
How do I see the "Command denied" in the Failed Attempts report

Kevin Morales
Level 1

Hello.

In the Failed Attempts report, under "Author-Failure-Code" I get "Command denied". Is there any way to record the commands that the user wanted to enter?

Thanks!

5 Replies

Jatin Katyal
Cisco Employee

Hi Kevin,

What command are you trying to execute?

Do you have accounting enabled on the devices? If yes, then look under the TACACS+ administration logs and copy the command that is not working.

Looks like the command you are trying to execute is not allowed under the command set.

Configuration example:

======================

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

HTH

JK

Plz rate helpful posts-

~Jatin

Thanks for your reply. I have Shell Command Authorization Sets configured to only allow the commands: show, ping, traceroute.

When a user executes a command that is not allowed, a "Command denied" entry is generated in the Failed Attempts report. How do I know which command the user tried to run?

Kevin,

You should see something like this in the failed attempts:

Command denied service=shell cmd=interface FastEthernet 0 21

By this we can see that the argument that is being sent by the switch command parser is actually 'FastEthernet 0 21'.

So the user tried to execute the command "interface FastEthernet 0\21".

Regards,

~JG

Do rate helpful post.
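
An added example, not part of the original thread and not Cisco's own tooling: a Python script that parses failed-attempt text of the shape quoted in the reply above and tallies denied commands per user. The (user, text) record layout, the function names and the sample entries are constructed assumptions; exporting rows from ACS is not covered.

```python
import re
from collections import Counter

# Command keywords the thread says the authorization set permits.
ALLOWED = {"show", "ping", "traceroute"}

# Shape quoted in the thread:
#   Command denied service=shell cmd=interface FastEthernet 0 21
DENIED_RE = re.compile(
    r"Command denied\s+service=(?P<service>\S+)\s+cmd=(?P<cmd>\S+)"
    r"(?:\s+(?P<args>.*\S))?\s*$"
)

def parse_denied(text):
    """Return service, command keyword and arguments, or None if no data."""
    m = DENIED_RE.search(text)
    if m is None:
        return None
    return {"service": m.group("service"), "cmd": m.group("cmd"),
            "args": m.group("args") or ""}

def summarize(records):
    """records: iterable of (user, failed_attempt_text) pairs (assumed layout)."""
    denied = Counter()   # (user, command keyword) -> number of denials
    no_data = []         # users whose entry carried no command data
    unexpected = []      # denials of a keyword that is in ALLOWED
    for user, text in records:
        entry = parse_denied(text)
        if entry is None:
            # Only the failure code was logged, so the command is unknown.
            no_data.append(user)
            continue
        denied[(user, entry["cmd"])] += 1
        if entry["cmd"] in ALLOWED:
            unexpected.append((user, entry["cmd"], entry["args"]))
    return denied, no_data, unexpected

# Constructed sample entries, not taken from a real ACS report.
SAMPLE = [
    ("user1", "Command denied service=shell cmd=interface FastEthernet 0 21"),
    ("user1", "Command denied service=shell cmd=configure terminal"),
    ("user2", "Command denied"),
    ("user1", "Command denied service=shell cmd=interface FastEthernet 0 22"),
    ("user3", "Command denied service=shell cmd=show running-config"),
]

if __name__ == "__main__":
    denied, no_data, unexpected = summarize(SAMPLE)
    for (user, cmd), count in denied.most_common():
        print(f"{user}: {cmd} denied {count}x")
    print("entries without command data:", no_data)
    print("denied although keyword is allowed:", unexpected)
```

Entries that land in `no_data` mean the report recorded only the failure code, so the command cannot be recovered from it.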

Thanks for responding.

The Failed Attempts report does not show me the command that was denied. Configuration attached.

I am using

CiscoSecure ACS

Release 4.2(0) Build 124 Patch 13

***Tacacs+ Configuration

aaa new-model
aaa authentication attempts login 1
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
tacacs-server directed-request
tacacs-server key Presharedciscoxx
tacacs-server host 192.168.1.10
ip tacacs source-interface Loopback0
aaa authorization commands 15 default group tacacs+ if-authenticated

Greetings.

I had an error in the configuration of the report: I had not enabled the Author-Data option. Thanks for your help!