06-06-2007 04:17 AM - edited 03-10-2019 03:11 PM
Hi all,
I am using a cisco 871 router running Version 12.4(11)T advanced IP Services.
I am having trouble getting AAA Authorization to work correctly with ACS.
I am able to set the users up on ACS fine and assign them shell and priv level 7.
I then setup a Shell Auth Set, and enter in the commands show and configure.
When I log in as a user, I get an exec with a priv level of 7 no problems, but I never seem to be able
to access global config mode by typing in conf (or configure) terminal or t.
If I type con? the only command there is connect, configure is never an option...
The only way I can get this to work is by entering the command:
privilege exec level 7 configure terminal
I thought the whole purpose of the ACS Shell Set was to provide this information to the Router?
This is most frustrating
The ACS Server is set up with a Shell Command Authorization Set named Level_7
It is assigned to the relevant groups and I even have the "Unmatched Commands" option selected to "Permit"
The "Permit Unmatched Args" is also selected.
See an excerpt of my IOS config below:
aaa new-model
!
!
aaa group server tacacs+ ACS
server 10.90.0.11
!
aaa authentication login default group ACS local
aaa authorization exec default group ACS
aaa authorization commands 7 default group ACS local
!
tacacs-server host 10.90.0.11 key cisco
!
!
privilege exec level 7 configure terminal
privilege exec level 7 configure
privilege exec level 7 show running-config
privilege exec level 7 show
!
Hope you can help me with this one.
P.S. I have tried it with the privilege commands on the router and removed from the router and just keep getting the same results!?
06-06-2007 04:38 AM
Hi,
So here it is,
You are actually using two different options and trying to couple them together. What I would suggest is that you either use the Shell Command Authorization Set feature or play with privilege levels, not both mixed together.
The above scenario might work if you move the commands to privilege level 6 and give the user privilege level 7. It might not, though; I'm not sure. Give it a try and share the result.
This is what I suggest: put the commands back to the normal level.
Below are the steps to configure shell command authorization:
-------------------------------------------
Follow the following steps over the router:
-------------------------------------------
!---
!---
!--- we create a local username and password
!--- in case we are not able to get authenticated via
!--- our tacacs+ server. To provide a back door.
username
!--- To apply aaa model over the router
aaa new-model
!--- Following command is to specify our ACS
!--- server location, where
!--- ip-address of the ACS server. And
!--- is the key that should be same over the ACS and the router.
tacacs-server host
!--- To get users authentication via ACS, when they try to log-in
!--- If our router is unable to contact to ACS, then we will use
!--- our local username & password that we created above. This
!--- prevents us from locking out.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!--- Following commands are for accounting the user's activity,
!--- when user is logged into the device.
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
--------------------
Configuration on ACS
--------------------
[1] Go to 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'
Provide any name for the set.
Provide a sufficient description (if required).
(a) For Full Access administrative set.
In Unmatched Commands, select 'Permit'
(b) For Limited Access set.
In Unmatched commands, select 'Deny'.
And in the box above the 'Add Command' box type in the main command, and in the box below 'Permit unmatched Args' provide the sub-command to allow.
For example: If we want the user to be able to access only the following commands:
login
logout
exit
enable
disable
show
Then the configuration should be:
Command       Arguments ('Permit unmatched Args' box)
-----------------------------------------------
login         permit
logout        permit
exit          permit
enable        permit
disable       permit
configure     permit terminal
interface     permit ethernet
              permit 0
show          permit running-config
-----------------------------------------------
In the above example, the user will be allowed to run only the above commands. If the user tries to execute 'interface ethernet 1', the user will get 'Command authorization failed'.
[2] Press 'Submit'.
[3] Go to the group on which we want to apply this command authorization set. Select 'Edit Settings'.
(cont...)
06-06-2007 04:39 AM
(cont...)
[4] From 'Jump To' menu, select 'TACACS+'.
[5] Mark a check over 'Shell(exec)' & 'Privilege level' with the privilege level value equal to '15'.
[6] In 'Shell Command Authorization Set', check 'Assign a Shell Command Authorization Set for any network device' and from drop down menu select the authorization set to be applied to the group.
[7] Press 'Submit + Restart'.
###############################
Adding the TACACS+ AAA Client :
###############################
[Step 1] Select Network Configuration.
Note : If you are using Network Device Groups (NDGs), you must also click the name of the NDG that you want to add the AAA client entry to.
[Step 2] Under the AAA Clients table, select Add Entry.
The Add AAA Client page appears.
[Step 3] Configure the boxes, list, and check boxes on the Add AAA Client page as follows:
- AAA Client Hostname: Type the hostname plus the AAA protocol, router01-tacacs.
- AAA Client IP Address: The IP address of the interface of the router from which CiscoSecure ACS will receive RADIUS requests.
- Key: The same key specified on the router for the TACACS+ server.
- Authenticate Using: Select TACACS+ (Cisco IOS).
[Step 4] Select "Submit + Restart".
To see how exactly the commands are seen by ACS, as we have turned on command accounting, we can go to:
Reports and Activity > TACACS Administration and TACACS Accounting
There you'll be able to see exactly how the commands are being seen by ACS, and accordingly we can configure the Shell Command Authorization Set.
Try this and let me know.
Regards,
Prem
06-06-2007 04:52 AM
Hi Prem,
Thanks a lot for your reply.
I have tried my config originally also without the local command statements.
However, I will try again with the above information you posted; if I don't get to do it today I will try in the morning and get back to you with results.
Thanks again,
Ian.
06-06-2007 08:23 AM
Hi Prem,
We have tried that setup on the ACS 4.x now. Still giving problems though!
We reverted the router config back to normal priv levels and started with a blank config and entered in what you recommended.
Logging into the router via ACS with priv 15 set as an unrestricted Command Shell set works fine. However, we could always get this to work fine; it's when we start restricting access that we have problems.
I setup the router exactly as you said and set the ACS up with the following shell to provide a restricted priv 15 login:
Unmatched Commands Marked as Deny
1st Command Box
===============
configure
disable
enable
exit
interface
login
logout
show
2nd Command Box
===============
permit terminal
permit vlan1 (also tried permit vlan permit 1)
permit running-config
permit ip route
permit ip interface brief
When we log in under this setting the access levels are restricted, but they do not behave as expected. For example, in the above setup I can log on to the Router, enter show ip route and it will work fine. I can then enter a different show command and I will get
If I look at the ACS TACACS+ Admin, I can see all the commands which I could successfully enter, but exit or disable is not shown there at all?
While in config mode if I enter in:
"interface vlan1" I also get
We can get these setups to work perfectly on the local routers and switches, but we wanted the ACS to do it for the entire setup to save having to enter the privilege commands on all systems. But the ACS 4.x seems to be behaving strangely with the Shell sets??
If you have any other ideas on this issue, we would be very grateful.
Thanks,
Ian.
06-06-2007 08:31 AM
Hi,
Actually, ACS is not behaving strangely; we need to understand how ACS parses commands.
The commands that you are not able to enter will show up in Failed Attempts.
And do this,
exit--------permit
disable-----permit
For interface vlan1,
interface-----permit Vlan 1
Notice the upper case V; it's case sensitive.
Try this.
Another way to see how exactly ACS parses a command. With the account that has full privileges, type that command that you want to restrict and see it in Tacacs Administration logs.
Regards,
Prem
06-07-2007 02:55 AM
Hi Prem,
We seem to be getting somewhere with this now!
I did have the Capital letter in place for Vlan 1 but the command sequence I had in was like this:
interface-----permit Vlan1
The failed parse command showed "interface Vlan 1" so I changed the shell to:
interface-----permit Vlan 1
This command now works.
So where we are at now is that we have 2 shell sets on the ACS, one is for unrestricted usage, and the other is for restricted usage. Each Shell Set is assigned to a different Group and seems to be working fine.
However, there still seems to be an issue with the single word commands, getting them to work e.g. (exit, disable,) etc.
If I put in the command:
exit-------permit
I get the following error when I press submit:
Argument Line for Command exit is not in the correct format :-
permit
The correct format is
However, If I enter the following command:
exit-----permit
The ACS accepts the command format when I press submit. When I log into the Router, the exit command now works fine along with all the other commands in the Shell.
Now here is where it starts getting strange and causes problems... If I edit the Shell again and add a new command in, as soon as I press submit I get the same error as before about the "exit" command being in the wrong format. As soon as I go to the exit command and go to the arguments box and add in a
This causes great trouble when I try to enter a second single word command in such as "disable" because I have to use the exact same format i.e:
disable-----permit
But as soon as I submit this, it reports an error about the "exit" command's formatting; if I then fix the "exit" command's formatting it reports the error on the "disable" command's formatting, and vice versa. This just keeps on happening until I end up deleting commands until I only have one single word command in there such as exit or disable (I don't seem to be able to have more than 1)?
Thanks for your help so far Prem, it's been very useful; hopefully we can get the last bit sorted now!
Best Regards,
Ian.
06-07-2007 03:08 AM
Hi Prem,
Just a little more info for you...
If I go back to edit the shell at any stage, I can get the exit and the disable command to work by selecting each of them individually, and then going to the arguments box of each command and entering a
Then when I press submit it accepts the 2 single word commands in the shell and it all works fine on the router.
Unfortunately this has to be done every time I go near the shell set??
So the single command formats are:
exit--------permit
disable-----permit
They will not work without the
All other commands are fine.
Regards,
Ian.
06-07-2007 04:01 AM
Hi Ian,
Sorry, but I was not able to get the same results as you are, I created a Shell Command Authorization Set with following,
disable----permit
enable-----permit
show-------permit running-config
interface--permit Vlan 1
And I added and deleted several commands but it never gave me that error. Maybe something is corrupt with the Shell Command Authorization Set you have created.
Try deleting it and creating a new one. But before deleting it, remove it from the group that is using it.
And see the result. Also, what is the exact version of ACS you are using?
Regards,
Prem
06-07-2007 06:43 AM
Hi Prem,
I'm afraid I can't get it to work, but that's OK because I can live with the workaround for the time being. I see it works fine for you, so that's OK. Our ACS Server is in a LAB at the moment and is a downloaded version running on a VMWare Server at present; it is currently
ACS Release 4.0(1) Build 27
We will be getting our full ACS Server software from our partner in a couple of weeks and that will be on a dedicated server not a VM environment, so I would be confident that it should work fine.
I just wasn't sure if it was something we were doing incorrectly that wouldn't let the commands work.
But thanks for all your help, it was much appreciated!
Best Regards,
Ian.
06-07-2007 06:55 AM
You're welcome Ian,
Also, ACS 4.0 is not tested on VMWare, that might be causing some issue. But yes 4.1 is tested on a VMWare platform.
Glad to help you on this.
Please mark this thread as resolved, so that others can benefit from it.
Thanks,
Prem
08-12-2008 01:06 PM
Are you kidding me, case sensitive. This solves my issue, thanks.