How to assign enable privilege

Unanswered Question
Jan 21st, 2010

Hello

I have configured privilege 15 on ACS 4.2 (TACACS+), but when the user connects to a network device he always receives only the < mode.

What can the problem be?

On the switch I have configured "aaa authorization commands 15 default group users local".

Jatin Katyal Thu, 01/21/2010 - 09:41

Michael,

The ACS settings are correct. You only need to replace the command authorization command with exec authorization on the switch:

aaa authorization exec default group tacacs local    (in case we have a TACACS server)

aaa authorization exec default local                 (if we have a local user database)

HTH

Regards,

Jatin

Please rate helpful posts.

michaelreidman Mon, 01/25/2010 - 05:22

Hi, thanks a lot for your response.

I have added the following commands on the network device and it solved the problem:

    aaa authorization commands 15 default group users local
    aaa authorization commands 0 default group users local
    aaa authorization commands 1 default group users local

I use privilege 15.

On this privilege I permit specific show commands only.

The rest of the commands have to be denied.

Unfortunately the "write" command on the same profile works for some reason.

Ganesh Hariharan Mon, 01/25/2010 - 23:41


Hi Michael,

A few configuration steps need to be done once the user is authenticated via ACS 4.2 and needs access to the following commands only; check out the link below for configuration of ACS 4.2 with Cisco router authorization.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_guide_chapter09186a00801fd7cb.html#wp676420

Hope this helps!!

If helpful, do rate the valuable post.

Ganesh.H

michaelreidman Tue, 01/26/2010 - 01:52


Hello Ganesh,

Thanks a lot for your response.

I have configured the following on ACS:

1. Priv 15

2. On the shell I have permitted only matched commands (show commands and variants of show commands).

Other (unmatched) commands should be blocked.

For some reason I am able to perform the "write" command.

Other serious commands are blocked (debug, conf t, reload etc.).

What can my problem be?

Best Regards

Jatin Katyal Tue, 01/26/2010 - 02:54

Hi Michael.

Please provide me a screenshot of Shell Command Authorization > Command Set.

If you only want to allow "show" commands, this is what you should have on the ACS:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#scenario2

On the devices you should have the commands listed below.

aaa new-model
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#rou

HTH

Regards,

JK

Please rate helpful posts.

michaelreidman Tue, 01/26/2010 - 03:42


Hello JK,

Thanks for the response again.

On the shell I have the following rubrics:

Unmatched commands: Deny

show
    Permit unmatched Args: V
    permit run
    permit inter

Again, the problem is only with the write command.

Other dangerous commands are blocked.

Only show run and show int work.

darpotter Thu, 01/28/2010 - 02:07

Hi

From your config I can't tell if you have unmatched commands permitted or denied. To start with, have unmatched commands = deny. Any commands not explicitly permitted should then fail.

If you have unmatched commands or arguments = deny, you then need to list those that are permitted, and vice versa. There is no point in setting unmatched = deny and then listing some that are denied!

e.g.

unmatched cmds = deny, unmatched args = permit
    permit show
    permit ping

michaelreidman Thu, 01/28/2010 - 07:15

Hello

Thanks a lot for your response.

I have the following:

show    permit int
        permit ver

write   deny mem
        deny .....

So others should be blocked (denied).

I have a problem with only the "write" command.

Other commands, including "write memory" and all other variants, are blocked successfully.

Best Regards

darpotter Fri, 01/29/2010 - 03:07

You've not mentioned what the unmatched args setting is, but I'm assuming this:

unmatched cmds = deny
    permit cmd "write" (unmatched args = permit)
        deny arg "mem"
        deny arg "another"

This would deny "write mem" and "write another" but nothing else. Now remember that the command authorisation is case sensitive and not wildcarded, so if you entered the command "write memory" it would get authorised, as would "write".

Looking back at your original post, you said the problem was that the "write" command was being authorised when it shouldn't. In that case the authorisation should be this:

unmatched cmds = deny
    permit cmd "show" (unmatched args = deny)
        permit arg "a"
        permit arg "b"

This is the correct profile to allow "show a" and "show b" ONLY - no other cmds will authorise. If they do, there must be something else going on outside of ACS, I suspect.
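The two profiles above (and the "unmatched = deny, then list what is permitted" rule from the earlier reply) can be checked offline with a small model of the command set. The following is an added example written for this page; it is not code from the thread or from Cisco ACS. It applies the matching rules exactly as the reply describes them (exact, case-sensitive, no wildcards, with a default for unmatched commands and a per-command default for unmatched arguments); how the real ACS compares argument text, and that a bare permitted command with no arguments is authorized, are assumptions of this model. `as_posted()` combines the original poster's `show` lines with the `write` lines the reply reconstructs; `corrected()` is the show-only profile from the reply.

```python
"""Simplified model of an ACS 4.x shell command authorization set (added example).

Not code from the thread or from Cisco. It models the rules the reply
describes: a default for unmatched commands, per-command permit/deny, a
per-command default for unmatched arguments, and explicit permit/deny
argument lines. Matching is exact and case-sensitive with no wildcards, as
the reply states; how real ACS compares argument text is an assumption here.
"""
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """One command entry in the set, e.g. 'permit cmd "write" (unmatched args = permit)'."""
    action: str                                   # "permit" or "deny"
    unmatched_args: str = "deny"                  # default for arguments with no explicit line
    args: dict = field(default_factory=dict)      # argument text -> "permit" / "deny"


@dataclass
class CommandSet:
    unmatched_commands: str = "deny"              # default for commands with no entry
    commands: dict = field(default_factory=dict)  # command word -> CommandRule

    def authorize(self, line: str) -> bool:
        """Return True if the fully expanded command line would be authorized."""
        tokens = line.split()
        if not tokens:
            return False
        cmd, args = tokens[0], " ".join(tokens[1:])
        rule = self.commands.get(cmd)             # exact, case-sensitive lookup
        if rule is None:
            return self.unmatched_commands == "permit"
        if rule.action != "permit":
            return False
        if not args:
            # Assumption: a permitted command typed with no arguments has
            # nothing to match against the argument lines, so it passes.
            return True
        # Explicit argument line wins; otherwise the unmatched-args default applies.
        return rule.args.get(args, rule.unmatched_args) == "permit"


def as_posted() -> CommandSet:
    """Profile as the reply reconstructs it from the poster's description."""
    return CommandSet(
        unmatched_commands="deny",
        commands={
            "show": CommandRule("permit", "deny", {"int": "permit", "ver": "permit"}),
            "write": CommandRule("permit", "permit", {"mem": "deny", "another": "deny"}),
        },
    )


def corrected() -> CommandSet:
    """Show-only profile: permit 'show' and allow-list its arguments explicitly."""
    return CommandSet(
        unmatched_commands="deny",
        commands={
            "show": CommandRule("permit", "deny", {"a": "permit", "b": "permit"}),
        },
    )


def evaluate(profile: CommandSet, lines) -> dict:
    """Map each command line to its authorization result under the profile."""
    return {line: profile.authorize(line) for line in lines}


if __name__ == "__main__":
    # Constructed sample of command lines as IOS would send them after expansion.
    sample = ["write", "write mem", "write memory", "show int", "show a", "show c", "reload", "Show a"]
    for name, profile in (("as posted", as_posted()), ("corrected", corrected())):
        print(f"--- {name} ---")
        for line, ok in evaluate(profile, sample).items():
            print(f"{line!r:16} -> {'permit' if ok else 'deny'}")
```

Running it shows the point of the reply: under the as-posted profile, `write mem` is denied but both `write` and `write memory` pass, because the `write` command itself is permitted and only two exact argument strings are denied; under the corrected profile, `write` in any form is rejected by the unmatched-commands default, and only the listed `show` arguments pass.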
