As I see the "Command denied" in Failed Attempts report

Unanswered Question
Nov 13th, 2009

Hello.


In Failed Attempts report, under "Author-Failure-Code" I get "Command denied". Is there any way to record the commands that the user wanted to enter?


Thanks!

Jatin Katyal Fri, 11/13/2009 - 10:39
User Badges:
  • Cisco Employee,

Hi Kevin,


What command are you trying to execute?


Do you have accounting enabled on the devices? If yes, then look under the tacacs administration logs and copy the command that is not working.


Looks like the command you are trying to execute is not allowed under the command set.


Configuration example:

======================


http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml


HTH


JK


Plz rate helpful posts-

Kevin Morales Fri, 11/13/2009 - 12:27

Thanks for your reply. I have Shell Command Authorization Sets configured to only allow the commands: show, ping, traceroute.

When a user executes a command that is not permitted, the Failed Attempts report logs "Command denied". How can I know which command the user tried to run?

Jagdeep Gambhir Sat, 11/14/2009 - 07:34
User Badges:
  • Red, 2250 points or more

Kevin,

You should see something like this in the failed attempts:


Command denied service=shell cmd=interface FastEthernet 0 21


By this we can see that the argument that is being sent by the switch command parser is actually 'FastEthernet 0 21'


So the user tried to execute the command "interface FastEthernet 0\21".




Regards,

~JG


Do rate helpful post.
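
Added example (not part of the original thread, and not Cisco code): Python that parses Failed Attempts entries in the form shown in the reply above and tallies the denied command lines per user, also counting denials that carry no command detail. The (user, entry) pairs, the user names and the pairing layout are constructed for illustration and are not the ACS export format.

```python
from collections import Counter

PREFIX = "Command denied"

# Constructed sample rows (user, entry); not real ACS output.
SAMPLE_ROWS = [
    ("user1", "Command denied service=shell cmd=interface FastEthernet 0 21"),
    ("user1", "Command denied service=shell cmd=interface FastEthernet 0 21"),
    ("user2", "Command denied service=shell cmd=configure terminal"),
    ("user2", "Command denied"),          # denial logged without detail
    ("user2", "Authentication failed"),   # not a command denial
]

def parse_denied(entry):
    """Return (service, command, args) for a 'Command denied' entry.

    Returns None when the entry is not a command denial, and
    (None, None, []) when the denial has no service=/cmd= detail.
    """
    entry = entry.strip()
    if not entry.startswith(PREFIX):
        return None
    detail = entry[len(PREFIX):].strip()
    # Everything after "cmd=" is the command word followed by its arguments.
    head, sep, cmd_part = detail.partition("cmd=")
    service = None
    for token in head.split():
        if token.startswith("service="):
            service = token[len("service="):]
    command, args = None, []
    if sep and cmd_part.split():
        words = cmd_part.split()
        command, args = words[0], words[1:]
    return service, command, args

def summarize(rows):
    """Count denied command lines per user and denials lacking detail."""
    denied, missing_detail = Counter(), 0
    for user, entry in rows:
        parsed = parse_denied(entry)
        if parsed is None:
            continue
        _, command, args = parsed
        if command is None:
            missing_detail += 1
            continue
        denied[(user, " ".join([command] + args))] += 1
    return denied, missing_detail

if __name__ == "__main__":
    print(summarize(SAMPLE_ROWS))
```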

Kevin Morales Sat, 11/14/2009 - 08:39

Thanks for responding.


The Failed Attempts report does not show me the command denied. Configuration attached.


I am using CiscoSecure ACS Release 4.2(0) Build 124 Patch 13


***Tacacs+ Configuration

aaa new-model
aaa authentication attempts login 1
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
tacacs-server directed-request
tacacs-server key Presharedciscoxx
tacacs-server host 192.168.1.10
ip tacacs source-interface Loopback0
aaa authorization commands 15 default group tacacs+ if-authenticated



Kevin Morales Mon, 11/16/2009 - 07:01

Greetings.

I had an error in the configuration of the report: I had not enabled the option Author-Date. Thanks for your help!
