Using ACS for command authorization

Similar Messages

• ACS - Shell Command Authorization Sets

  Hi,
  I have had a problem where a set of users in two groups in ACS are struggling entering commands.  The commands are set in the Shell Command Authorization Sets and this hasnt changed.  Other commands are working.  As this is spanning two groups in ACS I am thinking it's not something with the groups but the command sets itself.
  Just to check, the commands are 'clear port-security' and clear mac address-table' - I have entered in Command 'clear' and the following attributes;
  permit port-security
  permit mac address-table'
  I've also ticked 'Permit unmatched args'
  At the same time as this is occuring I have been recieving the following messages from the ACS server via email;
  Test Timed out for service: CSAdmin
  Test Timed out for service: CSAuth
  Test Timed out for service: CSDbSync
  Test Timed out for service: CSLog
  I have looked at other posts and have restarted CSMon.  This then stops the messages for some time, then a day or so later I get the messages again.
  Could this be tied in with the command issue?  Is there something else I should look at other than restarting the server and the CSMon service again?  All other CS' services are running.
  Thanks!!
  Steve

  Thanks for your reply!
  there are no errors, the switch ios is putting the asterics as it does when you enter a command that is not recognised, i.e. for clear port-security the port-security onwards is not recognised.  On this note, the user is entered into priviledge mode and not in configure terminal mode, just base priviledge mode.  The group in ACS is set to max priviledge level 7 and have also set this on the user account in addition.
  I am using ACS v 4.1.
  While I receive the service messages and also when they go away - I always have the authorisation problem.
  Thanks
  Steve

• ACS shell command authorization help

  Hello,
  I wanted to only allow users to use interface command. But when I permit config terminal in ACS shell command set, all the commands are allowed. How can I limited the users to only have the permission for interfacce command?
  Thanks

  Two things could be wrong
  1) You don't have the following command on your AAA Client:
  aaa authorization config-commands
  2) You have clicked the 'Unmatched Commands' = Permit radio option in ACS, have a look at:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  Regards
  Farrukh

• ACS Shell Command Authorizations Set

  I have Cisco ACS Server V4.0
  In the shell Command Authorization Set I configure a restrict Access.
  In the privilege mode the restriction of the commands works good, but when I enter in the config prompt the restriction don't works. In this promt I can enter all commands.
  Why This?

  I have the same error with ACS Server 4.2. I can restrict in privilege mode but global config is wide open. Also any command i block in privilege mode can still be executed in global config using the "do" command. How do i block that, or find out what commands the router is sending to the ACS.

• ACS Shell Command Authorization Set + restricted Access

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  Hi  ,
  I have tried to Create a restricted Access  Shell Command Authorization Set on  ACS as told on the Cisco Url
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  After I applied the same on a User  Group I found the users on the group have complete access after typing the conf  t  on the equipments . My ultimate aim was restrict the access only at Interface level , Attached is the config details . Could anyone has come across such scenario . Please check my config and   let me know any thing need to be done specially from My Side
  Thanks in Advance
  Regards
  Vineeth

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  Hi Jatin ,
  first of all Thank you very much . It startted working after aaa authorization config-commands
  here I was trying to achive one  specfic  thing .
  I want to stop  the following commands  on ACS “switchport trunk allowed vlan 103” . I only want allow “add”  after “vlan” and block rest all arguments
  But even after setting the filter on ACS Still we are able to execute the command is there anything like we cannot control the commands after the sub commands
  Also I am attaching the filter list along with this. Could you have look on this and let me know whether I have configured something wrongly. Other than this is there any work around is available to achieve this .
  Thanks and Regards
  Vineeth

• Using ACS for Cisco Prime authentication

  I'd like to use our Tacacs server running ACS to be the authentication method for user accounts in Prime, but don't even know where to start with this..
  Any pointers?

  The configuration on the Prime Infrastructure side is minimal:  define the authentication server Prime is to use and select a mode for Prime Infrastructure to use with it.
  Administration > AAA > TACACS+ Servers > add tacacs server.
  Administration > AAA > AAA Mode Settings > tacacs+ and enable fallback to local.
  The bulk of the configuration is on the authentication server side, particularly indefining groups, services and authorization tasks.  This is covered in the "Performing Administrative Tasks" chapter of the Prime Infrastructure Configuration Guide, starting with the topic "Configuring ACS 5.x"
  http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1595935
  "Configuring ACS 4.x"
  http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1625896
  https://supportforums.cisco.com/docs/DOC-17909
  In case it doesn't work, please get the logs from the ACS reports and monirtoring for tacacs authentication and error message while accessing cisco prime.
  Jatin Katyal
  - Do rate helpful posts -

• ACS Shell Command Authorization Sets on IOS and ASA/PIX Configuration

  Hi,
  I need to activate a control privileges of users on various devices.
  I found this interesting document:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  and using a router with IOS 124-11.XV1 work normally while using a switch 2960-24TC with IOS 12.2.25SEE3 not working.
  All users (read and full access) access on a not priviledge mode.
  WHY?
  I have a ACS v3.3 build 2
  I have a 2960-24TC with IOS 12.2.25SEE3
  I tried with a acs v4.1 without success.
  Thanks.

  If you want user to fall directly in enable mode,then you should have this command,
  aaa authorization exec default group tacacs+ if-authenticated
  Bring users/groups in at level 15
  1. Go to user or group setup in ACS
  2. Drop down to "TACACS+ Settings"
  3. Place a check in "Shell (Exec)"
  4. Place a check in "Privilege level" and enter "15" in the adjacent field
  Regards,
  ~JG

• ACS - Shell Command Authorization Set

  Hi
  i am trying to set specific SHOW arguments for a user ,  but the user always gain access to all show arguments , please find below
  privilege exec level 5 show ip route
  aaa authorization commands 5 TELNET group tacacs+
  aaa authorization exec TELNET group tacacs+
  aaa authentication login TAC group tacacs+
  tacacs-server host 10.0.0.100 key ccie-acs
  radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key CISCO
  line vty 0 4
    password cisco
    authorization commands 5 TELNET
    authorization exec TELNET
    login authentication TAC

  By default, there are three command levels on the router:
      privilege level 0 — Includes the disable, enable, exit, help, and logout commands.
      privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
      privilege level 15 — Includes all enable-level commands at the router# prompt.
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
  for example show run, this command is privilege 15 command. Previously, the authorization command for 15 level was not configured on the IOS so your command set was not matching and user was able to run all the commands. Since we have configured 0,1,15 so this would now cover most of the commands.
  Hope this helps.
  Regards,
  Jatin
  Do rate helpful posts-

• Using ACS for change control

  I'd like to set up ACS server (integrated with Windows Active Directory) for router and switch so that all network administrator could use their active directory account to access network devices… and all activities will be logged on to ACS server. Currently we are sharing local administrative(on router and switch) account and I don’t have the visibility of who is doing what. The idea is to have more tight change control.
  I'd like to have security group set up in Active Directory and have all the network admins within, and have them to use their network account to log into routers and switches. Is this possible?

  Thank you, in that case I have some more questions(if you don't mind) to ask about your instruction.
  1. I only have RADIUS server(ACS 3.3). Do I need to purchase additional TACACS+ to accomplish this? or you just want me to add additional TACACS+/RADIUS attributes enabled per user?
  2. Is it possible to map 'Security Group' object instead of individual user?
  3. Please send me a sample CLI configuration for router(or switch).
  Thank you very much for your help.

• Using ACS for VLAN assignment

  Hi Guys, I have been looking at the use of Cisco ACS server for VLAN assignment. So far I have searched through a number of threads and no found what I am looking for specifically so here it goes.
  1) When the RADIUS attributes have been configured in ACS (64, 65 + 81), and in my case I have them in the group configuration. For the VLANs to be assigned to the various users at their ports will every VLAN name in the RADIUS settings have to in the switches which are used for access?
  2) Is there a limit to the number of VLANs that can be assigned by the RADIUS(IETF) portion of ACS or would it be better to use RADIUS(IOS/PIX)? I am thinking of about 15 VLANS.
  I am using a Catalyst 4500 (IOS supervisor) and 2950s and 2970s at the closets.
  Thanks for any help...
  Kelvin

  Access Control Lists..I am thinking it is better to apply the ACLs at the closet (access) switches where I can specify the servers that should be reached by the hosts my test VLAN and deny those which they should not.
  I used a named extended ACL for my tests however, it did not go well. With the ACL below applied I cannot reach anything including the server I actually want to reach. My intention was to allow the hosts in the test VLAN 172.16.12.0/24 to reach 2 particular servers and their gateway however with the list applied I cannot reach anything at all. The setup is one 2950 connected to a 4507 the 2 VLANs I am working with are trunked to the 2950 and dhcp is running. I have IP routing enable on the 4507 and it is the server for the VTP domain.
  ip access-list extended guest
  permit ip 172.16.12.0 255.255.255.0 host 172.16.12.1
  permit ip 172.16.12.0 255.255.255.0 host 172.16.2.254
  permit udp 172.16.12.0 255.255.255.0 host 172.16.2.245 eq 53
  deny ip any any
  Any advice on how I can restrict the hosts which will be on this VLAN from accessing the rest of the network?

• FWSM: AAA authentication using TACACS and local authorization

  Hi All,
  In our setup, we are are having FWSMs running version 3.2.22 and users are authenticating using TACACS (running cisco ACS). We would like to give restricted access ( some show commands ) to couple of users to all devices. We do not want to use TACACS for command authorization.
  We have created users on TACACS and  not allowed "enable" access to them. I have also given those show commands locally on the firewall with privilege level 1. and enabled aaa authorization LOCAL
  Now , those users can successfully login to devices and execute those show commands from priv level 1 except "sh access-list".  I have specifically mentioned this
  "privilege show level 1 mode exec command access-list"  in the config.
  Is there anything i am missing or is there any other way of doing it?
  Thanks.

  You cannot do what you are trying to do. For (default login you need to use the first policy matched.
  you can diversify telnet/ssh with http by  creating different aaa groups.
  But still you will be loging in for telnet users (all of them) using one method.
  I hope it is clear.
  PK

• Command Authorization Config best practice using ACS

  Hi
  Is there any best practices for configuring Command authorization (for router/switch/asa) in CS-ACS? To be specific, is there any best practices to configure authorization for a set of commands allowed for L1,L2,L3 support levels?
  Regards
  V Vinodh.

  Vinodh,
  The main thing here is to ensure that we have backup/fall-back method configured for command authorization, inorder to avoid lockout situation or do wr mem once you are sure configs are working fine.
  Please check this link,
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  Regards,
  ~JG
  Do rate helpful posts

• Asa cmd authorization using acs

  Hi all, i was trying to authorize the asa with acs 3.2 on priv lvl 7 using tacacs+,but the users were geting priv-lvl 15 only..
  aaa-server aaa_serv protocol tacacs+
  aaa-server aaa_serv host 10.0.0.10
  key cisco123
  aaa authentication serial console tac_serv
  aaa authentication telnet console tac_serv
  aaa authentication enable console tac_serv
  aaa authorization command tac_serv
  i had brought some commands also in priv 7 using privilege commandm but the problem is that when i try to login i am geting priv-lvl 15 only not 7.i had set in acs also in tacacs+ seting to assign priv lvl=7 only to the users .. but dnt knw why it is nt wrking ..

  ASA does not have any authorization exec command so Priv Level does not work with ASA.
  Max privilege(enable attrib. in ACS)works with ASA.
  But if you implementing command authorization with ASA no need to configure max priv levels, let them all fall on priv level 15 and control access through command authorization.
  2 main commands required for command authorization are
  aaa authentication enable console tac_serv (this is because we do not have authorization exec in ASA so enable authentication is required for command auth to work)
  aaa authorization command tac_serv

• Command authorization for ASA

  Hi all
     I have configured ASA firewall for command authorization with ACS.For users with privilege level 15 it is working fine.But when i login with users with privilege level 0, first when i enter the username and password ,it enters into enable mode.But after that when i put the enable password ,it is not working.password is not working.I configured to use the same PAP password option in the ACS enable section for the user.Also is it possible in ASA is it possible when user enters username and password,he could directly log into the exec mode rather than enable mode and assign privilege for the user as configured in the ACS user configuration.
  Thanks in advance
  Anvar

  Hi Dan
    I have alredy configured enable password using tacacs+.Please find my aaa config on ASA
  aaa authentication telnet console TACACS-SERVER LOCAL
  aaa authentication http console TACACS-SERVER LOCAL
  aaa authentication ssh console TACACS-SERVER LOCAL
  aaa authentication enable console TACACS-SERVER LOCAL
  aaa authentication serial console LOCAL
  aaa authorization command TACACS-SERVER LOCAL
  aaa accounting telnet console TACACS-SERVER
  aaa accounting command TACACS-SERVER
  aaa accounting ssh console TACACS-SERVER
  regards
  anvar

• Command Authorization on ACS

  Hi Guys,
  its like I want to have only single user ID (Could be AD account or ACS local account) & want this user account should have level 1 access on some switches,routers & have rights to run specific commands on Core devices,firewall & should have level 15 on access devices.
  So I want to use only one user account & want to have different level of Access & specific command authorization through ACS.
  please help me on this.
  Thanks

  Hi ,
  The trick here is to give Priv 15 access to the user is question and then deploy command authorization , so that user can only execute some specific commands.
  http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/spc.htm#wp697557
  Pix command,
  username Test password cisco
  username Test privilege 15
  aaa-server TACACS protocol tacacs+
  aaa-server TACACS (outside) host 10.130.102.191 cisco timeout 10
  aaa authentication http console TACACS LOCAL
  aaa authentication ssh console TACACS LOCAL
  aaa authentication telnet console TACACS LOCAL
  aaa authentication enable console TACACS LOCAL
  aaa authorization command TACACS LOCAL <--------- NEEDED FOR COMMAND AUTHORIZATION ON PIX
  Regards,
  ~JG
  Please rate if that helps !