09-02-2009 01:07 PM - edited 03-10-2019 04:40 PM
Recently, a couple of our help desk people were asking for access to some of our branch network equipment so that they can look at interface counters, etc. for troubleshooting without escalating to the engineers. I agreed that it would be okay to give access to commands such as "show ip interface brief", "show interface", and "clear counters". I want to deny commands such as "show running-config" and "configure".
I have set up shell command authorization in every possible way (user level, group level, creating shell command authorization sets, per NDG etc.) and I cannot get them to work. I have read through many docs on Cisco's website and I'm still unable to get this to work. I suspect there may be some AAA settings on the devices that may be overriding the ACS settings, but I'm not sure. I'm relatively new at configuring ACS and I've run out of ideas. Any suggestions?
09-02-2009 03:13 PM
Something simpler.
Configuring Security with Passwords, Privilege Levels, and Login Usernames for CLI Sessions on Networking Devices
09-02-2009 06:29 PM
Look at the authentication/authorization logs in the ACS and it will give you a better idea of what the issue is. You are definitely on the right track. Per Group Level is the best idea. Not sure if you are mapping back to an AD Group or using separate IDs on the ACS.
The other option is to give them access to a network management system that will show them the current status of the device, errors in the last 5 minutes through the last x days, months, years, events, SNMP traps, etc.
SolarWinds is a good product for this.
Let us know what the ACS logs show, what shell commands you have set, NDG, Shared Resources and group settings you have set.
Aaron Magruder
NonStop Networks, LLC
09-03-2009 04:26 AM
The TACACS+ Accounting log shows me the date & time my test account authenticated, what group it belongs to, from what IP, the session starting & stopping, & the elapsed time. The TACACS+ Administration log shows what commands were issued. What other logs do you suggest I look at?
They do have access to SolarWinds for monitoring and this does provide a wealth of information.
I am going to start from scratch - new router with a blank config, new ACS group and test user.
Thanks for your help!
09-03-2009 04:37 AM
I'm not sure if the login or commands were failing at the network device. If it fails, then check the failed attempts log. This log usually points directly to the issue.
09-03-2009 05:12 AM
Thanks! The problem is I am unable to restrict specific commands using the shell command authorization. The test account can authenticate, enter privileged mode and run all commands. No matter how I set up shell command authorization, I cannot get it to deny any commands.
09-03-2009 05:43 AM
Gotcha... Under the Group, what shell privilege level is checked or entered under the shell section? I believe you can also set the shell command sets in this section. Set the privilege level to 1. I don't have access to one at the moment, but I believe there is a drop-down menu and a place to check a box for privilege level and type 1.
In the passed authentication log, are the users getting mapped to the group you are setting the rights on?
Try setting the command authorization to none just to verify that the group can no longer do anything.
To prevent the application of any shell command-authorization set, select (or accept the default of) the None option.
command sets
09-03-2009 12:01 PM
privilege is 1
I've checked the authentication logs, and my test user is getting mapped to the correct group.
I changed the shell command authorization to "none" and it still allowed me to issue commands. There has to be something else that is overriding this. I just can't find it yet.
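The original poster's suspicion that device-side AAA settings are the missing piece is a common cause of exactly this symptom: ACS only evaluates a shell command authorization set when the IOS device actually sends each command to the TACACS+ server, which it does only for privilege levels that have an `aaa authorization commands <level> ...` line. The following is an added example, not code from the thread or from Cisco: a small Python audit that compares two constructed IOS config excerpts (a device that authenticates against TACACS+ but never requests command authorization, beside a hardened one that does for levels 1 and 15) and reports why command sets would be ignored. The IP address, the key placeholder and the config excerpts are all constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not from the thread): the router authenticates users and
# records accounting via TACACS+, but never asks the server to *authorize*
# individual commands, so any ACS command set is silently irrelevant.
WEAK_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.0.2.10 key PLACEHOLDER-SHARED-SECRET
line vty 0 4
 login authentication default
"""

# Same device with per-command authorization for the privilege levels the
# help-desk users can reach (1 after login, 15 after enable). Config-mode
# commands are authorized by default once command authorization exists; the
# explicit line below just makes that intent visible in the config.
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.0.2.10 key PLACEHOLDER-SHARED-SECRET
line vty 0 4
 login authentication default
"""

# "aaa authorization commands <level> <list-name> <method> [method ...]"
CMD_AUTHZ = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$", re.M)


def command_authz_levels(config: str) -> Dict[int, Tuple[str, str]]:
    """Map each privilege level that has an 'aaa authorization commands' line
    to (method-list name, method string)."""
    return {int(m.group(1)): (m.group(2), m.group(3)) for m in CMD_AUTHZ.finditer(config)}


def audit_command_authorization(config: str, required_levels=(1, 15)) -> List[str]:
    """Return human-readable findings explaining why the TACACS+ server's
    command sets would never be consulted for the given privilege levels."""
    findings: List[str] = []
    if not re.search(r"^aaa new-model$", config, re.M):
        findings.append("aaa new-model missing: AAA is not enabled on this device")
    levels = command_authz_levels(config)
    for level in required_levels:
        if level not in levels:
            findings.append(
                f"no 'aaa authorization commands {level}' line: level-{level} commands "
                "run without asking the TACACS+ server"
            )
            continue
        list_name, methods = levels[level]
        # The first method decides who is asked first; 'local' or 'none' ahead
        # of 'group tacacs+' means the server's command set is bypassed.
        if not methods.startswith("group "):
            findings.append(
                f"commands {level}: first method is '{methods.split()[0]}', "
                "so the TACACS+ server is not consulted first"
            )
        # A named (non-default) list only takes effect once it is applied
        # under the lines with 'authorization commands <level> <list-name>'.
        if list_name != "default" and not re.search(
            rf"^ authorization commands {level} {re.escape(list_name)}$", config, re.M
        ):
            findings.append(
                f"commands {level}: named list '{list_name}' is not applied under any line"
            )
    if re.search(r"^no aaa authorization config-commands$", config, re.M):
        findings.append("config-mode commands are explicitly exempt from authorization")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in audit_command_authorization(cfg) or ["no findings"]:
            print("  -", finding)
```

Run against the weak excerpt the audit reports that neither level 1 nor level 15 is sent to the server, which matches the thread's symptom: the test user authenticates, enables, and runs everything, and changing the ACS command set (even to "none") changes nothing because the device never asks. One further caveat worth checking on a real device: commands typed on the console port are not authorized at all unless `aaa authorization console` is configured, so always test from a vty session.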