As I see the "Command denied" in Failed Attempts report

Unanswered Question
Nov 13th, 2009

Hello.

In Failed Attempts report, under "Author-Failure-Code" I get "Command denied". Is there any way to record the commands that the user wanted to enter?

Thanks!

Jatin Katyal Fri, 11/13/2009 - 10:39

Hi Kevin,

What command are you trying to execute?

Do you have accounting enabled on the devices? If yes, then look under the tacacs administration logs and copy the command that is not working.

Looks like the command you are trying to execute is not allowed under the command set.

Configuration example:

======================

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

HTH

JK

Please rate helpful posts.

Kevin Morales Fri, 11/13/2009 - 12:27

Thanks for your reply. I have Shell Command Authorization Sets configured to only allow the commands: show, ping, traceroute.

When a user executes a command that is not allowed, a "Command denied" log entry is generated in the Failed Attempts report. How can I know which command the user tried to run?

Jagdeep Gambhir Sat, 11/14/2009 - 07:34

Kevin,

You should see something like this in the failed attempts:

Command denied service=shell cmd=interface FastEthernet 0 21

By this we can see that the argument that is being sent by the switch command parser is actually 'FastEthernet 0 21'

So the user tried to execute the command "interface FastEthernet 0\21".

Regards,

~JG

Do rate helpful post.

Kevin Morales Sat, 11/14/2009 - 08:39

Thanks for responding.

The failed attempts report does not show me the command denied. Configuration attached.

I am using CiscoSecure ACS Release 4.2(0) Build 124 Patch 13

***Tacacs+ Configuration

aaa new-model
aaa authentication attempts login 1
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
tacacs-server directed-request
tacacs-server key Presharedciscoxx
tacacs-server host 192.168.1.10
ip tacacs source-interface Loopback0
aaa authorization commands 15 default group tacacs+ if-authenticated

Kevin Morales Mon, 11/16/2009 - 07:01

Greetings.

I had an error in the configuration of the report: I had not enabled the option Author-Date. Thanks for your help!
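
For anyone auditing these entries in bulk, here is an added example (not code from the posters or from Cisco) that recovers the denied command from text shaped like the line quoted earlier in the thread and counts denials per user. The (user, entry) row shape, the user names and the `cmd-arg=` variant (the TACACS+ attribute form of command arguments) are assumptions for illustration.

```python
import re
from collections import Counter

# TACACS+ authorization attributes of interest. "cmd-arg" is listed before
# "cmd" so the longer name wins; (?:^|\s) avoids splitting inside a word.
AV_PAIR = re.compile(r"(?:^|\s)(service|cmd-arg|cmd)=")
PREFIX = "Command denied"

def parse_denied(entry):
    """Return None for other failure types, else {'service', 'command'}.
    'command' is None when the entry carries no request attributes."""
    entry = entry.strip()
    if not entry.startswith(PREFIX):
        return None
    parts = AV_PAIR.split(entry[len(PREFIX):])
    # parts alternates: leading text, name, value, name, value, ...
    pairs = list(zip(parts[1::2], (v.strip() for v in parts[2::2])))
    service = next((v for k, v in pairs if k == "service"), None)
    # cmd and cmd-arg values, in order, form the command; "<cr>" marks its end
    words = [v for k, v in pairs if k != "service" and v and v != "<cr>"]
    return {"service": service, "command": " ".join(words) or None}

def denied_by_user(rows):
    """Count (user, command) pairs over an iterable of (user, entry) rows."""
    counts = Counter()
    for user, entry in rows:
        hit = parse_denied(entry)
        if hit is not None:
            counts[(user, hit["command"] or "<not recorded>")] += 1
    return counts

# Constructed sample rows: the first entry is the line quoted in the thread,
# the rest are made up. The bare "Command denied" row models a report that
# does not include the request attributes.
SAMPLE_ROWS = [
    ("user1", "Command denied service=shell cmd=interface FastEthernet 0 21"),
    ("user1", "Command denied service=shell cmd=interface FastEthernet 0 21"),
    ("user2", "Command denied service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>"),
    ("user2", "Command denied"),
    ("user3", "Authen failed"),
]

if __name__ == "__main__":
    for (user, cmd), n in denied_by_user(SAMPLE_ROWS).most_common():
        print(f"{n:3d}  {user:8s} {cmd}")
```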
