How to assign enable privilege

Unanswered Question
Jan 21st, 2010
Hello

I have configured privilege 15 on ACS 4.2 (TACACS+), but when a user connects to a network device he always receives only the < mode.

What can the problem be?

On the switch I configured "aaa authorization commands 15 default group users local".

Jatin Katyal (Cisco Employee) Thu, 01/21/2010 - 09:41

Michael,


The ACS settings are correct. You only need to replace the command authorization command with exec authorization on the switch:

aaa authorization exec default group tacacs local    (in case we have a TACACS server)

aaa authorization exec default local                  (if we have the local user database)


HTH


Regards,

Jatin


Plz rate helpful posts-

michaelreidman Mon, 01/25/2010 - 05:22

Hi, thanks a lot for your response.

I have added the following commands on the network device and it solved the problem:

aaa authorization commands 15 default group users local

aaa authorization commands 0 default group users local

aaa authorization commands 1 default group users local

I use privilege 15.

On this privilege I permit specific show commands only.

The rest of the commands have to be denied.

Unfortunately the "write" command on the same profile works for some reason.


Ganesh Hariharan Mon, 01/25/2010 - 23:41

Hi Michael,


A few configuration steps are needed once the user is authenticated via ACS 4.2 and is to have access to the following commands only; check out the link below for the configuration in ACS 4.2 with Cisco router authorization.



http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_guide_chapter09186a00801fd7cb.html#wp676420


Hope this helps!!

If helpful, do rate the valuable post.


Ganesh.H

michaelreidman Tue, 01/26/2010 - 01:52

Hello Ganesh,


Thanks a lot for your response.

I have configured the following on ACS:

1. Priv 15

2. On the shell I have permitted only matched commands (show commands and variants of show commands).

Other (unmatched) commands should be blocked.

For some reason I am able to perform the "write" command.

Other serious commands are blocked (debug, conf t, reload etc.).

What can my problem be?


Best Regards

Jatin Katyal (Cisco Employee) Tue, 01/26/2010 - 02:54

Hi Michael,

Please provide me a screenshot of Shell Command Authorization > Command Set.

If you only want to allow "show" commands, this is what you should have on the ACS:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#scenario2

On the devices you should have the commands listed below.


aaa new-model

aaa authorization commands 0 default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local


http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#rou


HTH


Regards,

JK


Plz rate helpful posts-

michaelreidman Tue, 01/26/2010 - 03:42

Hello JK,

Thanks for the response again.

On the shell I have the following rubrics:

Unmatched commands: Deny

Command: show

Permit unmatched args: V

permit run

permit inter

Again, the problem is only with the "write" command.

Other dangerous commands are blocked.

Only show run and show int work.

darpotter Thu, 01/28/2010 - 02:07

Hi


From your config I can't tell if you have unmatched commands permitted or denied. To start with, have unmatched commands = deny. Any commands not explicitly permitted should then fail.

If you have unmatched commands or arguments = deny, you then need to list those that are permitted, and vice versa. No point in setting unmatched = deny and then listing some that are denied!

e.g.

unmatched cmds = deny, unmatched args = permit

permit show

permit ping

michaelreidman Thu, 01/28/2010 - 07:15

Hello

Thanks a lot for your response.

I have the following:

show: permit int

      permit ver

write: deny mem

       deny .....

So others should be blocked (denied).

I have a problem with only the "write" command.

Other commands (including write memory and all other variants) are blocked successfully.

Best Regards

darpotter Fri, 01/29/2010 - 03:07

You've not mentioned what the unmatched args setting is, but I'm assuming this:


unmatched cmds = deny


permit cmd "write" (unmatched args = permit)

     deny arg "mem"

     deny arg "another"


This would deny "write mem" and "write another" but nothing else. Now remember that command authorisation is case sensitive and not wildcarded, so if you entered the command "write memory" it would get authorised, as would "write".

Looking back at your original post you said the problem was that the "write" command was being authorised when it shouldn't. In that case the authorisation should be this:


unmatched cmd = deny

permit cmd "show" (unmatched args = deny)

     permit arg "a"

     permit arg "b"


This is the correct profile to allow "show a" and "show b" ONLY; no other cmds will authorise. If they do, there must be something else going on outside of ACS, I suspect.
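The two command sets darpotter compares can be checked outside ACS with a small model of the matching rules he states: commands are matched case-sensitively as whole words with no wildcarding, the argument string is compared as a whole against the explicit permit/deny entries, and anything not listed falls back to the "unmatched commands" or "unmatched args" default. This is an added example, not code from the thread or from Cisco; the profile names (AS_POSTED, CORRECTED) and the sample command lines are constructed for illustration, and real ACS 4.2 matching is documented by Cisco and may differ in detail from this model.

```python
# Added example, not from the thread: a model of TACACS+ shell command
# authorization as darpotter describes it. Commands match case-sensitively as
# whole words with no wildcarding; the argument string is compared as a whole
# against explicit permit/deny entries; anything not listed falls back to the
# "unmatched commands" / "unmatched args" defaults. Profile names and sample
# command lines are constructed; real ACS 4.2 matching may differ in detail.
from dataclasses import dataclass, field

PERMIT, DENY = "permit", "deny"


@dataclass
class CommandRule:
    """One listed command, with the verdict for each explicit argument string."""
    unmatched_args: str                       # default when the args are not listed
    args: dict = field(default_factory=dict)  # argument string -> PERMIT / DENY


@dataclass
class CommandSet:
    """A shell command authorization set: a default plus explicit commands."""
    unmatched_cmds: str                           # default for commands not listed
    commands: dict = field(default_factory=dict)  # command word -> CommandRule


def authorize(cmdset: CommandSet, line: str) -> bool:
    """Return True if the command line would be authorized under cmdset."""
    parts = line.split()
    if not parts:
        return False
    cmd, args = parts[0], " ".join(parts[1:])
    rule = cmdset.commands.get(cmd)          # exact, case-sensitive command lookup
    if rule is None:
        return cmdset.unmatched_cmds == PERMIT
    verdict = rule.args.get(args)            # exact match on the whole argument string
    if verdict is None:
        return rule.unmatched_args == PERMIT
    return verdict == PERMIT


# Profile as darpotter infers it from the posts: "write" is a listed command,
# so it is matched, and only the exact argument strings "mem" and "another"
# are denied. Bare "write" and "write memory" therefore authorize.
AS_POSTED = CommandSet(
    unmatched_cmds=DENY,
    commands={
        "write": CommandRule(unmatched_args=PERMIT, args={"mem": DENY, "another": DENY}),
    },
)

# Corrected profile from the last post: only "show a" and "show b" authorize.
# "write" is not listed at all, so it falls to unmatched_cmds = deny.
CORRECTED = CommandSet(
    unmatched_cmds=DENY,
    commands={
        "show": CommandRule(unmatched_args=DENY, args={"a": PERMIT, "b": PERMIT}),
    },
)


def evaluate(cmdset: CommandSet, lines: list) -> dict:
    """Map each sample command line to its authorization verdict."""
    return {line: authorize(cmdset, line) for line in lines}


if __name__ == "__main__":
    samples = ["write", "write mem", "write memory", "show a", "show c", "Show a"]
    for name, profile in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(name)
        for line, ok in evaluate(profile, samples).items():
            print(f"  {line!r:16} -> {'permit' if ok else 'deny'}")
```

Running it shows the failure mode from the thread: under AS_POSTED, "write" and "write memory" are permitted while only the literal "write mem" is denied, whereas under CORRECTED every command other than "show a" and "show b" is denied, including the differently cased "Show a".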
