TACACS+ Command Auth and Config T

Can I use Command Auth Sets in CiscoSecure to provide a subset of configuration commands? I want to give Interface commands, but not anything else.

Hi,
Sure you can. See the attachment.
Regards,
Prem

Similar Messages

  • TACACS+ command authorization and ACS "Quirk"(?)

    Hi All,
    I've created a limited access command set for a few of my engineers. They can shut/no shut ports, change VLANs on access ports etc, but they can't access critical ports like uplinks. That's working fine. I'd like to take it a step further and ensure that they can't accidentally assign a server VLAN to a user access port. Using ACS 4.2.
    For the example, I'll use VLAN 101, which is one of my server networks.
    My Command set says:
    Command: switchport
    Arguments: permit access, permit vlan, deny 101
    Permit Unmatched Args is UNCHECKED.
    When I debug the aaa authorization, I see this:
    146425: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): user=<my Testuser>
    146426: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV service=shell
    146427: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd=switchport
    146428: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=access
    146429: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=vlan
    146430: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=101
    146431: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=<cr>
    146432: Mar  8 09:39:19.362: AAA/AUTHOR (3413047404): Post authorization status = PASS_ADD
    I know I have the correct command set applied, because it blocks me appropriately for other commands.
    146451: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): user=<my Testuser>
    146452: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV service=shell
    146453: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd=interface
    146454: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=GigabitEthernet
    146455: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=1/1
    146456: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=<cr>
    146457: Mar  8 09:39:22.730: AAA/AUTHOR (838742026): Post authorization status = FAIL
    Any thoughts why it's not working as expected?

    Don’t mean to be ignorant about this, but is there a way to export the config from ACS? Router config section is below…I’ve used this successfully with 4.2 several times…
    ip tacacs source-interface gi 0/0
    tacacs-server directed-request
    tacacs-server key
    tacacs-server host x.x.x.x
    aaa new-model
    aaa authentic login default group tacacs+ local
    aaa authentic login no-tacacs none
    aaa authentic enable default group tacacs+ enable
    aaa author config-commands
    aaa author exec default if-authenticated
    aaa author commands 1 default if-authenticated
    aaa author commands 15 default group tacacs+ local
    aaa author console
    aaa account exec default start-stop group tacacs+
    aaa account commands 0 default start-stop group tacacs+
    aaa account commands 1 default start-stop group tacacs+
    aaa account commands 15 default start-stop group tacacs+
    aaa account connection default start-stop group tacacs+
    aaa account system default start-stop group tacacs+
    aaa session-id common

  • ACS 5.3 and Command Auth

    I am rolling out the latest 5.3.0.40.6 patched ACS 1121 in a redundant pair mode. I have built user-based auth without issue but am having an issue with command auth. Once I add command auth to the test router and modify the shell profile and command set for privilege 1 and 15, none of the commands are authenticated and the report indicates the "DenyCommand" default. I have followed the user guide and the step by step from Security Solutions (link below).
    I still get no joy. Also Cisco changed the GUI and the way command sets are built.
    (http://www.security-solutions.co.za/Cisco-ACS-5.2-Role-Based-Authentication-Authorization-For-Different-Privilege-Levels-Configuration-Example.html )
    Any help would be appreciated.
    Patrick Connor

    Tarik, thanks for the response. I cannot get screen shots but can define the option sets.
    I created 2 command sets:
    Pri-15 has only the "permit all commands not in the table below" check box checked.
    Pri-1 has a single permit "show" with no arguments.
    The Auth rule has 2 rules:
    rule 1: identity group "network Admin", any any any, pri-15
    rule 2: identity group "network monitor", any any any, pri-1
    service selection rule: rule 1, condition (match system: protocol match TACACS), result Default Device Admin, hit count 98
    The report indicated a FAIL "13025 command failed to match a Permit rule" and the Selected Command Set = (DentAllCommands)
    So it looks like the command set is not being recognized, but I cannot see why.
    Thanks,
    Pat 

  • ACS 5.1 command authorization in config mode

    Hello all,
    I have set up an ACS 5.1 system and a Cisco 3560 as a test device. On the ACS system I have defined a user that will have limited access to Cisco CLI commands (privilege 15 through Shell Profile and limited commands through Command Sets). While this is working great for commands run under enable mode (meaning that the authorization denied the commands that I've specified in the Command Sets), it seems that it's not working under configure mode (e.g. I have denied commands like "router ospf" and "router bgp", but the user can still apply them).
    Before posting, I searched this forum and found 2 posts:
    https://supportforums.cisco.com/thread/2041611
    https://supportforums.cisco.com/message/3057298
    that suggest to have the AAA configured with:
    aaa authorization config-commands
    I already have this command and it still doesn't work. Actually my entire AAA config looks like this:
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    Did I miss something? Do you have any suggestion for me?
    Thank you!
    Calin

    Can you run a "debug aaa authorization" to see what happens?

  • Shell Command Auth Question

    I'm trying to setup a Shell command auth set for clearing interface counters but I can't think of a way to do so. Is there a way to do something like:
    "permit counters interface *"?
    TIA

    I'm assuming you are using CSACS (not indicated) for defining your command sets.
    e.g.:
    "Deny" radio button selected (i.e.: only listed commands will be authorized).
    Command List:
    clear
    disable
    enable
    show
    "Clear" command argument(s) set as follows:
    (a) Deselect the "Permit Unmatched Args" checkbox.
    (b) Enter the following argument(s) into the list:
    permit counters
    ... or, to be more specific:
    permit counters Ethernet 0
    permit counters FastEthernet 0
    This should result in the ability to clear all counters, or the counters of specific interfaces (if you define them).
    Notes:
    (1) Command arguments are case sensitive and may differ from how they are entered at the CLI.
    (2) A sniffer is helpful in determining proper case.
    (3) Wireshark is capable of decrypting TACACS+ packets if you configure the application with the password.
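To check a rule list such as the `switchport` one in the "ACS Quirk" thread above (permit access, permit vlan, deny 101, unmatched args not permitted) or the `clear` list in this reply before trusting it on a live switch, the following Python script is an added example written for this page; it is not code from either thread or from Cisco ACS. It parses the `debug aaa authorization` lines quoted in the "ACS Quirk" thread into per-session cmd/cmd-arg requests and re-evaluates them against two constructed matching models, which are this example's assumptions about how argument rules might be applied: `joined`, where the first rule matching the whole argument string decides, and `per_token`, where every cmd-arg value must be permitted on its own. The `CommandSet` class, its mode names and the `DENY_FIRST_SET` variant are all inventions of this example.

```python
"""Parse IOS 'debug aaa authorization' output for TACACS+ command requests and
re-evaluate them against a model of an ACS command set.

Added example for this page, not Cisco ACS code. The two matching models
('joined' and 'per_token') are assumptions used to show how one rule list can
give different verdicts depending on how cmd-arg values are matched.
"""
import re

AV_RE = re.compile(r"AAA/AUTHOR/TAC\+: \((\d+)\): send AV ([\w-]+)=(.*)$")
STATUS_RE = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\w+)")

# Debug lines quoted from the 'ACS Quirk' thread (session ids unchanged).
DEBUG_LINES = """\
146425: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): user=<my Testuser>
146426: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV service=shell
146427: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd=switchport
146428: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=access
146429: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=vlan
146430: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=101
146431: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=<cr>
146432: Mar  8 09:39:19.362: AAA/AUTHOR (3413047404): Post authorization status = PASS_ADD
146452: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV service=shell
146453: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd=interface
146454: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=GigabitEthernet
146455: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=1/1
146456: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=<cr>
146457: Mar  8 09:39:22.730: AAA/AUTHOR (838742026): Post authorization status = FAIL
""".splitlines()


def parse_debug(lines):
    """Group AV pairs by session id into {sid: {"cmd", "args", "status"}}."""
    sessions = {}
    for line in lines:
        m = AV_RE.search(line)
        if m:
            sid, key, val = m.group(1), m.group(2), m.group(3).strip()
            s = sessions.setdefault(sid, {"cmd": "", "args": [], "status": ""})
            if key == "cmd":
                s["cmd"] = val
            elif key == "cmd-arg" and val != "<cr>":  # <cr> only terminates the argument list
                s["args"].append(val)
            continue
        m = STATUS_RE.search(line)
        if m and m.group(1) in sessions:
            sessions[m.group(1)]["status"] = m.group(2)
    return sessions


class CommandSet:
    """rules: {command: [(action, regex), ...]} in the order listed in the ACS GUI.
    permit_unlisted_cmds=False models the 'Deny' radio button (only listed
    commands are authorized); permit_unmatched_args models the check box."""

    def __init__(self, rules, permit_unmatched_args=False, permit_unlisted_cmds=False):
        self.rules = rules
        self.permit_unmatched_args = permit_unmatched_args
        self.permit_unlisted_cmds = permit_unlisted_cmds

    def _first_match(self, rules, text):
        for action, pattern in rules:
            if re.search(pattern, text):
                return action
        return "permit" if self.permit_unmatched_args else "deny"

    def evaluate(self, cmd, args, mode="joined"):
        """'joined': the first rule matching the whole argument string decides.
        'per_token': every cmd-arg value must be permitted on its own."""
        if cmd not in self.rules:
            return "PASS" if self.permit_unlisted_cmds else "FAIL"
        rules = self.rules[cmd]
        if mode == "joined":
            return "PASS" if self._first_match(rules, " ".join(args)) == "permit" else "FAIL"
        for tok in args:
            if self._first_match(rules, tok) == "deny":
                return "FAIL"
        return "PASS"


# Rule list from the 'ACS Quirk' thread: permit access, permit vlan, deny 101.
SWITCHPORT_SET = CommandSet({"switchport": [("permit", "access"), ("permit", "vlan"), ("deny", "101")]})
# Same rules with the deny line moved to the top (constructed variant).
DENY_FIRST_SET = CommandSet({"switchport": [("deny", "101"), ("permit", "access"), ("permit", "vlan")]})
# Rule list from the reply above: 'Deny' radio button, clear limited to 'permit counters'.
CLEAR_SET = CommandSet({"clear": [("permit", "^counters")]})


def verdicts(lines, command_set, mode="joined"):
    """{sid: (cmd, args, model verdict, status logged by IOS)} for every request."""
    out = {}
    for sid, s in parse_debug(lines).items():
        out[sid] = (s["cmd"], s["args"], command_set.evaluate(s["cmd"], s["args"], mode), s["status"])
    return out


if __name__ == "__main__":
    for mode in ("joined", "per_token"):
        print(f"--- {mode} ---")
        for sid, (cmd, args, v, logged) in verdicts(DEBUG_LINES, SWITCHPORT_SET, mode).items():
            print(f"{sid}: {cmd} {' '.join(args)!r:<24} model={v:<4} logged={logged}")
    print("clear counters GigabitEthernet 1/1 ->",
          CLEAR_SET.evaluate("clear", ["counters", "GigabitEthernet", "1/1"]))
```

On the quoted debug lines only the `joined` model reproduces both observations on the page (PASS_ADD for `switchport access vlan 101` and FAIL for `interface GigabitEthernet 1/1`), and it is also the model under which the reply's single `permit counters` line lets `clear counters <interface>` through. Under that model the position of a deny line matters: with `deny 101` moved to the top of the list the same request fails. A packet capture, as the reply suggests, is the way to confirm the exact cmd-arg values the server receives before relying on either model.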

  • JMX java.security.auth.login.config module not loading

    All
    I would like to setup my JMX remote to encrypt the password. My class implements LoginModule and I have the following command line configurations
    set JMX_AUTH_DETAILS=-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=5000 -Djava.security.auth.login.config==C:\bin\sample_jaas.config
    The configuration file is:
    /** Login Configuration for the JAAS Sample Application **/
    Sample {
       com.jmx.SampleLoginModule required debug=true;
    };
    I have placed the jar in my classpath and loaded it with the JVM starting up. But I get an error saying unable to find passwordFile=C:\Program Files\Java\jre6\lib\management\jmxremote.password
    even when I set this on the command line args. And when I do a remote debug via Eclipse it does not seem to execute the initialize on my SampleLoginModule class. Am I missing a command line arg?

    hi,
    Thanks for your response; finally I got the solution. As you told me, I just checked the file path, and it works.
    regards
    rajesh

  • Does XI support FTP over SSL with Command AUTH TLS??

    Hi All,
    Can we change the command AUTH TLS to AUTH SSL in the Command Order of the receiver FTP adapter when you select FTPS (FTP using SSL/TLS) for Control and Data Connection?
    We are able to transfer business documents to the bank's FTP server (following RFC 2228 standards) using WS FTP Pro (which I think follows RFC 959 and 1123 standards), which uses AUTH SSL in the command order.
    We did go through SAP note 821267 (FAQ for XI 3.0 / PI 7.0 File Adapter); question number 33 addresses the "AUTH TLS" command. But we are not getting the same error. We get a different one, as in this forum thread:
    Re: Error: Message processing failed: FTPEx: PBSZ=0
    Can someone please confirm if this is an issue with the FTP RFC standards? Or can we customize the FTPS adapter to send the AUTH SSL command?
    Thank you,
    Indrasena Janga

    Dear Andy,
    I am also looking for the same information.
    Could you please share, if you have got anything related.
    Hi Experts,
    Please share your experience with us if you have any.
    Regards,
    Srinivas

  • [svn:osmf:] 14412: Added the Syndication. swc to the command line build config file for the AkamaiPluginSample project .

    Revision: 14412
    Author:   [email protected]
    Date:     2010-02-24 17:48:22 -0800 (Wed, 24 Feb 2010)
    Log Message:
    Added the Syndication.swc to the command line build config file for the AkamaiPluginSample project.
    Modified Paths:
        osmf/trunk/apps/samples/plugins/AkamaiPluginSample/AkamaiPluginSample-build-config.xml

    I think it is not supported through ant script and you may have to contact Oracle Support. Please go through below thread (hisaak's reply) -
    Re: Export OSB configuration jar file using Ant
    Regards,
    Anuj

  • Alternative to set  "java.security.auth.login.config" ?

    In all examples of using JAAS, it uses the following way:
    System.setProperty("java.security.auth.login.config", fileName)
    Is there a way I can specify the policies in code, not in a file? That way I don't have to worry about file permissions.
    p.s. Thanks to Seema-1 who answered my last question.
    Message was edited by:
    maqiang9111

    Has anyone done the same thing for the java.security.krb5.conf setting? I tried setting it using the same form of URL that I use for java.security.auth.login.config, and I get this error when the kerberos code attempts to use it:
    Could not load configuration file jar:file:\C:\dev\workspace\myapp\client-data.jar!\krb5.ini (The filename, directory name, or volume label syntax is incorrect)
    The corresponding login context conf file in the same jar loads fine.

  • AAA Authentication & Accounting using Tacacs+ Commands order

    In the Cisco Remote Access Companion Guide book, page 394, we have these configuration lines:
    RTA(config)#tacacs-server host 192.168.0.11
    RTA(config)#tacacs-server host 192.168.0.12
    RTA(config)#tacacs-server key topsecret
    RTA(config)#aaa new-model
    RTA(config)#aaa authentication login default group tacacs+
    If I want to add to the configuration above the command below:
    RTA(config)#aaa accounting connection default start-stop tacacs+
    Is it necessary for the above lines to be in a specific order when I configure RTA ?

    The first TACACS server listed will be the first TACACS server queried. I would make my primary ACS the first listed. Everything else looks good.

  • TACACs+ commands not dropping me into enable mode

    Hi All,
    I've just configured the following on a router running IOS 15. All my other devices are running the old TACACS commands, but I thought I'd try the new CLI version.
    It works, e.g. I get prompted for username/password and it authenticates against our AD server (integrated with ACS 4.2). I get into the router, but into user mode.
    My other devices drop me straight into priv mode. The only difference is the new commands vs. the old commands, but I can't see anything that is different in relation to putting me into priv mode.
    Any ideas?
    aaa group server tacacs+ ABC_ACS
    server name ABC_TAC
    tacacs server ABC_TAC
    address ipv4 172.27.10.10
    key secretkey
    aaa authentication login ACS_List group ABC_ACS line
    aaa authorization exec ACS_List group ABC_ACS if-authenticated
    aaa accounting exec ACS_List start-stop group ABC_ACS
    aaa accounting commands 15 ACS_List start-stop group ABC_ACS
    line vty 0 4
    password test
    authorization exec ACS_List
    accounting commands 15 ACS_List
    accounting exec ACS_List
    login authentication ACS_List
    length 0
    transport input ssh
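The router configurations posted on this page (the abbreviated ACS 4.2 one in the "ACS Quirk" thread, Calin's ACS 5.1 one, and the IOS 15 one just above) differ in details that decide whether configuration-mode commands actually reach the TACACS+ server and whether a method list lets an authenticated user bypass it. The following Python lint is an added example written for this page, not a Cisco or ACS tool; it expands the abbreviated IOS keywords (`author`, `authentic`, `account`) that the ACS 4.2 poster typed, and reports the checks a reviewer would otherwise make by hand. The finding texts and severities are this example's own choices. The two embedded configurations are quoted (trimmed) from the threads above; the hardened variant is constructed.

```python
"""Lint a Cisco IOS AAA configuration for TACACS+ command-authorization gaps.

Added example for this page, not a Cisco tool. It flags the conditions a
reviewer would check by hand: AAA not enabled, config-mode commands explicitly
exempted from authorization, no privilege-15 command authorization, method
lists that bypass the server (if-authenticated / none), and missing
command accounting. Severities and wording are this example's own.
"""

AAA_KEYWORDS = ("authentication", "authorization", "accounting")
BYPASS_METHODS = ("if-authenticated", "none")

# Quoted (trimmed) from the ACS 4.2 thread, abbreviated keywords as the poster typed them.
ACS42_POSTED = """\
aaa new-model
aaa authentic login default group tacacs+ local
aaa authentic login no-tacacs none
aaa authentic enable default group tacacs+ enable
aaa author config-commands
aaa author exec default if-authenticated
aaa author commands 1 default if-authenticated
aaa author commands 15 default group tacacs+ local
aaa author console
aaa account exec default start-stop group tacacs+
aaa account commands 15 default start-stop group tacacs+
aaa session-id common
"""

# Quoted from the ACS 5.1 thread.
ACS51_POSTED = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
"""

# Constructed: the ACS 5.1 config plus privilege-15 command accounting.
HARDENED = ACS51_POSTED + "aaa accounting commands 15 default start-stop group tacacs+\n"


def expand(token):
    """Expand an unambiguous IOS keyword prefix ('author' -> 'authorization')."""
    hits = [k for k in AAA_KEYWORDS if k.startswith(token)]
    return hits[0] if len(hits) == 1 else token


def parse_aaa(config_text):
    """Return 'aaa ...' and 'no aaa ...' lines as normalized token lists; other lines are ignored."""
    lines = []
    for raw in config_text.splitlines():
        tokens = raw.strip().split()
        if len(tokens) >= 2 and tokens[0] == "aaa":
            tokens[1] = expand(tokens[1])
            lines.append(tokens)
        elif len(tokens) >= 3 and tokens[:2] == ["no", "aaa"]:
            tokens[2] = expand(tokens[2])
            lines.append(tokens)
    return lines


def lint_aaa(config_text):
    """Return findings as (severity, message) tuples, in check order."""
    lines = parse_aaa(config_text)
    findings = []

    def has(*prefix):
        return any(t[: len(prefix)] == list(prefix) for t in lines)

    if not has("aaa", "new-model"):
        findings.append(("HIGH", "aaa new-model missing: AAA method lists are not in effect"))
    if has("no", "aaa", "authorization", "config-commands"):
        findings.append(("HIGH", "config-mode commands exempted from authorization "
                                 "(no aaa authorization config-commands)"))
    elif not has("aaa", "authorization", "config-commands"):
        findings.append(("INFO", "aaa authorization config-commands not stated explicitly"))
    if not has("aaa", "authorization", "commands", "15"):
        findings.append(("HIGH", "no authorization method list for privilege-15 commands"))
    for t in lines:
        if t[0] == "aaa" and t[1] in ("authentication", "authorization"):
            weak = [m for m in t[2:] if m in BYPASS_METHODS]
            if weak:
                findings.append(("MEDIUM", f"'{' '.join(t)}': method {weak[0]} "
                                           "succeeds without consulting the TACACS+ server"))
    if not has("aaa", "accounting", "commands", "15"):
        findings.append(("MEDIUM", "no accounting for privilege-15 commands: changes leave no audit trail"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("ACS 4.2 post", ACS42_POSTED), ("ACS 5.1 post", ACS51_POSTED), ("hardened", HARDENED)):
        print(f"== {name}: {len(lint_aaa(cfg))} finding(s)")
        for sev, msg in lint_aaa(cfg):
            print(f"  [{sev}] {msg}")
```

Run against the ACS 4.2 post the lint reports the three lists that never ask the server (`login no-tacacs none`, `exec default if-authenticated`, `commands 1 default if-authenticated`); against Calin's ACS 5.1 post it reports only the missing command accounting, which is consistent with his observation that the problem lies on the ACS side rather than in the router's method lists. The IOS 15 configuration above, pasted into `lint_aaa`, would be flagged for its `if-authenticated` exec fallback and for having no privilege-15 command authorization at all.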

    Make sure you defined the username with a static privilege level of 15; otherwise it will not be able to pass the enable authentication.
    If ACS 5.x or higher, go to the policy elements: Shell Profile and make sure you have one assigned for a static maximum privilege of 15 and, most important, that it is applied in an access-policy rule.

  • CSU Rev 2.3.6(2) - deny key commands in IOS config mode

    I want to deny certain commands to certain users in a group. I have defined the following on the ACS.
    service = shell {
    default cmd=permit
    default attribute=permit
    cmd=configure {
    deny="no ip routing"
    deny="no router isis"
    permit=""
    }
    }
    This logic does not work.
    1. Does CSU support command authorization within config mode?
    2. Any tips?
    Thanx,
    Kenny

    You are not alone with issues related to the e1000e (but all they concluded was that reloading the module makes it work again):
    https://bbs.archlinux.org/viewtopic.php?id=145564
    It seems like this is more your issue:
    http://permalink.gmane.org/gmane.linux. … devel/8932
    But if none of those boot flags work for you, then there's not much you can do, and you'll have to write a script to reload the module each time after initial boot finishes I guess until the module gets fixed.
    Also, power management of the PCIe interface causes the e1000e to shut off after a while as well (lots of people on CentOS noticing this):
    http://serverfault.com/questions/226319 … ie-aspm-do
    So you can use that boot parameter to stop that from happening, if that becomes an issue for you as well.

  • How can I install Snow Leopard on my Mac G5 using a command line and booting from an external USB ROM, since the disk I have is not bootable media

    How can I install Snow Leopard on my Mac G5 using a command line and booting from an external USB ROM, since the disk I have is not bootable media?

    Hi.
    You simply can't. Snow Leopard is compiled in Intel binary only.
    Good Luck.

  • How do I access my installer disc on a 2011 MacBook Pro, as they are virtual now? I have tried to use Command-R and hold Shift on start-up

    I have a 2011 MacBook Pro with OS X Lion. Last year it died by not getting past the logo and startup gear. I tried doing the data screen repair where you type some code and try to repair; that didn't work, so I took it to the Genius Bar. It wasn't in warranty and they were going to charge me, but as it was only 3 weeks over the warranty period they did it for free, and the hard drive they installed had a 90 day warranty and that is over now. My Mac has now done the same thing again, and this time I think there was a power interruption at some point and now it has a fault. Another thing that crossed my mind is that, yes, this has done this, but could they have (to save money and not write off a new one) given me my same hard drive back and just wiped it, and now 5 months down the track it's broken again?
    The laptop isn't even 18 months old and has broken down twice; my old MacBook had 4 or 5 years without a hiccup.
    In conclusion, I need to get photos off it and can't seem to activate safe mode, nor do I know how to access the startup disk that the guy did at Genius last time, or get to the data screen that allowed me to attempt to repair the drive. Can someone help me please? I have tried Command-R and holding Shift; neither has worked.

    It's hard to know whether your hard drive has actually failed or if your system has just gotten badly corrupt. If the former, unfortunately, there may be no way to get any data off the drive at this point. If there aren't any backups of that data, it will be gone forever, unless perhaps a high-priced (i.e., in the thousand-dollar range) data recovery service has some luck with it.
    If the system and/or hard drive are badly corrupt, the same may be true. Some or all of that data may be irrevocably corrupt by now. However, there are some ways that you can attempt to recover from this situation without paying such huge fees. First, if you have access to another Mac, and both have Firewire ports, you can connect the two using Firewire target disk mode. This will mount the damaged drive as if it were an external hard drive on the second Mac, and could allow you to copy some data from the drive.
    Another possibility would be to buy an external hard drive, install Mac OS X on it and boot the machine from that, then copy any data from there that you can.
    In both of these cases, it may be helpful to scan the damaged drive for recoverable files using something like Data Rescue.
    There are also some possible ways to repair the drive if you can't do either of those things, but any repairs at this point could potentially destroy data. I only recommend this as a last resort. Still, if all other options have failed, try repairing the drive using DiskWarrior. This can fix problems that Disk Utility (and fsck, the command-line tool that it sounds like you may have used) cannot. It is possible that DiskWarrior will be able to get the drive back in working order long enough to get the data recovered, though of course it's also possible the process will be destructive.
    If none of the above work, you'll have to seek professional help.

  • How to transfer all my data and config from 4 to 4S

    Hello,
    Is there a "step by step" doc on how to transfer all my data and config
    from one iPhone 4 to a 4S without using Outlook (e.g. for contacts) etc.?
    I don't get the iTunes method, sync direction etc.
    All my iPhone 4 put into my new iPhone 4S with one click!
    Maybe there's an app for that :-).
    Thanks for the Help.

    iOS: Transferring information from your current iPhone, iPad, or iPod touch to a new device
