Shell Command Authorization

admin_2
Level 3

Recently, a couple of our help desk people were asking for access to some of our branch network equipment so that they can look at interface counters, etc. for troubleshooting without escalating to the engineers. I agreed that it would be okay to give access to commands such as, “show ip interface brief”, “show interface”, and “clear counters”. I want to deny commands such as “show running-config” and “configure”.

I have set up shell command authorization in every possible way (user level, group level, creating shell command authorization sets, per NDG etc.) and I cannot get them to work. I have read through many docs on Cisco's website and I'm still unable to get this to work. I suspect there may be some AAA settings on the devices that may be overriding the ACS settings, but I'm not sure. I'm relatively new at configuring ACS and I've run out of ideas. Any suggestions?

7 Replies

Leo Laohoo
Hall of Fame

Something simpler.

Configuring Security with Passwords, Privilege Levels, and Login Usernames for CLI Sessions on Networking Devices

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_sec_4cli_ps6017_TSD_Products_Configuration_Guide_Chapter.html#wp1170533

nsn-amagruder
Level 5

Look at the authentication/authorization logs in the ACS and it will give you a better idea of what the issue is. You are definitely on the right track. Per Group Level is the best idea. Not sure if you are mapping back to an AD Group or using separate IDs on the ACS.

The other option is to give them access to a network management system that will show them the current status of the device, errors in the last 5 minutes through the last x days, months, years, events, SNMP traps etc.

SolarWinds is a good product for this.

Let us know what the ACS logs show, what shell commands you have set, NDG, Shared Resources and group settings you have set.

Aaron Magruder

NonStop Networks, LLC

http://www.nonstopnetworks.net

The TACACS+ Accounting log shows me the date & time my test account authenticated, what group it belongs to, from what IP, the session starting & stopping, & the elapsed time. The TACACS+ Administration log shows what commands were issued. What other logs do you suggest I look at?

They do have access to SolarWinds for monitoring and this does provide a wealth of information.

I am going to start from scratch - new router with a blank config, new ACS group and test user.

Thanks for your help!

I'm not sure if the login or the commands were failing at the network device. If it fails, then check the failed attempts log. This log usually points directly to the issue.

Thanks! The problem is I am unable to restrict specific commands using the shell command authorization. The test account can authenticate, enter privileged mode and run all commands. No matter how I set up shell command authorization, I cannot get it to deny any commands.

Gotcha... Under the Group, what shell privilege level is checked or entered under the shell section? I believe you can also set the shell command sets in this section. Set the privilege level to 1. I don't have access to one at the moment, but I believe there is a drop-down menu and a place to check a box for privilege level and type 1.

In the passed authentication log, are the users getting mapped to the group you are setting the rights on?

Try setting the command authorization to none just to verify that the group can no longer do anything.

To prevent the application of any shell command-authorization set, select (or accept the default of) the None option.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/g.html#wp480029

command sets

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SPC.html#wp697557

privilege is 1

I've checked the authentication logs, and my test user is getting mapped to the correct group.

I changed the shell command authorization to "none" and it still allowed me to issue commands. There has to be something else that is overriding this. I just can't find it yet.
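Added example, not posted by anyone in this thread: the IOS-side AAA lines a device needs before it will send command authorization requests to ACS at all. Without the `aaa authorization commands` lines, IOS never asks the server, so any shell command authorization set (or "None") on ACS has no effect; the server address and key are placeholders.

```cisco
! --- Incomplete config (the symptom in this thread): only login and
! --- exec are sent to TACACS+, so every command is permitted locally.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
tacacs-server host 192.0.2.10 key PLACEHOLDER_SHARED_KEY
!
! --- Corrected config: ask ACS to authorize each command at
! --- privilege 1 and 15, and account for what was issued.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! include configuration-mode commands (on by default, shown for clarity)
aaa authorization config-commands
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.0.2.10 key PLACEHOLDER_SHARED_KEY
!
! vty lines must also reference the method list (default applies
! automatically unless a named list was used)
line vty 0 4
 authorization commands 1 default
 authorization commands 15 default
 authorization exec default
 login authentication default
!
! Verify the lines are present before testing again from ACS:
! show running-config | include aaa
```

Keep a local fallback user and a console session open while testing, since a working command authorization now denies anything the ACS set does not permit.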
