cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1487
Views
5
Helpful
12
Replies

Using ACS to deny show tech-support

junpati
Level 1
Level 1

I am trying to deny the show tech-support command using Cisco Secure ACS command authorization sets (picture included). All other deny commands are working (is show running-config) but no matter what I do the show tech is un-successful. Any ideas?

1 Accepted Solution

Accepted Solutions

Do you have these authorization commands configured?

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ local

aaa authorization commands 0 default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

tacacs-server host 10.1.1.1 key cisco123

Debug aaa author should display:

AAA/AUTHOR/CMD: tty2 (2846421758) user='switchuser'

AAA/AUTHOR/CMD (2846421758): send AV service=shell

AAA/AUTHOR/CMD (2846421758): send AV cmd=show

AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=tech-support

AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=

AAA/AUTHOR/CMD (2846421758): found list "default"

AAA/AUTHOR/CMD (2846421758): Method=tacacs+ (tacacs+)

AAA/AUTHOR/TAC+: (2846421758): user=switchuser

AAA/AUTHOR/TAC+: (2846421758): send AV service=shell

AAA/AUTHOR/TAC+: (2846421758): send AV cmd=show

AAA/AUTHOR/TAC+: (2846421758): send AV cmd-arg=tech-support

AAA/AUTHOR/TAC+: (2846421758): send AV cmd-arg=

TAC+: Using default tacacs server-group "tacacs+" list.

TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5

TAC+: Opened TCP/IP handle 0x2E8FEA4 to 10.1.1.1/49

TAC+: 10.1.1.1 (2846421758) AUTHOR/START queued

TAC+: (2846421758) AUTHOR/START processed

TAC+: (-1448545538): received author response status = FAIL

Make sure to modify the original ACS Shell Command Authorization...

deny tech-support instead of deny tech.

View solution in original post

12 Replies 12

Ivan Martinon
Level 7
Level 7

Does it fail too if you complete the argument?

command=show

argument=tech-support

Jagdeep Gambhir
Level 10
Level 10

Do you see any hits on acs failed attempts when show tech command fails?

Also check debug aaa authorization output and see if the device is sending show tech to ACS for authorization. It could be due to bug where in some commands are not sent to tacacs server for authorization check.

Regards,

~JG

Do rate helpful posts

JG,

No hits on the failed attempts.

There is no output from the debug when issuing the show tech. However check out the attached xls which shows the actual commands that are being sent after issuing the show tech.

If I issue those commands separately (see attached notepad) they are in fact denied.

So this looks like a bug.

Regards

Do you have these authorization commands configured?

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ local

aaa authorization commands 0 default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

tacacs-server host 10.1.1.1 key cisco123

Debug aaa author should display:

AAA/AUTHOR/CMD: tty2 (2846421758) user='switchuser'

AAA/AUTHOR/CMD (2846421758): send AV service=shell

AAA/AUTHOR/CMD (2846421758): send AV cmd=show

AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=tech-support

AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=

AAA/AUTHOR/CMD (2846421758): found list "default"

AAA/AUTHOR/CMD (2846421758): Method=tacacs+ (tacacs+)

AAA/AUTHOR/TAC+: (2846421758): user=switchuser

AAA/AUTHOR/TAC+: (2846421758): send AV service=shell

AAA/AUTHOR/TAC+: (2846421758): send AV cmd=show

AAA/AUTHOR/TAC+: (2846421758): send AV cmd-arg=tech-support

AAA/AUTHOR/TAC+: (2846421758): send AV cmd-arg=

TAC+: Using default tacacs server-group "tacacs+" list.

TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5

TAC+: Opened TCP/IP handle 0x2E8FEA4 to 10.1.1.1/49

TAC+: 10.1.1.1 (2846421758) AUTHOR/START queued

TAC+: (2846421758) AUTHOR/START processed

TAC+: (-1448545538): received author response status = FAIL

Make sure to modify the original ACS Shell Command Authorization...

deny tech-support instead of deny tech.

BINGO!!! That was it. Thanks ansalaza.

I had the following commands:

aaa authorization exec default group TACACS_ADMIN local if-authenticated

aaa authorization commands 15 default group TACACS_ADMIN if-authenticated

but not

aaa authorization commands 0 default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

Can you elaborate a little more on what those commands do and also what do I need the if-authenticated keyword, I still am not quite sure what exactly that does or if it is needed.

Thanks again.

If you use 'if-authenticated' any authentication method (line, local, etc.) will allow for successful authorization. However, if the TACACS+ server goes down during a session, all author will fail until a new authen occurs (log out and log back in). This allows for an extra security measure so that a user with low privileges cannot suddenly run any command if the AAA server goes down. They must have access to the backup authen method.

Regards,

~JG

So are you saying that the if-authenticated keyword essentially bypasses command authorization and as long as a user is able to authenticate they can use all commands?

No, it provides extra security measure so that a user with low privileges cannot suddenly run any command if the AAA server goes down.

jg -

I am testing and I think you have it wrong. What I find is that if the TACACS server becomes unavailable an authenticated user has access to any commands. See for yourself.

02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): Port='tty1' list='' service=CMD

02:16:01: AAA/AUTHOR/CMD: tty1 (3085690506) user='temp'

02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV service=shell

02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV cmd=show

02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV cmd-arg=running-config

02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV cmd-arg=

02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): found list "default"

02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): Method=TACACS_ADMIN (tacacs+)

02:16:01: AAA/AUTHOR/TAC+: (3085690506): user=temp

02:16:01: AAA/AUTHOR/TAC+: (3085690506): send AV service=shell

02:16:01: AAA/AUTHOR/TAC+: (3085690506): send AV cmd=show

02:16:01: AAA/AUTHOR/TAC+: (3085690506): send AV cmd-arg=running-config

02:16:01: AAA/AUTHOR/TAC+: (3085690506): send AV cmd-arg=

02:16:11: AAA/AUTHOR (3085690506): Post authorization status = ERROR

02:16:11: tty1 AAA/AUTHOR/CMD (3085690506): Method=IF_AUTHEN

02:16:11: AAA/AUTHOR (3085690506): Post authorization status = PASS_ADD

Yes, you are correct. I messed up here. If we use "if-authenticated" the user would be allowed to access the requested function provided the user has been authenticated successfully.

Sorry for the confusion here and thanks for correcting me.

Regards,

~JG

There are three default command levels in IOS: 0, 1, and 15.

I beleive that "show tech-support" is not a level 15 command.

Check this Document ID: 13860 for a better explanation.

Hope this helps...

So it seems that the device is not sending show tech command to ACS for authorization check.

Show tech is not listed in tacacs admin logs and nor in debugs aaa authorization.

Most likely a bug in IOS.

Regards,

~JG

Do rate helpful posts

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: