ACS command authorization problem!!!

rajeev.payal · ‎06-05-2008

I have a problem for command authorization in ACS 4.1.

I will explain you by an example:

I added a command in ACS as

interface

& in the arguement: deny gigabitethernet

rest of all commands i have permitted.

I am not able to execute the command interface gigabitethernet & i am able to execute all other commands.Ideally,it is correct!!!

but when i put the command:interface loopback ,it is also getting denied.How to go through it?

Kindly see the attachment for understanding!!!!

wasiimcisco · ‎06-05-2008

you need to click on the check box PERMIT UNMATCH command.

right now it is denying anything.

If helpful please rate

rajeev.payal · ‎06-11-2008

Dear Wasim,

Already checked!!!!

Problem still persists!!

michael.leblanc · ‎06-11-2008

You are mis-interpreting the user interface.

If you read the Help info related to Unmatched Commands, you will see that when the "Permit" radio button is selected, you are permitting commands that are NOT listed.

You are currently denying interface, show, write, and permitting all else.

This is why both "interface gigabitethernet" and "interface loopback" are not working, while most other commands are working.

Remove the contents of the subcommand list (right-hand list), select the "Deny" radio button, Submit your changes to the Command Authorization Set, and retest.

This will result in interface, show, and write being permitted.

After testing the interface command, refine your requirements by introducing sub-commands in the right-hand column for more granular control.

To fulfill your original objective, you will need to expand the list of commands you wish to be permitted.

michael.leblanc · ‎06-12-2008

The statement in my prior post - "Remove the contents of the subcommand list (right-hand list), select the "Deny" radio button, Submit your changes to the Command Authorization Set, and retest."

... should have included, selecting the Permit Unmatched Args checkbox.

In order to test the "show" command with the "interfaces" argument, you may need to add the enable command.

Consider the following example:

"Deny" radio button selected (i.e.: only listed commands will be authorized).

Command List:

disable

enable

show

"Show" command arguments set as follows:

(a) Deselect the "Permit Unmatched Args" checkbox.

(b) Enter the following argument into the list:

permit interfaces Loopback 0

This will result in the ability to show the Loopback 0 interface, but NOT the GigabitEthernet interface (per your indicated preference).

Notes:

Command arguments are case sensitive and may differ from how they are entered at the CLI.

A sniffer is helpful in determining proper case.

Wireshark is capable of decrypting TACACS+ packets if you configure the application with the password.

If you were to limit the "show" command argument to "permit interfaces", and then tried to use the "interfaces" command with the "deny GigabitEthernet X" argument, you would not see the results desired. The "show" command with its limited argument would authorize showing of the GigabitEthernet X interface despite configuration of the "interfaces" command.

I'm not a fan of this user interface.