Show config not working in ACS "Shell Command Auth set"

Similar Messages

• ACS - Shell Command Authorization Sets

  Hi,
  I have had a problem where a set of users in two groups in ACS are struggling entering commands.  The commands are set in the Shell Command Authorization Sets and this hasnt changed.  Other commands are working.  As this is spanning two groups in ACS I am thinking it's not something with the groups but the command sets itself.
  Just to check, the commands are 'clear port-security' and clear mac address-table' - I have entered in Command 'clear' and the following attributes;
  permit port-security
  permit mac address-table'
  I've also ticked 'Permit unmatched args'
  At the same time as this is occuring I have been recieving the following messages from the ACS server via email;
  Test Timed out for service: CSAdmin
  Test Timed out for service: CSAuth
  Test Timed out for service: CSDbSync
  Test Timed out for service: CSLog
  I have looked at other posts and have restarted CSMon.  This then stops the messages for some time, then a day or so later I get the messages again.
  Could this be tied in with the command issue?  Is there something else I should look at other than restarting the server and the CSMon service again?  All other CS' services are running.
  Thanks!!
  Steve

  Thanks for your reply!
  there are no errors, the switch ios is putting the asterics as it does when you enter a command that is not recognised, i.e. for clear port-security the port-security onwards is not recognised.  On this note, the user is entered into priviledge mode and not in configure terminal mode, just base priviledge mode.  The group in ACS is set to max priviledge level 7 and have also set this on the user account in addition.
  I am using ACS v 4.1.
  While I receive the service messages and also when they go away - I always have the authorisation problem.
  Thanks
  Steve

• ACS Shell Command Authorization Set + restricted Access

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  Hi  ,
  I have tried to Create a restricted Access  Shell Command Authorization Set on  ACS as told on the Cisco Url
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  After I applied the same on a User  Group I found the users on the group have complete access after typing the conf  t  on the equipments . My ultimate aim was restrict the access only at Interface level , Attached is the config details . Could anyone has come across such scenario . Please check my config and   let me know any thing need to be done specially from My Side
  Thanks in Advance
  Regards
  Vineeth

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  Hi Jatin ,
  first of all Thank you very much . It startted working after aaa authorization config-commands
  here I was trying to achive one  specfic  thing .
  I want to stop  the following commands  on ACS “switchport trunk allowed vlan 103” . I only want allow “add”  after “vlan” and block rest all arguments
  But even after setting the filter on ACS Still we are able to execute the command is there anything like we cannot control the commands after the sub commands
  Also I am attaching the filter list along with this. Could you have look on this and let me know whether I have configured something wrongly. Other than this is there any work around is available to achieve this .
  Thanks and Regards
  Vineeth

• ACS Shell Command Authorizations Set

  I have Cisco ACS Server V4.0
  In the shell Command Authorization Set I configure a restrict Access.
  In the privilege mode the restriction of the commands works good, but when I enter in the config prompt the restriction don't works. In this promt I can enter all commands.
  Why This?

  I have the same error with ACS Server 4.2. I can restrict in privilege mode but global config is wide open. Also any command i block in privilege mode can still be executed in global config using the "do" command. How do i block that, or find out what commands the router is sending to the ACS.

• AAA with CatOS and ACS (shell command autorization set)

  Hi,
  I have an ACS that authenticates and authorizes IOS devices.
  I use "shell command autorization set" to authorize some commands for some groups.
  Is it possible to do so with CatOS?
  For example, I'd like that the groupe FULL can access all command and the group LOW can onmy access "sho" commands?
  Regards,
  ROMS

  Console> (enable) set tacacs server [IP] [primary]
  set tacacs key [key]
  set tacacs attempts [number] (optional)
  set localuser user [user] password [password] privilege 15
  set authentication login local enable
  set authentication login tacacs enable [all | console | http | telnet] [primary]
  set authorization exec enable tacacs+ [deny | none] [console | telnet | both]
  set authorization commands enable [config | all] tacacs+ [deny | none] [console |telnet | both]
  regards,
  ~JG

• ACS 4.0, only 1 Shell Command auth. set possible

  Hi all,
  I am wondering if this is a "hidden feature" of the evaluation software or a bug...
  I am currently running Cisco Acs server v.4.0 (evaluatie version) Win2k3 platform; with authentication, authorization and accouting.
  In a nutshell I have the following setup:
  - group1 uses: Shell Command Authorization Set1
  - group2 uses: Shell Command Authorization Set2
  Problem: Users in group2 are somehow authorized against the commands listed in Shell Auth. Comm. set1 instead of the configured Shell Auth. Comm. set2
  Is it possible that with the evaluation software only one Shell Command Authorization Set is allowed to be active? Does anyone know?
  Many thx
  Sander

  Problem resolved by renaming authorization sets and reloading ACS......
  thx Sander

• ACS Shell Command Authorization Sets on IOS and ASA/PIX Configuration

  Hi,
  I need to activate a control privileges of users on various devices.
  I found this interesting document:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  and using a router with IOS 124-11.XV1 work normally while using a switch 2960-24TC with IOS 12.2.25SEE3 not working.
  All users (read and full access) access on a not priviledge mode.
  WHY?
  I have a ACS v3.3 build 2
  I have a 2960-24TC with IOS 12.2.25SEE3
  I tried with a acs v4.1 without success.
  Thanks.

  If you want user to fall directly in enable mode,then you should have this command,
  aaa authorization exec default group tacacs+ if-authenticated
  Bring users/groups in at level 15
  1. Go to user or group setup in ACS
  2. Drop down to "TACACS+ Settings"
  3. Place a check in "Shell (Exec)"
  4. Place a check in "Privilege level" and enter "15" in the adjacent field
  Regards,
  ~JG

• ACS - Shell Command Authorization Set

  Hi
  i am trying to set specific SHOW arguments for a user ,  but the user always gain access to all show arguments , please find below
  privilege exec level 5 show ip route
  aaa authorization commands 5 TELNET group tacacs+
  aaa authorization exec TELNET group tacacs+
  aaa authentication login TAC group tacacs+
  tacacs-server host 10.0.0.100 key ccie-acs
  radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key CISCO
  line vty 0 4
    password cisco
    authorization commands 5 TELNET
    authorization exec TELNET
    login authentication TAC

  By default, there are three command levels on the router:
      privilege level 0 — Includes the disable, enable, exit, help, and logout commands.
      privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
      privilege level 15 — Includes all enable-level commands at the router# prompt.
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
  for example show run, this command is privilege 15 command. Previously, the authorization command for 15 level was not configured on the IOS so your command set was not matching and user was able to run all the commands. Since we have configured 0,1,15 so this would now cover most of the commands.
  Hope this helps.
  Regards,
  Jatin
  Do rate helpful posts-

• Shell Command Auth Question

  I'm trying to setup a Shell command auth set for clearing interface counters but I can't think of a way to do so. Is there a way to do something like:
  "permit counters interface *"?
  TIA

  I'm assuming you are using CSACS (not indicated) for defining your command sets.
  e.g.:
  "Deny" radio button selected (i.e.: only listed commands will be authorized).
  Command List:
  clear
  disable
  enable
  show
  "Clear" command argument(s) set as follows:
  (a) Deselect the "Permit Unmatched Args" checkbox.
  (b) Enter the following argument(s) into the list:
  permit counters
  ... or, to be more specific:
  permit counters Ethernet 0
  permit counters FastEthernet 0
  This should result in the ability to clear all counters, or the counters of specific interfaces (if you define them).
  Notes:
  (1) Command arguments are case sensitive and may differ from how they are entered at the CLI.
  (2) A sniffer is helpful in determining proper case.
  (3) Wireshark is capable of decrypting TACACS+ packets if you configure the application with the password.

• Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets

  Hello All,
  I am trying to create a user so that I can provide him only to run commands that I have designated them to run within my "Shell Command Authorization Set". This seems to work great, however I cannot find anywhere I can "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option to only display commands the user has access to in ACS.
  My Steps:
  Created a user in ACS
  Shared Profile Components
  Create Shell command Autorization Set - "ReadOnly"
  Unmatched Commands - Deny
  Unchecked - Permit Unmatched Arg
  Commands Added
  permit interface
  permit vlan
  permit snmp contact
  permit power inline
  permit version
  permit switch
  permit controllers utilization
  permit env all
  permit snmp location
  permit ip http server status
  permit logging
  Created a group - "GroupTest" with the following
  Confirgured - Network Access Restrictions (NAR)
  Max Sessions - Unlimited
  Enable Options - No Enable Privilege
  TACACS+ Settings
  Shell (exec)
  Priviledge level is check with 1 as the assigned level
  Shell Command Authorization Set
  "ReadOnly" - Assign a Shell Command Authorization Set for any network device
  I have configured following on my Router/Switch
  aaa authorization config-commands
  aaa authorization commands 1 default group tacacs+ if-authenticated
  privilege exec level 1 show log
  I have attached below the documention I have gone over.
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624

  "you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
  Correct me if I am wrong."
  Regards
  Vamsi

• 1. TACAS+ Accounting and Logged in Users report is not working on ACS 4.1(1

  Hi,
  I am facing problem with ACS 4.1 accounting, TACAS+ Accounting and Logged in Users report are not working, the csv file is been generated but nothing is showened in the file.
  I have checked the documents related to ACS 4.1, it says that there is a bug related to command accounting “CSCsg97429 - TACACS+ Command Accounting does not work in ACS 4.1(1) Build 23”.
  Tried upgrading the same with the patch applAcs-4.1.1.23.3.zip, still it is not working.
  Other reports are working fine.
  1. TACAS+ Accounting - not working
  2. Logged in Users - not working
  3. TACAS+ Administration - working
  4. Passed Authentication - working
  5. Failed Attempts - working
  Any suggestions or any idea, please revert.
  Regards
  Vineet

  Hi,
  Thanks
  Yes I have configured the command “aaa accounting exec default start-stop group tacacs+”
  As I have mentioned all the other reports are working. Which user and when he has logged in and what commands he has used. Only the TACAS+ Accounting and logned user is not working.
  Regards,
  Vineet

• ACS shell command authorization help

  Hello,
  I wanted to only allow users to use interface command. But when I permit config terminal in ACS shell command set, all the commands are allowed. How can I limited the users to only have the permission for interfacce command?
  Thanks

  Two things could be wrong
  1) You don't have the following command on your AAA Client:
  aaa authorization config-commands
  2) You have clicked the 'Unmatched Commands' = Permit radio option in ACS, have a look at:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  Regards
  Farrukh

• HT4539 All my old tv shows are not working please help my computer sed I have to Atheris 5 computers to play all my old tv shows I Pade for with eney Itunas cards. :( :'(

  All my old tv shows are not working please help my computer sed I have to Atheris 5 computers to play all my old tv shows I Pade for with eney Itunas cards.

  What do y mean by not work?
  What happens when y try to play them on yur iPod?
  What happens when yo try to play them in iTunes on yur computer?
  If you get a message what is the exact wording of the message?
  You can redownload most iTunes purchases by:
  Downloading past purchases from the App Store, iBookstore, and iTunes Store        
  Some countries do not allow redownloads some kinds of media

• How to enable "Shell Command Authorization Sets"

  Hi there
  I use aaa over tacacs to verfiy user from ms active directory.
  I configured a new "Shell Command Authorization Set" see the attachment for details.
  But this does not work. So I just want to test whether the use of a command is working or not.
  You can see in the attached file I tried something with "show" command.
  But if I login I'm still able to use "show aaa servers" for example but in the "show" commandbox I putted the agrument "deny aaa" inside.
  Why does this not work?
  Thanx for help
  bb

  Hi BB,
  This is what you need on IOS device,
  Router(config)# username [username] password [password]
  tacacs-server host [ip]
  tacacs-server key [key]
  aaa new-model
  aaa authentication login default group tacacs+ local
  aaa authorization exec default group tacacs+ if-authenticated
  aaa authorization commands 1 default group tacacs+ if-authenticated
  aaa authorization commands 15 default group tacacs+ if-authenticated
  aaa authorization config-commands
  On acs bring users/groups in at level 15
  1. Go to user or group setup in ACS
  2. Drop down to "TACACS+ Settings"
  3. Place a check in "Shell (Exec)"
  4. Place a check in "Privilege level" and enter "15" in the adjacent field
  Rest all seems to be ok.
  ~JG
  Please rate if that helps

• Wildcard mask in Shell Command Authorization Set?

  Under Shared Profile Components/Shell Command Authorization Sets in ACS, is it possible to enter a wildcard for further arguments.
  For example, say you want to permit show cam [+ all arguments], is it possible to configure show, then 'permit cam *' as the argument?
  Thanks

  Sure. Just tested this on my ACS 3.2 server with the following config:
  AAA client:
  aaa new-model
  aaa authentication login default tacacs
  aaa authorization commands 1 default group tacacs
  ACS Shell Command Set:
  Unmatched Commands = Deny
  Command = show
  Permit unmatched args = no
  args = permit ip *
  This then allows me to do "sho ip int brief" and "sho ip http server all" to name a couple, but doesn't allow me to do "sho ver".
  Hope that helps.