11-13-2009 09:52 AM - edited 03-10-2019 04:47 PM
Hello.
In Failed Attempts report, under "Author-Failure-Code" I get "Command denied". Is there any way to record the commands that the user wanted to enter?
Thanks!
11-13-2009 10:39 AM
Hi Kevin,
What command are you trying to execute?
Do you have accounting enabled on the devices? If yes, then look under the tacacs administration logs and copy the command that is not working.
Looks like the command you are trying to execute is not allowed under the command set.
Configuration example:
======================
HTH
JK
Please rate helpful posts.
11-13-2009 12:27 PM
Thanks for your reply. I have Shell Command Authorization Sets configured to only allow the commands: show, ping, traceroute.
When a user executes a command that is not allowed, a "Command denied" entry is generated in the Failed Attempts report. How can I know which command the user tried to run?
11-14-2009 07:34 AM
Kevin,
You should see something like this in the failed attempts:
Command denied service=shell cmd=interface FastEthernet 0 21
By this we can see that the argument that is being sent by the switch command parser is actually 'FastEthernet 0 21'
So the user tried to execute the command "interface FastEthernet 0/21".
Regards,
~JG
Do rate helpful posts.
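Added example, not part of the original thread or of Cisco's tooling: a short Python parser that recovers the denied command from Failed Attempts messages in the layout quoted in the reply above and groups them per user. The sample rows, the user names and the handling of `cmd-arg=` / `<cr>` tokens (the TACACS+ attribute form of the same arguments) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample rows (user, message). Only the message layout
# "Command denied service=shell cmd=..." is taken from the thread.
SAMPLE_ROWS = [
    ("kevin", "Command denied service=shell cmd=interface FastEthernet 0 21"),
    ("kevin", "Command denied service=shell cmd=configure terminal"),
    ("ops1", "Authen failed"),
    ("ops1", "Command denied service=shell cmd=reload"),
    ("ops1", "Command denied service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>"),
]

DENIED = re.compile(
    r"^Command denied\s+service=(?P<service>\S+)\s+cmd=(?P<cmd>\S+)\s*(?P<args>.*)$"
)

def parse_denied(message):
    """Return (service, command, [args]) for a 'Command denied' message, else None."""
    m = DENIED.match(message.strip())
    if not m:
        return None
    args = []
    for tok in m["args"].split():
        # Assumption: arguments may arrive as bare tokens (as in the thread)
        # or as cmd-arg=<value> pairs ending with the <cr> terminator.
        if tok.startswith("cmd-arg="):
            tok = tok[len("cmd-arg="):]
        if tok and tok != "<cr>":
            args.append(tok)
    return m["service"], m["cmd"], args

def denied_by_user(rows):
    """Group reconstructed denied commands by user, skipping other failures."""
    out = defaultdict(list)
    for user, message in rows:
        parsed = parse_denied(message)
        if parsed:
            _, cmd, args = parsed
            # The device sends tokens, so "0/21" shows up as "0 21";
            # the original separator cannot be recovered from the log.
            out[user].append(" ".join([cmd, *args]))
    return dict(out)

if __name__ == "__main__":
    for user, cmds in denied_by_user(SAMPLE_ROWS).items():
        print(user, cmds)
```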
11-14-2009 08:39 AM
Thanks for responding.
In the Failed Attempts report, it does not show me the Command denied. Configuration attached.
I am using CiscoSecure ACS Release 4.2(0) Build 124 Patch 13
***Tacacs+ Configuration
aaa new-model
aaa authentication attempts login 1
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
tacacs-server directed-request
tacacs-server key Presharedciscoxx
tacacs-server host 192.168.1.10
ip tacacs source-interface Loopback0
aaa authorization commands 15 default group tacacs+ if-authenticated
11-16-2009 07:01 AM
Greetings.
I had an error in the configuration of the report: I had not enabled the option Author-Date. Thanks for your help!