01-21-2010 04:14 AM - edited 03-10-2019 04:54 PM
Hello
I have configured privilege 15 on ACS 4.2 (TACACS+), but when the user connects to a network device he always receives only < mode.
What can the problem be?
On the switch I configured "aaa authorization commands 15 default group users local".
01-21-2010 09:41 AM
Michael,
The ACS settings are correct. You only need to replace the command authorization command with exec authorization on the switch:
aaa authorization exec default group tacacs local (in case we have a TACACS server)
aaa authorization exec default local (if we have a local user database)
HTH
Regards,
Jatin
Plz rate helpful posts-
01-25-2010 05:22 AM
Hi, thanks a lot for your response.
I have added the following commands on the network device and it solved the problem:
aaa authorization commands 15 default group users local
aaa authorization commands 0 default group users local
aaa authorization commands 1 default group users local
I use privilege 15.
On this privilege I permit specific show commands only.
The rest of the commands have to be denied.
Unfortunately the "write" command on the same profile works for some reason.
01-25-2010 11:41 PM
Hi Michael,
A few configuration steps need to be done once the user is authenticated via ACS 4.2 and needs access to the following commands only; check out the below link for the configuration in ACS 4.2 with Cisco router authorization.
Hope this helps!
If helpful, do rate the valuable post.
Ganesh.H
01-26-2010 01:52 AM
Hello Ganesh,
Thanks a lot for your response
I have configured the following on ACS:
1. Priv 15
2. On shell I have permitted only matched commands (show commands and variants of show commands).
Other (unmatched) commands should be blocked.
For some reason I am able to perform the "write" command.
Other serious commands are blocked (debug, conf t, reload etc.).
What can my problem be?
Best Regards
01-26-2010 02:54 AM
Hi Michael.
Please provide me a screenshot of Shell Command Authorization > Command Set.
If you only want to allow "show" commands,
this is what you should have on the ACS:
On the devices you should have the below listed commands.
aaa new-model
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
HTH
Regards,
JK
Plz rate helpful posts-
01-26-2010 03:42 AM
Hello JK,
Thanks for your response again.
On shell I have the following rubrics:
Unmatched commands : show
Deny
Permit unmatched Args : V
Permit run
Permit Inter
Again, the problem is only with the write command.
Other dangerous commands are blocked.
Only show run and show int work.
01-28-2010 02:07 AM
Hi
From your config I can't tell if you have unmatched commands permitted or denied. To start with, have unmatched commands = deny. Any commands not explicitly permitted should then fail.
If you have unmatched commands or arguments = deny, you then need to list those that are permitted, and vice versa. No point in setting unmatched = deny and then listing some that are denied!
e.g.
unmatched cmds = deny, unmatched args = permit
permit show
permit ping
01-28-2010 07:15 AM
Hello
Thanks a lot for your response.
I have the following:
show
permit int
permit ver
write
deny mem
deny .....
So the others should be blocked (denied).
I have a problem with only the "write" command.
Other commands included (write memory and all other variants) are blocked successfully.
Best Regards
01-29-2010 03:07 AM
You've not mentioned what the unmatched args setting is, but I'm assuming this:
unmatched cmds = deny
permit cmd "write" (unmatched args = permit)
deny arg "mem"
deny arg "another"
This would deny "write mem" and "write another" but nothing else. Now remember that command authorisation is case sensitive and not wildcarded, so if you entered the command "write memory" it would get authorised, as would "write".
Looking back at your original post you said the problem was that the "write" command was being authorised when it shouldn't. In that case the authorisation should be this:
unmatched cmd = deny
permit cmd "show" (unmatched args = deny)
permit arg "a"
permit arg "b"
This is the correct profile to allow "show a" and "show b" ONLY - no other cmds will authorise. If they do there must be something else going on outside of ACS I suspect.
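A small evaluator for the matching rules JK describes in the last two replies (an unmatched-commands default, per-command permit/deny argument lines, case-sensitive matching with no wildcards), added here as an illustration; it is not part of this thread and not Cisco ACS code. It is a simplified model with two assumptions: the command word is looked up exactly, and the rest of the line is compared as one argument string against the permit/deny lines. It runs the profile JK reconstructs from the original poster's description and the corrected "show a / show b" profile over constructed sample commands, which makes visible why the bare "write" slips through the first profile and is denied by the second.

```python
"""Toy evaluator for an ACS 4.x-style shell command authorization set.

Added illustration, not ACS code. Assumptions: the command word must match
a rule exactly (case-sensitive, no wildcards) and the remainder of the line
is compared as a single argument string against the rule's permit/deny lines.
"""
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """One command entry: explicit argument lines plus the unmatched-args default."""
    permit_args: list = field(default_factory=list)
    deny_args: list = field(default_factory=list)
    permit_unmatched_args: bool = False


@dataclass
class CommandSet:
    """A whole command set: per-command rules plus the unmatched-commands default."""
    rules: dict = field(default_factory=dict)   # command word -> CommandRule
    permit_unmatched_commands: bool = False


def authorize(cmdset: CommandSet, line: str):
    """Return (permitted, reason) for one command line the device would send for authorization."""
    tokens = line.split()
    if not tokens:
        return False, "empty line"
    command, args = tokens[0], " ".join(tokens[1:])
    rule = cmdset.rules.get(command)          # exact, case-sensitive lookup
    if rule is None:
        verdict = cmdset.permit_unmatched_commands
        return verdict, f"'{command}' not listed; unmatched commands = {'permit' if verdict else 'deny'}"
    if args in rule.deny_args:
        return False, f"explicit deny on argument '{args}'"
    if args in rule.permit_args:
        return True, f"explicit permit on argument '{args}'"
    # No explicit line matched (this includes a bare command with no arguments at all),
    # so the per-command unmatched-args default decides.
    verdict = rule.permit_unmatched_args
    return verdict, f"argument '{args}' not listed; unmatched args = {'permit' if verdict else 'deny'}"


def problem_profile() -> CommandSet:
    """JK's reconstruction of the poster's set: 'write' listed, only some arguments denied."""
    return CommandSet(
        rules={"write": CommandRule(deny_args=["mem", "another"], permit_unmatched_args=True)},
        permit_unmatched_commands=False,
    )


def corrected_profile() -> CommandSet:
    """JK's corrected set: only 'show a' and 'show b' authorise, everything else is denied."""
    return CommandSet(
        rules={"show": CommandRule(permit_args=["a", "b"], permit_unmatched_args=False)},
        permit_unmatched_commands=False,
    )


def evaluate(cmdset: CommandSet, lines) -> dict:
    """Map each command line to its permit/deny verdict under the given set."""
    return {line: authorize(cmdset, line)[0] for line in lines}


if __name__ == "__main__":
    # Constructed sample commands; 'write memory' and 'SHOW a' exercise the
    # no-wildcard and case-sensitivity points from the thread.
    sample = ["write", "write mem", "write memory", "show a", "show c", "SHOW a", "reload"]
    for name, profile in (("problem", problem_profile()), ("corrected", corrected_profile())):
        print(f"--- {name} profile ---")
        for line in sample:
            ok, why = authorize(profile, line)
            print(f"{line!r:16} {'PERMIT' if ok else 'DENY':6} {why}")
```

Running it shows the bare "write" and "write memory" permitted under the first profile (nothing explicit matches and unmatched args = permit), while the corrected profile denies "write", "show c", "SHOW a" and "reload" and permits only "show a" and "show b". When building a real set, start from unmatched commands = deny and unmatched args = deny and add only the permits you need, as JK advises.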