Shell Command Authorization

Unanswered Question
Sep 2nd, 2009

Recently, a couple of our help desk people were asking for access to some of our branch network equipment so that they can look at interface counters, etc. for troubleshooting without escalating to the engineers. I agreed that it would be okay to give access to commands such as, “show ip interface brief”, “show interface”, and “clear counters”. I want to deny commands such as “show running-config” and “configure”.

I have setup shell command authorization in every possible way (user level, group level, creating shell command authorization sets, per NDG etc.) and I cannot get them to work. I have read through many docs on Cisco’s website and I’m still unable to get this to work. I suspect there may be some AAA settings on the devices that may be overriding the ACS settings, but I’m not sure. I’m relatively new at configuring ACS and I’ve run out of ideas. Any suggestions?

nsn-amagruder Wed, 09/02/2009 - 18:29

Look at the authentication/authorization logs in the ACS and it will give you a better idea of what the issue is. You are definitely on the right track. Per Group Level is the best idea. Not sure if you are mapping back to an AD Group or using separate IDs on the ACS.

The other option is to give them access to a network management system that will show them the current status of the device, errors in the last 5 minutes through the last x days, months, years, events, SNMP traps, etc.

Solarwinds is a good product for this.

Let us know what the ACS logs show, what shell commands you have set, NDG, Shared Resources and group settings you have set.

Aaron Magruder

NonStop Networks, LLC

http://www.nonstopnetworks.net

Anonymous (not verified) Thu, 09/03/2009 - 04:26

The TACACS+ Accounting log shows me the date and time my test account authenticated, what group it belongs to, from what IP, the session starting and stopping, and the elapsed time. The TACACS+ Administration log shows what commands were issued. What other logs do you suggest I look at?

They do have access to solarwinds for monitoring and this does provide a wealth of information.

I am going to start from scratch - new router with a blank config, new ACS group and test user.

Thanks for your help!

nsn-amagruder Thu, 09/03/2009 - 04:37

I'm not sure if the login or commands were failing at the network device. If it fails, then check the failed attempts log. This log usually points directly to the issue.

Anonymous (not verified) Thu, 09/03/2009 - 05:12

Thanks! The problem is I am unable to restrict specific commands using the shell command authorization. The test account can authenticate, enter privileged mode and run all commands. No matter how I setup shell command authorization, I cannot get it to deny any commands.

nsn-amagruder Thu, 09/03/2009 - 05:43

Gotcha... Under the Group, what shell privilege level is checked or entered under the shell section? I believe you can also set the shell command sets in this section. Set the privilege level to 1. I don't have access to one at the moment, but I believe there is a drop-down menu and a place to check a box for privilege level and type 1.

In the passed authentication log, are the users getting mapped to the group you are setting the rights on?

Try setting the command authorization to none just to verify that the group can no longer do anything.

To prevent the application of any shell command-authorization set, select (or accept the default of) the None option.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/g.html#wp480029

Command sets:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SPC.html#wp697557

Anonymous (not verified) Thu, 09/03/2009 - 12:01

privilege is 1

I've checked the authentication logs, and my test user is getting mapped to the correct group.

I changed the shell command authorization to "none" and it still allowed me to issue commands. There has to be something else that is overriding this. I just can't find it yet.
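The following is an added example, not posted by anyone in this thread, of the Cisco IOS AAA configuration a router needs before an ACS shell command authorization set can have any effect. The TACACS+ server address and shared secret are placeholders. The point it illustrates is the one the original poster suspects: a device only sends per-command authorization requests to the TACACS+ server when `aaa authorization commands <level>` is configured; otherwise any command set on the ACS group, including "None", is simply never consulted, and the user can run everything allowed at the privilege level the EXEC shell received.

```text
! Cisco IOS, constructed example. Server address and key are placeholders.
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key 0 REPLACE-WITH-SHARED-SECRET
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! EXEC authorization is what lets ACS hand back the shell privilege level
! (priv-lvl=1 for the help desk group).
aaa authorization exec default group tacacs+ local
!
! These two lines make the router ask ACS about every command typed at
! privilege 1 and privilege 15. Without them the ACS command set is never
! queried, which is the usual reason "deny" settings appear to be ignored.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Console sessions are exempt from command authorization unless this is set,
! so tests run from the console will never be refused.
aaa authorization console
!
! Accounting produces the per-command entries in the ACS Administration log.
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! To confirm the router is actually asking ACS, run these while the test
! user types a command:
!   debug aaa authorization
!   debug tacacs
! A request for "show ip interface brief" is sent as
!   service=shell cmd=show cmd-arg=ip cmd-arg=interface cmd-arg=brief cmd-arg=<cr>
! and ACS returns PASS or FAIL for that one command. If no such request
! appears in the debug output, the problem is on the device, not in ACS.
```

On the ACS side the matching command set then does the filtering: list `show` with permitted arguments `ip interface brief` and `interface`, list `clear` with permitted argument `counters`, leave "Permit Unmatched Args" unchecked and set unmatched commands to deny. `show running-config` is refused because `running-config` is not a permitted argument of `show`, and `configure` is refused because the command itself is not listed.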
