Using ACS to deny show tech-support

Answered Question

I am trying to deny the show tech-support command using Cisco Secure ACS command authorization sets (picture included). All other deny commands are working (i.e. show running-config) but no matter what I do the show tech is unsuccessful. Any ideas?

Ivan Martinon Mon, 04/13/2009 - 14:54

Does it fail too if you complete the argument?

command=show
argument=tech-support

Jagdeep Gambhir Tue, 04/14/2009 - 05:37

Do you see any hits on acs failed attempts when show tech command fails?

Also check debug aaa authorization output and see if the device is sending show tech to ACS for authorization. It could be due to a bug wherein some commands are not sent to the tacacs server for authorization check.

Regards,

~JG

Do rate helpful posts

JG,

No hits on the failed attempts.

There is no output from the debug when issuing the show tech. However check out the attached xls which shows the actual commands that are being sent after issuing the show tech.

If I issue those commands separately (see attached notepad) they are in fact denied.

So this looks like a bug.

Regards

Correct Answer
ansalaza Tue, 04/14/2009 - 12:15

Do you have these authorization commands configured?

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
tacacs-server host 10.1.1.1 key cisco123

Debug aaa author should display:

AAA/AUTHOR/CMD: tty2 (2846421758) user='switchuser'
AAA/AUTHOR/CMD (2846421758): send AV service=shell
AAA/AUTHOR/CMD (2846421758): send AV cmd=show
AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=tech-support
AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=
AAA/AUTHOR/CMD (2846421758): found list "default"
AAA/AUTHOR/CMD (2846421758): Method=tacacs+ (tacacs+)
AAA/AUTHOR/TAC+: (2846421758): user=switchuser
AAA/AUTHOR/TAC+: (2846421758): send AV service=shell
AAA/AUTHOR/TAC+: (2846421758): send AV cmd=show
AAA/AUTHOR/TAC+: (2846421758): send AV cmd-arg=tech-support
AAA/AUTHOR/TAC+: (2846421758): send AV cmd-arg=
TAC+: Using default tacacs server-group "tacacs+" list.
TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
TAC+: Opened TCP/IP handle 0x2E8FEA4 to 10.1.1.1/49
TAC+: 10.1.1.1 (2846421758) AUTHOR/START queued
TAC+: (2846421758) AUTHOR/START processed
TAC+: (-1448545538): received author response status = FAIL

Make sure to modify the original ACS Shell Command Authorization...

deny tech-support instead of deny tech.

BINGO!!! That was it. Thanks ansalaza.

I had the following commands:

aaa authorization exec default group TACACS_ADMIN local if-authenticated
aaa authorization commands 15 default group TACACS_ADMIN if-authenticated

but not

aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local

Can you elaborate a little more on what those commands do and also why I need the if-authenticated keyword? I still am not quite sure what exactly that does or if it is needed.

Thanks again.

Jagdeep Gambhir Tue, 04/14/2009 - 13:26

If you use 'if-authenticated' any authentication method (line, local, etc.) will allow for successful authorization. However, if the TACACS+ server goes down during a session, all author will fail until a new authen occurs (log out and log back in). This allows for an extra security measure so that a user with low privileges cannot suddenly run any command if the AAA server goes down. They must have access to the backup authen method.

Regards,

~JG

Jagdeep Gambhir Tue, 04/14/2009 - 13:57

No, it provides an extra security measure so that a user with low privileges cannot suddenly run any command if the AAA server goes down.

jg -

I am testing and I think you have it wrong. What I find is that if the TACACS server becomes unavailable an authenticated user has access to any commands. See for yourself.

02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): Port='tty1' list='' service=CMD
02:16:01: AAA/AUTHOR/CMD: tty1 (3085690506) user='temp'
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV service=shell
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV cmd=show
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV cmd-arg=running-config
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV cmd-arg=
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): found list "default"
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): Method=TACACS_ADMIN (tacacs+)
02:16:01: AAA/AUTHOR/TAC+: (3085690506): user=temp
02:16:01: AAA/AUTHOR/TAC+: (3085690506): send AV service=shell
02:16:01: AAA/AUTHOR/TAC+: (3085690506): send AV cmd=show
02:16:01: AAA/AUTHOR/TAC+: (3085690506): send AV cmd-arg=running-config
02:16:01: AAA/AUTHOR/TAC+: (3085690506): send AV cmd-arg=
02:16:11: AAA/AUTHOR (3085690506): Post authorization status = ERROR
02:16:11: tty1 AAA/AUTHOR/CMD (3085690506): Method=IF_AUTHEN
02:16:11: AAA/AUTHOR (3085690506): Post authorization status = PASS_ADD
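An added example (not from any poster in this thread) that reduces a "debug aaa authorization" transcript to a single decision record, so that the two outcomes discussed above can be told apart automatically: a TACACS+ FAIL (the command was judged by ACS and denied) versus a PASS_ADD reached through the IF_AUTHEN method after a TACACS+ ERROR (the server never judged the command and the device fell back to if-authenticated). The sample transcripts are constructed, modelled on the debug lines quoted in this thread.

```python
import re

# Constructed samples, shortened from the debug output quoted in the thread.
DEBUG_DENIED = """\
AAA/AUTHOR/CMD: tty2 (2846421758) user='switchuser'
AAA/AUTHOR/CMD (2846421758): send AV service=shell
AAA/AUTHOR/CMD (2846421758): send AV cmd=show
AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=tech-support
AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=
AAA/AUTHOR/CMD (2846421758): Method=tacacs+ (tacacs+)
AAA/AUTHOR/TAC+: (2846421758): send AV cmd=show
TAC+: (-1448545538): received author response status = FAIL
"""

DEBUG_FALLBACK = """\
02:16:01: AAA/AUTHOR/CMD: tty1 (3085690506) user='temp'
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV cmd=show
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV cmd-arg=running-config
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV cmd-arg=
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): Method=TACACS_ADMIN (tacacs+)
02:16:11: AAA/AUTHOR (3085690506): Post authorization status = ERROR
02:16:11: tty1 AAA/AUTHOR/CMD (3085690506): Method=IF_AUTHEN
02:16:11: AAA/AUTHOR (3085690506): Post authorization status = PASS_ADD
"""

USER_RE = re.compile(r"AAA/AUTHOR/CMD: \S+ \((\d+)\) user='([^']*)'")
# Only the AAA/AUTHOR/CMD copy of the AV pairs is read; the AAA/AUTHOR/TAC+
# lines repeat the same pairs and would otherwise double the command text.
AV_RE = re.compile(r"AAA/AUTHOR/CMD \(\d+\): send AV (cmd|cmd-arg)=(.*)$")
METHOD_RE = re.compile(r"Method=(\S+)")
STATUS_RE = re.compile(r"status = (\w+)")

def parse_author_debug(text):
    """Return user, reassembled command, method chain and final status."""
    rec = {"user": None, "command": [], "methods": [], "statuses": []}
    for line in text.splitlines():
        if m := USER_RE.search(line):
            rec["user"] = m.group(2)
        elif m := AV_RE.search(line):
            if m.group(2):              # skip the empty terminating cmd-arg=
                rec["command"].append(m.group(2))
        elif m := METHOD_RE.search(line):
            rec["methods"].append(m.group(1))
        elif m := STATUS_RE.search(line):
            rec["statuses"].append(m.group(1))
    rec["command"] = " ".join(rec["command"])
    rec["final"] = rec["statuses"][-1] if rec["statuses"] else None
    # A pass granted by IF_AUTHEN after an ERROR means the TACACS+ server was
    # unreachable and never evaluated this command: flag it for review.
    rec["fallback"] = ("IF_AUTHEN" in rec["methods"]
                       and "ERROR" in rec["statuses"]
                       and rec["final"] == "PASS_ADD")
    return rec
```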

Jagdeep Gambhir Wed, 04/15/2009 - 12:29

Yes, you are correct. I messed up here. If we use "if-authenticated" the user would be allowed to access the requested function provided the user has been authenticated successfully.

Sorry for the confusion here and thanks for correcting me.

Regards,

~JG

ansalaza Wed, 04/15/2009 - 05:25

There are three default command levels in IOS: 0, 1, and 15.

I believe that "show tech-support" is not a level 15 command.

Check this Document ID: 13860 for a better explanation.

Hope this helps...

Jagdeep Gambhir Tue, 04/14/2009 - 13:14

So it seems that the device is not sending show tech command to ACS for authorization check.

Show tech is not listed in the tacacs admin logs nor in debug aaa authorization.

Most likely a bug in IOS.

Regards,

~JG

Do rate helpful posts
