Shell Command Authorization Sets for device using NDGs??

Hello. I NDGs configured, there is a group called "GR1" with 30 switch.
This group is set up a Shell Command Authorization set called "Monitoring", in which only show commands, ping and traceroute are allowed.
I want to let users switch in only 10 of the group "GR 1" to configure certain interfaces and IP addresses, switch to the other not. ! Note: The number of interface is not the same for each switch, one can be FA0 / 1, but for others it may fa0/3.etc.
I want to retain these 10 switch within the group "GR1", it is possible to make this configuration?
- Thanks

I've edited my earlier post to make it more clear. You can assign Shell Auth. Sets at the user,group or NDG level.More details are mentioned on the following link:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SPC.html#wpmkr697610
AFAIR, one device (AAA Client) can be part of only one NDG, so you cannot achieve your requirement by using per-NDG Shell Command Authorization sets. Unless you break up the NDG into more than one NDG.
You can assign the authorization set at the user or group level (after putting the appropriate users in the group) to achive your requirement.
You could also use the 'privilege' command on the switch to make sure that users can see only the commands you want. E.g. when a user logs in he will be placed at level 7. Now you can keep the undesired commands at level 15 and bring down the desired commands at level 7. All other users would be assigned a lower level (e.g level 5), so they wont be able to run these commands.
Regards
Farrukh

Similar Messages

  • Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets

    Hello All,
    I am trying to create a user so that I can provide him only to run commands that I have designated them to run within my "Shell Command Authorization Set". This seems to work great, however I cannot find anywhere I can "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option to only display commands the user has access to in ACS.
    My Steps:
    Created a user in ACS
    Shared Profile Components
    Create Shell command Autorization Set - "ReadOnly"
    Unmatched Commands - Deny
    Unchecked - Permit Unmatched Arg
    Commands Added
    permit interface
    permit vlan
    permit snmp contact
    permit power inline
    permit version
    permit switch
    permit controllers utilization
    permit env all
    permit snmp location
    permit ip http server status
    permit logging
    Created a group - "GroupTest" with the following
    Confirgured - Network Access Restrictions (NAR)
    Max Sessions - Unlimited
    Enable Options - No Enable Privilege
    TACACS+ Settings
    Shell (exec)
    Priviledge level is check with 1 as the assigned level
    Shell Command Authorization Set
    "ReadOnly" - Assign a Shell Command Authorization Set for any network device
    I have configured following on my Router/Switch
    aaa authorization config-commands
    aaa authorization commands 1 default group tacacs+ if-authenticated
    privilege exec level 1 show log
    I have attached below the documention I have gone over.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624

    "you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
    Correct me if I am wrong."
    Regards
    Vamsi

  • How to enable "Shell Command Authorization Sets"

    Hi there
    I use aaa over tacacs to verfiy user from ms active directory.
    I configured a new "Shell Command Authorization Set" see the attachment for details.
    But this does not work. So I just want to test whether the use of a command is working or not.
    You can see in the attached file I tried something with "show" command.
    But if I login I'm still able to use "show aaa servers" for example but in the "show" commandbox I putted the agrument "deny aaa" inside.
    Why does this not work?
    Thanx for help
    bb

    Hi BB,
    This is what you need on IOS device,
    Router(config)# username [username] password [password]
    tacacs-server host [ip]
    tacacs-server key [key]
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization config-commands
    On acs bring users/groups in at level 15
    1. Go to user or group setup in ACS
    2. Drop down to "TACACS+ Settings"
    3. Place a check in "Shell (Exec)"
    4. Place a check in "Privilege level" and enter "15" in the adjacent field
    Rest all seems to be ok.
    ~JG
    Please rate if that helps

  • ACS - Shell Command Authorization Sets

    Hi,
    I have had a problem where a set of users in two groups in ACS are struggling entering commands.  The commands are set in the Shell Command Authorization Sets and this hasnt changed.  Other commands are working.  As this is spanning two groups in ACS I am thinking it's not something with the groups but the command sets itself.
    Just to check, the commands are 'clear port-security' and clear mac address-table' - I have entered in Command 'clear' and the following attributes;
    permit port-security
    permit mac address-table'
    I've also ticked 'Permit unmatched args'
    At the same time as this is occuring I have been recieving the following messages from the ACS server via email;
    Test Timed out for service: CSAdmin
    Test Timed out for service: CSAuth
    Test Timed out for service: CSDbSync
    Test Timed out for service: CSLog
    I have looked at other posts and have restarted CSMon.  This then stops the messages for some time, then a day or so later I get the messages again.
    Could this be tied in with the command issue?  Is there something else I should look at other than restarting the server and the CSMon service again?  All other CS' services are running.
    Thanks!!
    Steve

    Thanks for your reply!
    there are no errors, the switch ios is putting the asterics as it does when you enter a command that is not recognised, i.e. for clear port-security the port-security onwards is not recognised.  On this note, the user is entered into priviledge mode and not in configure terminal mode, just base priviledge mode.  The group in ACS is set to max priviledge level 7 and have also set this on the user account in addition.
    I am using ACS v 4.1.
    While I receive the service messages and also when they go away - I always have the authorisation problem.
    Thanks
    Steve

  • ACS Shell Command Authorizations Set

    I have Cisco ACS Server V4.0
    In the shell Command Authorization Set I configure a restrict Access.
    In the privilege mode the restriction of the commands works good, but when I enter in the config prompt the restriction don't works. In this promt I can enter all commands.
    Why This?

    I have the same error with ACS Server 4.2. I can restrict in privilege mode but global config is wide open. Also any command i block in privilege mode can still be executed in global config using the "do" command. How do i block that, or find out what commands the router is sending to the ACS.

  • Wildcard mask in Shell Command Authorization Set?

    Under Shared Profile Components/Shell Command Authorization Sets in ACS, is it possible to enter a wildcard for further arguments.
    For example, say you want to permit show cam [+ all arguments], is it possible to configure show, then 'permit cam *' as the argument?
    Thanks

    Sure. Just tested this on my ACS 3.2 server with the following config:
    AAA client:
    aaa new-model
    aaa authentication login default tacacs
    aaa authorization commands 1 default group tacacs
    ACS Shell Command Set:
    Unmatched Commands = Deny
    Command = show
    Permit unmatched args = no
    args = permit ip *
    This then allows me to do "sho ip int brief" and "sho ip http server all" to name a couple, but doesn't allow me to do "sho ver".
    Hope that helps.

  • ACS Shell Command Authorization Set + restricted Access

    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0in 5.4pt 0in 5.4pt;
    mso-para-margin-top:0in;
    mso-para-margin-right:0in;
    mso-para-margin-bottom:10.0pt;
    mso-para-margin-left:0in;
    line-height:115%;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;}
    Hi  ,
    I have tried to Create a restricted Access  Shell Command Authorization Set on  ACS as told on the Cisco Url
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    After I applied the same on a User  Group I found the users on the group have complete access after typing the conf  t  on the equipments . My ultimate aim was restrict the access only at Interface level , Attached is the config details . Could anyone has come across such scenario . Please check my config and   let me know any thing need to be done specially from My Side
    Thanks in Advance
    Regards
    Vineeth

    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0in 5.4pt 0in 5.4pt;
    mso-para-margin-top:0in;
    mso-para-margin-right:0in;
    mso-para-margin-bottom:10.0pt;
    mso-para-margin-left:0in;
    line-height:115%;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;}
    Hi Jatin ,
    first of all Thank you very much . It startted working after aaa authorization config-commands
    here I was trying to achive one  specfic  thing .
    I want to stop  the following commands  on ACS “switchport trunk allowed vlan 103” . I only want allow “add”  after “vlan” and block rest all arguments
    But even after setting the filter on ACS Still we are able to execute the command is there anything like we cannot control the commands after the sub commands
    Also I am attaching the filter list along with this. Could you have look on this and let me know whether I have configured something wrongly. Other than this is there any work around is available to achieve this .
    Thanks and Regards
    Vineeth

  • Shell Command Authorization Sets ACS

    hi i followed this guide step by step http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    but still all my user  can use all the commands
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R3
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa authentication login milista group tacacs+ local
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa session-id common
    memory-size iomem 5
    ip cef
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    multilink bundle-name authenticated
    username admin privilege 15 secret 5 $1$CS17$3oeNpzTvJAyZTvOUP2qyB1
    archive
    log config
    hidekeys
    interface FastEthernet0/0
    ip address 192.168.20.1 255.255.255.0
    duplex auto
    speed auto
    interface Serial0/0
    no ip address
    shutdown
    clock rate 2000000
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    interface Serial0/1
    ip address 20.20.20.2 255.255.255.252
    clock rate 2000000
    interface Serial0/2
    no ip address
    shutdown
    clock rate 2000000
    interface Serial0/3
    no ip address
    shutdown
    clock rate 2000000
    router eigrp 1
    network 20.0.0.0
    network 192.168.20.0
    no auto-summary
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    tacacs-server host 192.168.20.2 key cisco
    control-plane
    line con 0
    exec-timeout 0 0
    logging synchronous
    login authentication milista
    line aux 0
    line vty 0 4
    end
    i copy the authorization commands from the cisco forum and follow  the steps but no thing all my users have full access to all commands
    heres my share profile
    name-------------admin jr
    Description---------for jr admin
    unmatched commands------- ()permit  (x)deny
    permint unmatched args()
    enable
    show -------------------------- permit version<cr>
    permit runnig-config<cr>
    then i add this profifle to group 2 and then i add my user to the group 2
    then i log in to the router enter with the user and i still can use ALL the commands i dont know what i am doign bad any idea?
    can you  give me  if you can a guide to setup authorization with ACS i cant find any good guide  jeremy from CBT gives a example but just for authentication i am lost  i am battling with this  prblem since wednesday without luck

    "you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
    Correct me if I am wrong."
    Regards
    Vamsi

  • ACS Shell Command Authorization Sets on IOS and ASA/PIX Configuration

    Hi,
    I need to activate a control privileges of users on various devices.
    I found this interesting document:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    and using a router with IOS 124-11.XV1 work normally while using a switch 2960-24TC with IOS 12.2.25SEE3 not working.
    All users (read and full access) access on a not priviledge mode.
    WHY?
    I have a ACS v3.3 build 2
    I have a 2960-24TC with IOS 12.2.25SEE3
    I tried with a acs v4.1 without success.
    Thanks.

    If you want user to fall directly in enable mode,then you should have this command,
    aaa authorization exec default group tacacs+ if-authenticated
    Bring users/groups in at level 15
    1. Go to user or group setup in ACS
    2. Drop down to "TACACS+ Settings"
    3. Place a check in "Shell (Exec)"
    4. Place a check in "Privilege level" and enter "15" in the adjacent field
    Regards,
    ~JG

  • ACS - Shell Command Authorization Set

    Hi
    i am trying to set specific SHOW arguments for a user ,  but the user always gain access to all show arguments , please find below
    privilege exec level 5 show ip route
    aaa authorization commands 5 TELNET group tacacs+
    aaa authorization exec TELNET group tacacs+
    aaa authentication login TAC group tacacs+
    tacacs-server host 10.0.0.100 key ccie-acs
    radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key CISCO
    line vty 0 4
      password cisco
      authorization commands 5 TELNET
      authorization exec TELNET
      login authentication TAC

    By default, there are three command levels on the router:
        privilege level 0 — Includes the disable, enable, exit, help, and logout commands.
        privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
        privilege level 15 — Includes all enable-level commands at the router# prompt.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
    for example show run, this command is privilege 15 command. Previously, the authorization command for 15 level was not configured on the IOS so your command set was not matching and user was able to run all the commands. Since we have configured 0,1,15 so this would now cover most of the commands.
    Hope this helps.
    Regards,
    Jatin
    Do rate helpful posts-

  • Shell command authorization set

    umatched commands set to deny
    command "configure" argument "permit terminal"
    user has full access to all. i just want user to adjust vty lines. I also have the following commands
    show with argument"permit run and start"
    thats all i have set up in command. they should not be able to do anything in the config mode "Yet"

    i do not have that in my config. I do not know where i would put it. here is my config
    aaa new-model
    aaa authentication login default group tacacs+ line
    aaa authentication login no_tacacs enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization network default group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+

  • Command Authorization Set Show Run Permissions Only

    Hi All,
    I am trying to set up aaa authorization using Cisco ACS 4.2 so that my Helpdesk Users have the ability to do show commands only.
    I have followed the instructions from http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    and this doesn't work as intended.
    I have followed the document to a tee but when I log in with my test2 user account it gives me user mode access only (> prompt) instead of Priv Exec (# prompt) but with only show command privileges!  I guess this is because I am specifying level 1 access but that's what the doc says to do.......
    My config is as follows:
    Cisco 2811 Router
    aaa new-model
    aaa authentication login defaut group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa session-id common
    ACS 4.2 Config
    Shell Command Authorization Set: Name = ReadOnlyAccess - Unmatched commands set to Deny, with the show command configured in the box below and I have checked the Permit Unmatched Args check box next to it
    User: Test2 in UserGroup: ReadOnlyGroup with Enable options - Max Priv for any AAA Client: Level 1, TACACS+ - Shell (exec) box checked and Priv level checked and set to 1
    Shell Command Authorisation Set - Assign a Shell Command Authorization Set for any network Device radio button selected specifying ReadOnlyAccess as the Command authorisation set to apply.
    Thanks in advance
    David

    All,
    I have resolved this issue by giving my Test2 User account Priv 15 access and then specifying the commands that can be permitted within the command authorisation set applied to all devices, which is the way I thought it should be done in the first place

  • ACS SE - Shell Command Authorization

    Hi Sir,
    I have deployed an ACS Solution Engine 4.1(1) Build 23 to provide AAA services for routers/switches login.
    I'd like to create a user group that is restricted to only "show" commands when the users log in to the network devices.
    I have done the following steps:
    (1) Shared Profile Components -> Shell Command Authorization Sets
    Added a new set. Call it NOC. I added the command "show". For "Unmatched Commands", I selected Deny. I also checked "Permit Unmatched Args".
    (2) Group Setup.
    Created a new group. Call it NOC. For Enable Options, I selected "Max Privilege for any AAA Client" value of "Level 7".
    For TACACS+ Settings, I checked "Shell (exec)" and set "Privilege level" to 7.
    For Shell Command Authorization Set, I selected NOC for "Assign a Shell Command Authorization Set for any network device".
    (3) User Setup.
    Created a new user. Call it noc. Assign it to group NOC. All parameters point to group setting.
    (4) The AAA commands on the routers/switches are as follows:
    aaa new-model
    aaa authentication login default group tacacs+ local enable
    aaa authorization exec default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    ip tacacs source-interface Loopback0
    tacacs-server host 10.10.10.10 key 0 tacacskey
    When the noc logs in, he's given privilege level 7. True, he's limited to only "show" commands. He can't do "config t". However, he also can't do "show run". Is it normal? I'd need him to be able to do "show run". How to configure the ACS?
    Thank you.
    B.Rgds,
    Lim TS

    Hi Narayan,
    Appreciate your detailed configuration steps.
    My intention is to create a shell command authorization set that allows a user group to only perform "show" commands, including complete config of "sh run". This group is not allowed to configure anything.
    See my original post for my configuration steps. I tied the group to the above authorization set and assigned it Level 7.
    The outcome is, the user can do all "show" commands except "sh run". Of course, he is not authorized for configuration commands.
    I came across the following link:
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
    Perhaps it explains the problem here. If I understand it correctly, a user can't see in the output of "sh run" what he can't configure at his privilege level or below.
    The same issue happens when I configured the following:
    no aaa new-model
    username noc privilege 7 password test
    privilege exec level 7 show
    line vty 0 4
    login local
    The user "noc" can't do "sh run".
    Thank you.
    B.Rgds,
    Lim TS

  • Show config not working in ACS "Shell Command Auth set"

    To allow an AAA user access to the "show config" command I have created them an account in ACS and assigned the relevant "Shell Auth Set" but it still does not permit them to use it?, I read that this may not be the command that the switch sends the ACS server. Anyone have any ideas (switch is configured with all AAA commands)

    Hi,
    I am expecting that rest of the shell command authorization configuration is good on the ACS and device. We need to add command show along with the argument in command authorization set. I have attached a sample configuration for reference.
    Please verify the configuration of ACS and device before making any changes from keeping your self locked on the device.
    ACS Shell Command Authorization Sets on IOS and ASA/PIX/FWSM Configuration Example:-
    http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

  • Cisco ACS command authorization sets

    I need help on the following please.
    1. - I am using ACS as TACACS server to control IOS authorization on all our Switches, However I can not deny telnet sessions to other devices from within CatOS - does anyone know the command authorization set to deny this within ACS ????
    2. Does anyone know where I can read up on command authorizations sets for ACS ??
    3. What is the debug command for CatOS to see cli output ?
    Many thanks
    Rod

    Thanks for your info. I have solved my problem -
    1. I enabled tacacs administration logging using command on switch aaa authorization commands 15 default group tacacs+
    This let me see what what happening everytime I entered a command on CatOS - via the logging monitor on ACS. From here i was able to see that when i was trying to telnet to a device from CatOS it was doing it on Privilage mode 1. I then entered this command aaa authorization commands 1 default group tacacs+ which solved my telnet problem.
    Problem resolved.
    Many thanks.

Maybe you are looking for

  • Pre-Provisioning Bit Locker in MDT 2012 SP1 while using MBAM 2.5 - No Pin Required

    Does anyone have some step by step instructions for Pre-Provisioning Bit Locker. Through task sequences, we are currently able to bit locker the computers but it's the last set of tasks.  I would like to Bit Locker the computer while no data is on th

  • Adobe Acrobat 9 no more updates?

    My company has about 50 licenses of Adobe Acrobat 9 (updated to 9.5.5). For a while updates were fast and furious. I checked their website today and saw that V 9.5.5 was "Latest and FINAL release. This patch fixes specific security issues." Does this

  • Java Advanced Imaging - Imaging Client Server application

    Hello, I try to send images compressed from a server to a client, the first Image is received by the client, but nothing append after. The client send an error that says that the socket connection is closed and I don't know wky ! I am using "JAI" for

  • Extended Classic : Unable to create purchase order

    Hi All, We are using SRM5.0 system, i did required configuration for extended classic. I defined number ranges for local and backend purchase orders. But after creating SC, system is unable to create purchase order. Shopping cart is not ended up in e

  • Ipad not syncing, only charges when off

    Disclamers: I use the larger original usb plug to charge (not a small iphone brick or my laptop). And a car adapter that is rated for iPad. There is no water damage. It was dropped a long time ago but has worked without problem before and since. Last