AAA Authorization with ACS Shell-Sets

ianflgcsb
Level 1

Hi all,

I am using a cisco 871 router running Version 12.4(11)T advanced IP Services.

I am having trouble getting AAA Authorization to work correctly with ACS.

I am able to set the users up on ACS fine and assign them shell and priv level 7.

I then setup a Shell Auth Set, and enter in the commands show and configure.

When I log in as a user, I get an exec with a priv level of 7 no problems, but I never seem to be able to access global config mode by typing in conf (or configure) terminal or t.

If I type con? the only command there is connect, configure is never an option...

The only way I can get this to work is by entering the command:

privilege exec level 7 configure terminal

I thought the whole purpose of the ACS Shell Set was to provide this information to the Router?

This is most frustrating

The ACS Server is set up with a Shell Command Authorization Set named Level_7

It is assigned to the relevant groups and I even have the "Unmatched Commands" option selected to "Permit"

The "Permit Unmatched Args" is also selected.

See an excerpt of my IOS config below:

aaa new-model
!
!
aaa group server tacacs+ ACS
 server 10.90.0.11
!
aaa authentication login default group ACS local
aaa authorization exec default group ACS
aaa authorization commands 7 default group ACS local
!
tacacs-server host 10.90.0.11 key cisco
!
!
privilege exec level 7 configure terminal
privilege exec level 7 configure
privilege exec level 7 show running-config
privilege exec level 7 show
!

Hope you can help me with this one..

P.S. I have tried it with the privilege commands on the router and removed from the router and just keep getting the same results!?

Accepted Solution

Premdeep Banga
Level 7

Hi,

So here it is,

You are actually using two different options and trying to couple them together. What I would suggest is to either use the Shell command authorization set feature or play with privilege levels. Not both mixed together.

The above scenario might work if you move the commands to privilege level 6 and give the user privilege level 7. It might not; I am not sure. Give it a try and share the result.

This is what I suggest: put the commands back to the normal level.

Below provided are steps to configure shell command authorization:

-------------------------------------------
Follow the following steps over the router:
-------------------------------------------

!--- <username> is the desired username
!--- <password> is the desired password
!--- we create a local username and password
!--- in case we are not able to get authenticated via
!--- our tacacs+ server. To provide a back door.
username <username> password <password> privilege 15

!--- To apply aaa model over the router
aaa new-model

!--- Following command is to specify our ACS
!--- server location, where <ip-address> is the
!--- ip-address of the ACS server. And <key>
!--- is the key that should be same over the ACS and the router.
tacacs-server host <ip-address> key <key>

!--- To get users authentication via ACS, when they try to log-in
!--- If our router is unable to contact to ACS, then we will use
!--- our local username & password that we created above. This
!--- prevents us from locking out.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

!--- Following commands are for accounting the user's activity,
!--- when user is logged into the device.
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

--------------------

Configuration on ACS

--------------------

[1] Go to 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'

Provide any name for the set.

Provide a sufficient description (if required).

(a) For Full Access administrative set.

In Unmatched Commands, select 'Permit'

(b) For Limited Access set.

In Unmatched commands, select 'Deny'.

And in the box above the 'Add Command' box type in the main command, and in the box below 'Permit unmatched Args' provide the sub command to allow.

For example: If we want the user to be only able to access the following commands:

login

logout

exit

enable

disable

show

Then the configuration should be:

-----------------------------------------------
Command        Permit unmatched Args
-----------------------------------------------
login          permit
logout         permit
exit           permit
enable         permit
disable        permit
configure      permit terminal
interface      permit ethernet
               permit 0
show           permit running-config
-----------------------------------------------

In the above example, the user will be allowed to run only the above commands. If the user tries to execute 'interface ethernet 1', the user will get 'Command authorization failed'.

[2] Press 'Submit'.

[3] Go to the group to which we want to apply this command authorization set. Select 'Edit Settings'.

(cont...)



Premdeep Banga
Level 7

(cont...)

[4] From 'Jump To' menu, select 'TACACS+'.

[5] Mark a check over 'Shell(exec)' & 'Privilege level' with privilege level value equal to '15'.

[6] In 'Shell Command Authorization Set', check 'Assign a Shell Command Authorization Set for any network device' and from drop down menu select the authorization set to be applied to the group.

[7] Press 'Submit + Restart'.

###############################

Adding the TACACS+ AAA Client :

###############################

[Step 1] Select Network Configuration.

Note: If you are using Network Device Groups (NDGs), you must also click the name of the NDG that you want to add the AAA client entry to.

[Step 2] Under the AAA Clients table, select Add Entry.

The Add AAA Client page appears.

[Step 3] Configure the boxes, list, and check boxes on the Add AAA Client page as follows:

- AAA Client Hostname: Type the hostname plus the AAA protocol, router01-tacacs.
- AAA Client IP Address: The IP address of the interface of the router from which CiscoSecure ACS will receive RADIUS requests.
- Key: The same key specified on the router for the TACACS+ server.
- Authenticate Using: Select TACACS+ (Cisco IOS).

[Step 4] Select "Submit + Restart".

To see how exactly the commands are seen by ACS, as we have turned on command accounting, we can go to:

Reports and Activity > TACACS Administration and TACACS Accounting

And you'll be able to see exactly how the commands are being seen by ACS, and accordingly we can configure the Shell command authorization set.

Try this and let me know.

Regards,

Prem
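An added check, not from this thread or from Cisco, for the lockout concern raised in the router steps above: it scans an IOS config excerpt modelled on the one in the question for AAA method lists that point at the server group without a local fallback, for aaa new-model with no privilege-15 local user, and for privilege-level relocation mixed with command authorization. SAMPLE_CONFIG is constructed and audit_aaa is a hypothetical helper.

```python
import re

# Constructed IOS excerpt modelled on the configuration in the question above
# (not a copy of the poster's running-config).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ ACS
 server 10.90.0.11
aaa authentication login default group ACS local
aaa authorization exec default group ACS
aaa authorization commands 7 default group ACS local
tacacs-server host 10.90.0.11 key cisco
privilege exec level 7 configure terminal
"""
# aaa <authentication|authorization> <service> [<level>] <list-name> <methods...>
AAA_LIST = re.compile(r"^aaa (authentication|authorization) (\S+)(?: (\d+))? (\S+) (.+)$")

def audit_aaa(config_text):
    """Return findings for the AAA lines of an IOS config: method lists that use
    the server group without a 'local' fallback (the lockout concern above),
    'aaa new-model' with no privilege-15 local user, and 'privilege exec level'
    relocation mixed with per-level command authorization."""
    findings = []
    has_new_model = has_local_admin = has_cmd_authz = has_priv_reloc = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "aaa new-model":
            has_new_model = True
        elif line.startswith("username ") and " privilege 15" in line:
            has_local_admin = True
        elif line.startswith("privilege "):
            has_priv_reloc = True
        m = AAA_LIST.match(line)
        if not m:
            continue
        kind, service, level, list_name, methods = m.groups()
        method_words = methods.split()
        if service == "commands":
            has_cmd_authz = True
        if "group" in method_words and "local" not in method_words:
            where = f"{kind} {service}" + (f" {level}" if level else "")
            findings.append(f"{where} list '{list_name}' has no 'local' fallback: "
                            "lockout risk if the ACS server is unreachable")
    if has_new_model and not has_local_admin:
        findings.append("aaa new-model without a privilege-15 local username: "
                        "no fallback account if TACACS+ fails")
    if has_cmd_authz and has_priv_reloc:
        findings.append("'privilege exec level' relocation mixed with per-level "
                        "command authorization; use one scheme, as advised above")
    return findings

if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print("-", finding)
```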

Hi Prem,

Thanks a lot for your reply.

I have tried my config originally also without the local command statements.

However, I will try again with the above information you posted; if I don't get to do it today I will try in the morning and get back to you with results.

Thanks again,

Ian.

Hi Prem,

We have tried that setup on the ACS 4.x now. Still giving problems though!

We reverted the router config back to normal priv levels and started with a blank config and entered in what you recommended.

Logging into the router via ACS with priv 15 set as an unrestricted Command Shell set works fine; however, we could always get this to work fine. It's when we start restricting access that we have problems.

I setup the router exactly as you said and set the ACS up with the following shell to provide a restricted priv 15 login:

Unmatched Commands Marked as Deny

1st Command Box

===============

configure

disable

enable

exit

interface

login

logout

show

2nd Command Box

===============

permit terminal

permit vlan1 (also tried permit vlan permit 1)

permit running-config

permit ip route

permit ip interface brief

When we log in under this setting the access levels are restricted, but they do not behave as expected. For example, in the above setup I can log on to the Router, enter show ip route and it will work fine. I can then enter a different show command and I will get - again, which is fine, that's what we would expect to happen. Now when I enter config mode, this works fine also; however, "disable" doesn't seem to be recognized as a command and neither does "exit". If I enter in the ? at the configure prompt I see a list of commands which are available to me and "exit" is in that list, but the router returns an error message of .

If I look at the ACS TACACS+ Admin, I can see all the commands which I could successfully enter, but exit or disable is not shown there at all?

While in config mode if I enter in:

"interface vlan1" I also get .

We can get these setups to work perfectly on the local routers and switches, but we wanted the ACS to do it for the entire setup to save having to enter the privilege commands on all systems. But the ACS 4.x seems to be behaving strange with the Shell sets??

If you have any other ideas on this issue, we would be very grateful.

Thanks,

Ian.

Hi,

Actually ACS is not behaving strangely; we need to understand how ACS parses commands.

The commands that you are not able to enter will show up in Failed Attempts.

And do this,

exit--------permit <cr>

disable-----permit <cr>

<cr> indicates the return key.

For interface vlan1,

interface-----permit Vlan 1

Notice the upper case V, it's case sensitive.

Try this.

Another way to see how exactly ACS parses a command: with the account that has full privileges, type the command that you want to restrict and see it in the Tacacs Administration logs.

Regards,

Prem
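A toy model of how a restricted shell command authorization set like the one in this thread is evaluated, added here as an illustration (it is not ACS code): the case-sensitive exact match on the command word, the <cr> convention for a bare command and the two "unmatched" switches follow the behaviour described in the replies above, while the whole-argument-string comparison is an assumption of the model. The sets RESTRICTED and UNRESTRICTED are constructed.

```python
from dataclasses import dataclass, field

CR = "<cr>"  # ACS notation for a command entered with no arguments

@dataclass
class CommandRule:
    command: str                                   # command word, e.g. "interface"
    arg_lines: list = field(default_factory=list)  # e.g. ["permit Vlan 1"]
    permit_unmatched_args: bool = False            # the "Permit Unmatched Args" box

@dataclass
class ShellSet:
    name: str
    rules: dict                                    # command word -> CommandRule
    permit_unmatched_commands: bool = False        # "Unmatched Commands: Permit"

def authorize(shell_set, typed):
    """Return (allowed, reason) for a command line as ACS logs it, e.g.
    "interface Vlan 1" (IOS expands what the operator actually keyed in)."""
    words = typed.split()
    if not words:
        return False, "empty command"
    cmd, args = words[0], " ".join(words[1:]) or CR
    rule = shell_set.rules.get(cmd)        # exact, case-sensitive lookup
    if rule is None:
        if shell_set.permit_unmatched_commands:
            return True, f"'{cmd}' not in set; unmatched commands permitted"
        return False, f"'{cmd}' not in set; Command authorization failed"
    for line in rule.arg_lines:
        action, _, pattern = line.partition(" ")
        if pattern == args:                # assumption: whole argument string must match
            return action == "permit", f"'{cmd}' arguments matched '{line}'"
    if rule.permit_unmatched_args:
        return True, f"'{cmd}' arguments unmatched; Permit Unmatched Args set"
    return False, f"'{cmd} {args}' arguments unmatched; Command authorization failed"

# Constructed restricted set modelled on the one described in this thread.
RESTRICTED = ShellSet("Restricted_15", {
    "exit": CommandRule("exit", ["permit <cr>"]),
    "disable": CommandRule("disable", ["permit <cr>"]),
    "configure": CommandRule("configure", ["permit terminal"]),
    "interface": CommandRule("interface", ["permit Vlan 1"]),
    "show": CommandRule("show", ["permit running-config", "permit ip route",
                                 "permit ip interface brief"]),
})
# Full-access set: any command not listed is permitted.
UNRESTRICTED = ShellSet("Unrestricted_15", {}, permit_unmatched_commands=True)

if __name__ == "__main__":
    for cmd in ("show ip route", "show version", "interface vlan 1",
                "interface Vlan 1", "exit", "clear counters"):
        print(f"{cmd!r:20} -> {authorize(RESTRICTED, cmd)}")
```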

Hi Prem,

We seem to be getting somewhere with this now!

I did have the Capital letter in place for Vlan 1 but the command sequence I had in was like this:

interface-----permit Vlan1

The failed parse command showed "interface Vlan 1" so I changed the shell to:

interface-----permit Vlan 1

This command now works.

So where we are at now is that we have 2 shell sets on the ACS, one is for unrestricted usage, and the other is for restricted usage. Each Shell Set is assigned to a different Group and seems to be working fine.

However, there still seems to be an issue with getting the single word commands (e.g. exit, disable, etc.) to work.

If I put in the command:

exit-------permit

I get the following error when I press submit:

Argument Line for Command exit is not in the correct format :-

permit

The correct format is

However, If I enter the following command:

exit-----permit <cr>

The ACS accepts the command format when I press submit. When I log into the Router, the exit command now works fine along with all the other commands in the Shell.

Now here is where it starts getting strange and causes problems... If I edit the Shell again and add a new command in, as soon as I press submit I get the same error as before about the "exit" command being in the wrong format. As soon as I go to the exit command and go to the arguments box and add in a <cr>, then press submit, everything works fine again, including the new commands.

This causes great trouble when I try to enter a second single word command in such as "disable" because I have to use the exact same format i.e:

disable-----permit <cr>

But as soon as I submit this, it reports an error about the "exit" command's formatting; if I then fix the "exit" command's formatting it reports the error on the "disable" command's formatting and vice versa. This just keeps on happening until I end up deleting commands until I only have one single word command in there such as exit or disable (I don't seem to be able to have more than 1)?

Thanks for your help so far Prem, it's been very useful, hopefully we can get the last bit sorted now!

Best Regards,

Ian.

Hi Prem,

Just a little more info for you...

If I go back to edit the shell at any stage, I can get the exit and the disable command to work by selecting each of them individually, and then going to the arguments box of each command and entering a <cr> and a <cr> after the permit keyword.

Then when I press submit it accepts the 2 single word commands in the shell and it all works fine on the router.

Unfortunately this has to be done every time I go near the shell set??

So the single command formats are:

exit--------permit <cr> <cr>

disable-----permit <cr> <cr>

They will not work without the <cr> <cr>; a <cr> on its own still reports the error when I press submit!?

All other commands are fine.

Regards,

Ian.

Hi Ian,

Sorry, but I was not able to get the same results as you are. I created a Shell Command Authorization Set with the following,

disable----permit <cr>

enable-----permit <cr>

show-------permit running-config

interface--permit Vlan 1

And I added and deleted several commands but it never gave me that error. Maybe something is corrupt with the Shell Command Authorization Set you have created.

Try deleting it and creating a new one. But before deleting it remove it from the group that is using it.

And see the result. And what is the exact version of ACS you are using?

Regards,

Prem

Hi Prem,

I'm afraid I can't get it to work, but that's ok because I can live with the workaround for the time being. I see it works fine for you so that's ok. Our ACS Server is in a LAB at the moment and is a downloaded version running on a VMWare Server at present; it is currently

ACS Release 4.0(1) Build 27

We will be getting our full ACS Server software from our partner in a couple of weeks and that will be on a dedicated server not a VM environment, so I would be confident that it should work fine.

I just wasn't sure if it was something we were doing incorrectly that wouldn't let the commands work.

But thanks for all your help, it was much appreciated!

Best Regards,

Ian.

You're welcome Ian,

Also, ACS 4.0 is not tested on VMWare, that might be causing some issue. But yes 4.1 is tested on a VMWare platform.

Glad to help you on this.

Please mark this thread as resolved, so that others can benefit from it.

Thanks,

Prem

Are you kidding me, case sensitive. This solves my issue, thanks.
