Command Sets not working on ACS 5.1

adam benigar
Level 1

I'm running ACS 5-1-0-44-3.

I have everything running properly on ACS 5.1.  I'd like to implement command sets for selected users and groups.  Under Access Policies -> Device Admin -> Authorization I have Command Sets selected.  The Cisco-provided one is DenyAllCommands.  I have this command set running on all groups and every group is still able to issue any command they wish.  I've also created a "show_only" command set that I've issued to one group and they are still able to do conf t or any other command.

Am I missing something?

Do you need to reference the command set name under the shell profiles?

It's my understanding that all you have to do is reference it in "Authorization" in the rules under Device Admin.

I can understand a custom command set not working because of user error but DenyAllCommands should work.

Anyone have any ideas?

I have already re-patched the ACS

Stopped and started services.

And it seems like Command Sets is the only thing not referenced in the logs.

1 Accepted Solution

Accepted Solutions

Paste the AAA config from your router and check in the AAA TACACS+ authorization whether commands are verified and so on.

regards


5 Replies


I am now able to deny/permit certain commands like show, conf t, etc.  Basically any command following #.  I'm now having a problem denying commands after conf t.  I want to allow access to the FastEthernet interfaces but deny serial interfaces.

If I DENY "interface" under the Command column it doesn't work.  I can still access all interfaces.

Got it working.

I was missing the "aaa authorization config-commands" command on the router.

Thanks for your help.
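For anyone hitting the same two symptoms in this thread (command sets ignored entirely, then exec-mode commands filtered but configuration-mode commands such as "interface" not), here is an added example of a router-side AAA configuration that sends both exec and configuration commands to ACS for authorization. It is not from the original posts or from Cisco; the server address, shared key, and server-group name are placeholders, and the lines marked "constructed" are there to show the hardening point and should be adapted to your own device.

```cisco
! Added example, not from the thread. Hypothetical values:
!   192.0.2.10     - ACS 5.x TACACS+ server
!   ACS-TACACS     - server group name
!   MySharedSecret - TACACS+ key (store the real one as a type 7/encrypted key)
aaa new-model

tacacs-server host 192.0.2.10 key MySharedSecret

aaa group server tacacs+ ACS-TACACS
 server 192.0.2.10

! Login and exec authorization: needed before any per-command
! authorization can take effect, because the shell profile is
! what places the user at the privilege level the command sets apply to.
aaa authentication login default group ACS-TACACS local
aaa authorization exec default group ACS-TACACS local

! Per-command authorization for exec-mode commands ("show", "conf t", ...).
! Without these lines the router never asks ACS about a command, so even
! the Cisco-provided DenyAllCommands set appears to do nothing.
aaa authorization commands 1 default group ACS-TACACS local
aaa authorization commands 15 default group ACS-TACACS local

! Authorization for commands entered inside configuration mode
! ("interface Serial0/0", "ip route ...").  On IOS this is the default
! once "aaa authorization commands" is configured, but it is switched
! off by "no aaa authorization config-commands", so state it explicitly;
! this is the line the thread identifies as the fix for the
! "deny interface after conf t does nothing" symptom.
aaa authorization config-commands

! Accounting makes every authorized/denied command show up on ACS,
! which is the quickest way to confirm the router is actually asking.
aaa accounting exec default start-stop group ACS-TACACS
aaa accounting commands 1 default start-stop group ACS-TACACS
aaa accounting commands 15 default start-stop group ACS-TACACS

! Constructed verification steps (run from an exec session, not config):
!   show running-config | include aaa authorization
!       - "commands 15" and "config-commands" must both be present;
!         a "no aaa authorization config-commands" line means the
!         configuration-mode check is disabled.
!   debug aaa authorization
!   debug tacacs
!       - each command should produce an authorization request to
!         192.0.2.10 and a PASS/FAIL reply while you test.
```

On the ACS side, the command set still has to be selected by a rule under Access Policies -> Device Admin -> Authorization, and for a restrictive set such as "show_only" the "Permit any command that is not in the table below" option on the command set must be left unchecked, otherwise everything not explicitly listed is allowed. Keep the "local" fallback in the method lists so you are not locked out if ACS is unreachable, and be aware that a fallback to local means command authorization is not enforced during that outage.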

I do it a lot.

Could you paste a screenshot of your command set?

I've recently met another issue,

with my command set definition as below (as you can see it's very simple):

almost every show is blocked (as suspected) but not "show run" (which is strange for me)

I've got it working like a charm now.  I'm not sure if you saw my previous post.  I was missing the command "aaa authorization config-commands" on my routers.
