Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2317
Views
0
Helpful
5
Replies

Authorization fail while using ACS with 5.0 software version

nagabhushana.k
Level 1
Level 1

‎11-26-2009 10:39 AM - edited ‎03-10-2019 04:49 PM

Hi All,

I am working on Cisco Secure ACS 1120 appliance running with 5.0 software version. I have encountered problems during "Authorization" process.

I have one Cisco 3560 switch which will be administered by different employees. My intention is to grant them access using different privilege levels, as I don't want them to get same privileges.

Hence I have created 2 users (for example: one user as “admin” and another as “executive”) in local database of ACS and provided them with different privilege levels using shell profiles.

The user "admin" is provided with privilege level 15 and user "executive" is provided with privilege level 8.

As I know, in any privilege level that is less than 15, we got to configure the commands that a user can execute in that particular privilege level. So, in ACS I have used the following path to grant user "executive" some commands which are not available by default.

The path followed to provide command authorization is: Policy elements > Authorization and Permissions > Device administration > Command sets.

First, I have created one command set by name TEST with "Grant-->Permit", then under "Command-->show" and under "Attributes-->running-configuration".

In Access Policies > Access Services > Default Device admin > Authorization > Customize. Here conditions to be met are

  • Identity      group
  • Device      type
  • Time      & Date

Additionally, shell profile and Command sets are also included as conditions to be met.

Configuration of Switch for AAA is as follows:

aaa new-model

aaa authentication login default group tacacs+ local 

aaa authentication enable default group tacacs+ enable

aaa authorization config-commands

aaa authorization exec default group tacacs+ local

tacacs-server host 192.168.1.2

tacacs-server key cisco

After doing all these, I have tried to login into switch using telnet and succeeded in authentication. Initially I was prompted for “Username” and then “Password”. After successful authentication, prompt changes to “Switch>”. Here I have issued a command “enable 8”, then provided enable password when prompted. After which prompt changes to Privilege EXEC mode (Switch#). In this mode, if I issue command “show run”, an error message “Command authorization failed” comes up.

If I use context based help as “show r?” it shows all other commands beginning with letter “r” except “running-configuration”.

Am I missing out something in the configuration? Please help me out in resolving this issue.

Thank you,

Bhushan

Labels:
0 Helpful
5 Replies 5

dcmgash
Cisco Employee
Cisco Employee

‎11-30-2009 11:01 AM

Hi Bhushan,

Do you see the command authorisation request in the ACS logs? That would determine whether the device was actually sending the command query to ACS, and if so, it should provide the first indication as to why the command authorisation failed.

0 Helpful

nagabhushana.k
Level 1
Level 1
In response to dcmgash

‎11-30-2009 08:40 PM

Hi Douglas,

Thank you for your reply. I really appreciate your patience as the post from me was quite lengthy.

I have missed out to post on the part of monitoring in ACS 5.0. After attempting to login to privilege level level less than 15, I have checked the logs in ACS, which provides an information as "The TACACS+ user requested a higher privilege lelvel than maximum privilege level configured in shell profile".

But, I have cross checked that the user is not requesting for higher privilege level than that is set.

For example, in shell profile, I have given the maximum privilege level that a user can access as 7 and I have logged into privilege level 7 using appropriate credentials and tried to enter the commands that are not allowed in that particular privilege level by default, but that are set using Command sets option in Policy Elements > Authorization and permissions > Device administration >command sets.

But, stilll not able to understand what am I missing out.

Regards,

Bhushan

0 Helpful

vigyu1975
Level 1
Level 1
In response to nagabhushana.k

‎12-01-2009 06:19 AM

Hi nagabhushana.k!

I have a similar problem. In my current settings I can login to my switch and jump to enable 15. I have 2 user with different command sets on this 15 priv level.The first user has full access to all commands and the second user has only "sh*" commands. I tried to use different priv level but I could't set this scenario. Can you share me how did you set this different ena level in your network device and ACS 5.0?

My ACS settings are the following:

Users and Identity Stores >  Identity Groups

     Groups:ro_grps - read only groups

     Groups:rw_grps - read write groups

Users and Identity Stores >  Internal Identity Stores >  Users

     admin.ro - read only user

     admin.rw - read write user

Policy Elements >  Authorization and Permissions  >  Device Administration >  Command Sets

     rw.command - grant -> permit * - read write rights

     ro.command - granr -> permit sh* - read rights

Access Policies >  Access Services >  Default Device Admin >  Authorization

     Rule-1, Groups:ro_grps; NDG:all devices, Command sets: ro.command, Shell: Permit Access

     Rule-2, Groups:rw_grps; NDG:all devices, Command sets: rw.command, Shell: Permit Access

My switch settings:

aaa new-model
aaa authentication login default group tacacs+
aaa authentication login NO_PASS none
aaa authorization exec default group tacacs+
aaa authorization exec NO_Authorization none
aaa authorization commands 15 default group tacacs+

tacacs-server host MY_ACS_IP
tacacs-server directed-request
tacacs-server key 7 MY_PASSWORD

Regards,

Gyuri

0 Helpful

nagabhushana.k
Level 1
Level 1
In response to vigyu1975

‎12-01-2009 08:59 PM

Hi,

The configuration done on ACS and the switch seems to be similar what I have done in my case. Even I am strucked up at the same position.

It would be my pleasure to share the information with you, provided it works.

Regards,

Bhushan

0 Helpful

dcmgash
Cisco Employee
Cisco Employee
In response to nagabhushana.k

‎12-07-2009 03:16 AM

Hi,

"For example, in shell profile, I have given the maximum privilege level that a user can access as 7 and I have logged into privilege level 7 using appropriate credentials and tried to enter the commands that are not allowed in that particular privilege level by default, but that are set using Command sets option in Policy Elements > Authorization and permissions > Device administration >command sets."

Hi, this description suggests trying to use command sets as an alternative to the privilege levels. However, the privilege levels are checked before AAA per-command authorisation is invoked. I think you'd need to ensure that the privilege level of the session (either through intiial login, or enable authentication to change priv level) is sufficient for the commands to be used, and Command Author can then be used to filter the commands further.

Regards,

Doug

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents