, to be more specific:
permit counters Ethernet 0
permit counters FastEthernet 0
This should result in the ability to clear all counters, or the counters of specific interfaces (if you define them).
Notes:
(1) Command arguments are case sensitive and may differ from how they are entered at the CLI.
(2) A sniffer is helpful in determining proper case.
(3) Wireshark is capable of decrypting TACACS+ packets if you configure the application with the password.
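
The matching behaviour described in the answer above, as an added Python sketch (not part of the original posts and not ACS code). It assumes arguments are compared word by word, case-sensitively, as a prefix of the cmd-arg values the device sends, with the trailing `<cr>` ignored; the class and function names and the sample requests are constructed for illustration.

```python
from dataclasses import dataclass, field


def parse_arg_lines(text):
    """Parse argument-box lines such as 'permit counters FastEthernet 0'."""
    rules = []
    for line in text.strip().splitlines():
        action, _, pattern = line.strip().partition(" ")
        if action not in ("permit", "deny"):
            raise ValueError(f"line must start with permit or deny: {line!r}")
        rules.append((action, pattern.split()))
    return rules


@dataclass
class CommandEntry:
    arg_rules: list = field(default_factory=list)  # ordered (action, words)
    permit_unmatched_args: bool = False            # the checkbox in the answer


@dataclass
class CommandSet:
    commands: dict                                 # command -> CommandEntry
    permit_unmatched_commands: bool = False        # False = "Deny" radio button

    def authorize(self, cmd, cmd_args):
        entry = self.commands.get(cmd)
        if entry is None:
            return self.permit_unmatched_commands
        words = [a for a in cmd_args if a != "<cr>"]
        for action, want in entry.arg_rules:
            # Assumed semantics: case-sensitive, whole-word prefix match.
            if words[:len(want)] == want:
                return action == "permit"
        return entry.permit_unmatched_args


def build_set(clear_args):
    """Command list from the answer; only 'clear' has an argument list."""
    # Assumption: the other commands accept any argument.
    open_entry = lambda: CommandEntry(permit_unmatched_args=True)
    return CommandSet(commands={
        "clear": CommandEntry(arg_rules=parse_arg_lines(clear_args)),
        "disable": open_entry(),
        "enable": open_entry(),
        "show": open_entry(),
    })


BROAD = build_set("permit counters")
SPECIFIC = build_set("permit counters Ethernet 0\npermit counters FastEthernet 0")

# Constructed requests: (cmd, cmd-arg list) as a device might send them after
# expanding abbreviations typed at the CLI.
REQUESTS = [
    ("clear", ["counters", "<cr>"]),
    ("clear", ["counters", "FastEthernet", "0", "<cr>"]),
    ("clear", ["counters", "fastethernet", "0", "<cr>"]),  # wrong case
    ("clear", ["counters", "FastEthernet", "1", "<cr>"]),
    ("clear", ["line", "1", "<cr>"]),
    ("reload", ["<cr>"]),
]


def evaluate(command_set):
    return [command_set.authorize(cmd, args) for cmd, args in REQUESTS]


if __name__ == "__main__":
    for name, cs in (("broad", BROAD), ("specific", SPECIFIC)):
        for (cmd, args), ok in zip(REQUESTS, evaluate(cs)):
            print(f"{name:8} {'PERMIT' if ok else 'DENY  '} {cmd} {' '.join(args)}")
```

The wrong-case request passes the broad set but fails the specific one, which is why note (1) matters once interface names are listed.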

Similar Messages

  • ACS 4.0, only 1 Shell Command auth. set possible

    Hi all,
    I am wondering if this is a "hidden feature" of the evaluation software or a bug...
    I am currently running Cisco ACS server v.4.0 (evaluation version) on a Win2k3 platform, with authentication, authorization and accounting.
    In a nutshell I have the following setup:
    - group1 uses: Shell Command Authorization Set1
    - group2 uses: Shell Command Authorization Set2
    Problem: Users in group2 are somehow authorized against the commands listed in Shell Auth. Comm. set1 instead of the configured Shell Auth. Comm. set2
    Is it possible that with the evaluation software only one Shell Command Authorization Set is allowed to be active? Does anyone know?
    Many thx
    Sander

    Problem resolved by renaming authorization sets and reloading ACS......
    thx Sander

  • Show config not working in ACS "Shell Command Auth set"

    To allow an AAA user access to the "show config" command I have created them an account in ACS and assigned the relevant "Shell Auth Set" but it still does not permit them to use it. I read that this may not be the command that the switch sends the ACS server. Anyone have any ideas? (The switch is configured with all AAA commands.)

    Hi,
    I am expecting that the rest of the shell command authorization configuration is good on the ACS and the device. We need to add the command show along with the argument in the command authorization set. I have attached a sample configuration for reference.
    Please verify the configuration of ACS and the device before making any changes, to keep yourself from being locked out of the device.
    ACS Shell Command Authorization Sets on IOS and ASA/PIX/FWSM Configuration Example:-
    http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

  • Shell commands in applescript noob

    Hi all this is my first post in these forums and I come seeking help with a certain script I'm writing for my current college job. The purpose of the script is to install creative cloud from a server and this is as far as I've got. First I can get as far as setting the correct directory in the server by doing:
    do script "cd /Volumes/applications/Mac/'Adobe Creative Cloud'/'Enterprise - enduser'/Build"
    now when I press run the terminal screen pops up just fine with no errors in the right directory. However I've been reading up that to do other commands in the same shell I must do do shell script. When doing this however terminal doesn't do...anything. The reason why I was trying this is because my next command would be initiating the install which is the command:
    "installer -verbose -pkg 'enterprise_Install.pkg' -target /" with administrator privileges
    Now my question is how would formulate this within applescript? Thanks.

    do shell script "cd /Volumes/applications/Mac/'Adobe Creative Cloud'/'Enterprise - enduser'/Build ;  installer -verbose -pkg 'enterprise_Install.pkg' -target / with administrator privileges"
    You got the double quote in the wrong place.
    do shell script "cd /Volumes/applications/Mac/'Adobe Creative Cloud'/'Enterprise - enduser'/Build ;  installer -verbose -pkg 'enterprise_Install.pkg' -target / " with administrator privileges
    It is easier to diagnose problems with debug information. I suggest adding log statements to your script to see what is going on.  Here is an example.
    (*
        Author: rccharles
        For testing, run in the Script Editor.
          1) Click on the Event Log tab to see the output from the log statement
          2) Click on Run
        For running shell commands see:
        http://developer.apple.com/mac/library/technotes/tn2002/tn2065.html
    *)
    on run
        -- Write a message into the event log.
        log "  --- Starting on " & ((current date) as string) & " --- "
        --  debug lines
        set unixDesktopPath to POSIX path of "/System/Library/User Template/"
        log "unixDesktopPath = " & unixDesktopPath
        set quotedUnixDesktopPath to quoted form of unixDesktopPath
        log "quoted form is " & quotedUnixDesktopPath
        try
            set fromUnix to do shell script "sudo ls -l  " & quotedUnixDesktopPath with administrator privileges
            display dialog "ls -l of " & quotedUnixDesktopPath & return & fromUnix
        on error errMsg
            log "ls -l error..." & errMsg
        end try
    end run

  • Incorporate shell commands from forms

    How to incorporate unix shell commands(eg. ls, cp) from forms9i?
    In Windows environment,it is possible by issuing
    host command(eg. HOST('DIR >k.lis') -- it moves the list of files from Oracle9i/forms90 path to a file k.lis).
    The same thing I have to do in a unix environment.

    I think you have the wrong forum. This forum has to do
    with the UIX technology inside of JDeveloper. Your
    question seems to have to do with UNIX or forms. I can't
    tell which.

  • ACS 5.3 and Command Auth

    I am rolling out the latest 5.3.0.40.6 patched ACS 1121 in a redundant pair mode. I have built user-based auth without issue but am having an issue with command auth. Once I add command auth to the test router and modify the shell profile and command set for privilege 1 and 15, none of the commands are authenticated and the report indicates the "DenyCommand" default. I have followed the user guide and the step by step from Security Solutions (link below).
    I still get no joy. Also, Cisco changed the GUI and the way command sets are built.
    (http://www.security-solutions.co.za/Cisco-ACS-5.2-Role-Based-Authentication-Authorization-For-Different-Privilege-Levels-Configuration-Example.html )
    Any help would be appreciated
    Patrick Connor

    Tarik,  thanks for the response.  I cannot get screen shots but can define the options sets.
    I created 2 command sets
    Pri-15  has only the permit all command not in the table below check box checked
    Pri-1  has a single permit "show"  with no arguments
    the Auth rule has 2 rules
    rule 1  identity group "network Admin"  any any any pri-15
    rule 2 identity group "network monitor" any any any pri-1
    service selection rule    rule 1  condition ( match system: protocol match TACACS)  result Default Device Admin   hit count 98
    the report indicated a FAIL ("13025 command failed to match a Permit rule") and the Selected Command Set = (DenyAllCommands)
    So it looks like the command set is not being recognized.  but I cannot see why?
    Thanks,
    Pat 

  • Does XI support FTP over SSL with Command AUTH TLS??

    Hi All,
    Can we change Command AUTH TLS to AUTH SSL in the Command Order of the receiver FTP adapter when you select FTPS (FTP using SSL/TLS) for Control and Data Connection?
    We are able to transfer business documents to the bank's FTP server (following RFC 2228 standards) using WS FTP Pro (I think it follows RFC 959 and 1123 standards), which uses AUTH SSL in the Command order.
    We did go through SAP note 821267 (FAQ for XI 3.0 / PI 7.0 File Adapter); question number 33 addresses the "AUTH TLS" command. But we are not getting the same error. We get a different one, as in this forum:
    Re: Error: Message processing failed: FTPEx: PBSZ=0
    Can someone please confirm if this is an issue with the FTP RFC standards? Or can we customize the FTPS adapter to send the AUTH SSL command?
    Thank you,
    Indrasena Janga

    Dear Andy,
    I am also looking for the same information.
    Could you please share with us if you have got anything related?
    Hi Experts,
    Please share your experience with us if you have any.
    Regards,
    Srinivas

  • Run a shell command using Pl/Sql

    hi all
    i wonder if anyone knows a way to run a shell command using pl/sql
    other than java stored procedure
    as it seems not to be working in my case
    thanx in advance,
    Rasha

    of course not
    I sent it once, then I got disconnected from the internet, then I reconnected
    and resent my question, so it was sent twice
    now I hope you can answer my question !!!
    Do you really think when asking twice or more often you will get a quicker answer?

  • LabView equivalent to running batch files using the "shell" command (VisualBasic)

    I'm converting a VisualBasic app to LabView and am having trouble figuring out how to run a batch file with LabView.
    The VB code that I'm trying to replicate is:
    'UNLOAD RTX DRIVERS
    Dim ProcessId As Long
    ProcessId = Shell(App.Path + "\UnloadReloadRTX.bat", vbNormalFocus)
    Wait 400
    I haven't found a LabView equivalent to the Shell command. Any suggestions will be appreciated.
    thanks,
    Todd

    It seems as if this question pops up every week. Use the System Exec.vi found under the Functions - Communications palette. It is the equivalent of Shell.
    - tbob
    Inventor of the WORM Global

  • Shell command - making Director continue whilst shell takes place

    Hi
    a quick question on Shelling -
    on a pc if i use Buddy API to Shell a command or run a bat file then i can have the Director app continue whilst the utility that I called takes place.
    However, that function doesn't work on the mac
    so i use Valentin Schmidt's shell.xtra
    which is great, and also seems to have a Callback function so I'd imagine that it allows for things to continue whilst the shell command takes place.
    But it doesn't seem to at least not when I try to create a disk image with the hdiutil command
    eg.
    tscript="echo -n $pw | hdiutil create -srcfolder '$src' -encryption -stdinpass -fs HFS+ -volname '$imagename' '$destimage'"
    shell_cmd(tscript)
    Since creating a disk image can take a while I'd rather Director continue and then I can at least monitor the size of the image as its created. Or let the user get on with using the app.
    At the moment Director is just frozen and if the image is large enough (eg 4GB) then it freezes entirely and needs a force quit.
    Has anyone had any experience of this?
    Presumably another option might be to write a script with the appropriate extension (like a bat file in Windows) and then open it with the open... with... command (because then it's running outside of Director) but I thought I'd try the neater method first.
    Thanks

    Hi Mike
    yes, asynchronous is what I'm after!
    unfortunately that asynch cmd (i've just looked at the windows readme and its called shell_cmd_thread) doesn't seem to be available in the Mac version. (v05, ie for Dir 11, which is I think the latest)
    all i get (according to the readme) is
    INTERFACE
    *shell_cmd string, *
    *shell_cmd_list string
    -- Utilities for path conversion
    *shell_hfs2posix string
    *shell_posix2hfs string
    He doesn't list it as a difference to the Win version but I've tried shell_cmd_asynch and I've tried shell_cmd_thread and that handler isn't defined on the mac.
    Thanks for the tip anyway. i will go down the batch file route, whatever that may be on a mac...

  • Executing a shell command

    Hi,
    I'm new here and have a short question. How do I execute a shell command from Java code?
    Have a nice day and lot of fun
    Yury

    Search the forum. This is explained well in other threads

  • How to append linux shell command output to MariaDB?

    That link gave me an idea, I can create an .sql template file with the "insert" query, dump the shell command output to a text file (>), then use "grep" and "sed" to append the desired parts of the command's output file to that .sql file and then execute the .sql file. What do you think?

    I haven't done this myself, but it is probably something along the lines of the answer provided in this link:
    http://stackoverflow.com/questions/3900496/using-shell-script-to-insert-data-into-remote-mysql-datab...
    

  • IS there an easy way to execute a shell command and capture its output...

    From an application? I am thinking of using fork and then waiting for the PID to finish and write the output to a file which I then read, but this seems clunky. Also there are big warnings about frameworks getting hosed if you use fork, although the "Forked" process will exec the shell command and the one that gets the PID the original process might be 'safe' from this framework corruption. I am not certain of this, it is just a guess.
    If there was something like a process class where I could specify the executable and parameters, and read from its std out until the process completed, that would be better. Or even get a callback when the process exited and an asynchronous callback for each line of data it produced.

    That was just in response to OrangeKay implied accusation that I was some kind of hard-core Microsoft programmer that sneered at apple programmers.
    You may want to book mark this, I will go over a brief history which should clear a lot of things up, about me, and about what I am doing.
    Lets turn the clock back to 1998: I graduate from a university with a BS in Computer science. I had been interning at a local defense contractor writing missile testing software. This was on a proprietary hardware and so there was no "Microsoft" involved. At this point I think Bill Gates = Satan. Microsoft = Kingdom of Evil.
    I get a job as a video game programmer. I write code from the Playstation, then the Playstation 2 and Gamecube. I do this for several years and again I have zero interest / knowledge of the Microsoft world beyond it being the OS which I am forced to use to play my games on. I had fought this by trying to use OS Warp and other things, but eventually since I mainly had a PC for games I had to get a windows OS, the first being NT 3.51 and then Win98 cause NT4.0 didn't support past directx 3 and everyone was using directX 5 or 6 (I do not remember).
    As video game companies go, they do not last. Everyone wants to write video games, anyone with some cash wants to start a company. 1 in 1000 will make it 5 years. Needless to say, as our company began to tank, I got laid off, along with my entire team. I have cash in the bank, no big deal, right?
    Well the economy started to suck, video game developers were closing down like crazy so the market was saturated with x-video game developers. 2 Years go by, no job, and almost no money. Then I get a call from some guy who wants me to come for an interview about 75 miles away. It is in a place I do not want to go. So they interview me, and ask me a bunch of general programming questions.
    I leave the place, and by the time I get home there is a message on my machine asking me if I would take the job at a ridiculously high salary (I live in an area where the cost of living is very low). Well I am about out of money and its a job offer with a huge salary, so I take it.
    I get there and guess what? I get to work on this "agent" that runs on windows boxes. I have NO IDEA how to program on windows. Windows is evil, why would I want to taint myself with this vile Microsoft APIs? I really have no choice, I have to learn how to develop on windows. I get to use visual studio 6, which I do not understand because I used the Borland compilers (Borland != Microsoft).
    Well I start to slug through it all and get familiar with MSDN and CodeProject and CodeGuru. As the years pass, I begin to appreciate the examples and detailed documentation that MSDN has. I have a start page on MSDN which covers every category of operation which will take you through a tree of choices and lead you to the exact area related API calls you will need to use to do whatever you want. Now I do not think MS = Evil anymore. I switch to DevStudio 2005 which is really nice. The debugging, IDE, and everything is great.
    Now the other half of this application resides on a server. That server is a Linux box, and the server app is written in Java. My stuff is still C++.
    One day, I get a request, and a eMac with 10.4 PPC to make a Mac version. Now I am at the point of Mac programming as I was with Windows when I started. I didn't know anything about it. I was looking for CodeWarrior cause I used that in the past, but alas, CodeWarrior is no more. I get XCode. I see all sorts of options to make a project. BSD project, Carbon, Cocoa, etc... What the heck any of these. I can guess the BSD one is very basic, but I do not understand Carbon vs Cocoa.
    So what do I do? I make a basic carbon app and make a basic Cocoa app. The carbon app looks like some kind of C++ framework. The Cocoa app? "Is this another language like Java or C#? It doesn't look like a C++ language."
    Guess which choice I make. Carbon. I struggle through this looking at the docs, posting on CodeGuru and whatnot until someone finally tells me about these forums and warns me about how unfriendly people are. So I make an account and start asking questions. I eventually get my app to be multi-platform to run on windows and Mac by using some API abstractions which are easy to do since I had abstracted the Windows API by my own class wrappers.
    I ask a lot of questions, very few are ever answered because I am not asking about simple things, like making windows and how to get button clicks and that stuff. I am asking stuff like, "How do you change the DNS? or How do I know when a user is about to log out?" Currently on my side list as I type this, I have 27 unresolved questions. I probably found workaround for most of them, or figured it out eventually.
    On this forum mostly people are helpful when they do respond, except for OrangeKay. He definitely has a chip on his shoulder.
    Over the past few years my Opinion of MS has improved greatly while my opinion of Macs (from the programmer's point of view) has dropped considerably. XCode still isn't as good as VS6 which is like 15 years old, never mind Dev studio 2005 or 2008. The documentation is scattered, not easy to find, occasionally wrong, or simply missing. The examples may not even compile or contain non-existent functions. It is unbelievable how bad it is.
    If Steve Jobs wants to really get a large coder population he ought to spend some of those billions (or is it trillions) of dollars on a team that will re-write the current documentation in a correct, easy to understand, with full examples, arranged in a logical manner for everyone to use. He should say, "See MSDN online? I want something like that, only better, it has to be MUCH better." Then he should say to the XCode team, "Look at DevStudio 2008. XCode should do EVERYTHING that does. Once that is done, IMPROVE XCode even more to make 2008 look like a joke."
    Too bad the Developer aspect of the "Apple Experience" has not gotten "End User" treatment. Then it would be a joy to develop on Macs.
    So here I am asking for help on certain things. You wonder why I do not use Cocoa. Maybe I should, maybe I shouldn't. My first look didn't look promising, and a quick look at the docs is all about GUI's. My app has NO GUI. Again, Cocoa? Maybe it will still work, but the examples and stuff I see are all about GUIs.
    When I get time, I will look at cocoa even further. MFC on windows is MOSTLY about GUI stuff, but there is a small section of it that does not deal with GUIs. CString is a great MFC class. I had to get rid of it though cause Mac's do not have a similar class. I use CStdString which is a platform agnostic CString replacement.
    I hope you are all a little more enlightened. BTW my Application which runs on Macs and PCs on no less than 3 MILLION Machines has not crashed ONCE in the past 2 years. There have been bugs, but nothing that crashed it. The bugs were mostly unforeseen situations, like what if the guy has 15 network adapters that are all LIVE? I didn't plan for that, there were complications, the server got some strange data, but it didn't crash (My app, not the server. It crashes on occasion still). Are there bugs in my code? I am sure there are, but I do not know of any, because if I did, it would be fixed.

  • Shell Command Authorization Sets for device using NDGs??

    Hello. I have NDGs configured; there is a group called "GR1" with 30 switches.
    This group is set up with a Shell Command Authorization set called "Monitoring", in which only show commands, ping and traceroute are allowed.
    I want to let users on only 10 switches of the group "GR1" configure certain interfaces and IP addresses, but not on the other switches. Note: the interface numbering is not the same for each switch; one can be Fa0/1, but for others it may be Fa0/3, etc.
    I want to retain these 10 switches within the group "GR1". Is it possible to make this configuration?
    - Thanks

    I've edited my earlier post to make it more clear. You can assign Shell Auth. Sets at the user, group or NDG level. More details are mentioned on the following link:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SPC.html#wpmkr697610
    AFAIR, one device (AAA Client) can be part of only one NDG, so you cannot achieve your requirement by using per-NDG Shell Command Authorization sets. Unless you break up the NDG into more than one NDG.
    You can assign the authorization set at the user or group level (after putting the appropriate users in the group) to achieve your requirement.
    You could also use the 'privilege' command on the switch to make sure that users can see only the commands you want. E.g. when a user logs in he will be placed at level 7. Now you can keep the undesired commands at level 15 and bring down the desired commands at level 7. All other users would be assigned a lower level (e.g. level 5), so they won't be able to run these commands.
    Regards
    Farrukh

  • Shell command line

    I am a pc programmer. What is the shell command for listing all of the files in the hard drive on by size order and piping them to a log file (or, in finder, how can I list all of the files in the hard drive by size order)?

    du |sort -nr > ~/desktop/sort.txt
    will put the list on the desktop
    It will list everything starting in the directory you are in.
    There are many ways to do this.
    for other options:
    man du
    man sort
    man ls
    Also for questions like this I suggest the Unix forum here:
    http://discussions.apple.com/forum.jspa?forumID=735
