2717 Views | 0 Helpful | 5 Replies

Deny "show run"

kzhen
Level 1

I use ACS ver 4.2, and set up the following configuration on the routers.

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_auth local enable
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

Everything works perfectly, but I am trying to deny the 'show run' command using ACS command authorization sets (see attachment). All other commands are working, but no matter what I do the show run is unsuccessful. In the group, Max privilege for any AAA client is set to 'Level 1', and Shell (exec) is set to 'Privilege level 1'. Any ideas?


5 Replies

kzhen
Level 1

Missing the attachment file

Hi,


Please enable "debug aaa authorization" and "debug tacacs". It seems that the device is not checking the authorization status from ACS for the "show run" command.

The issue can be due to an IOS bug.



Regards,

~JG



Do rate helpful posts

rodmunch999
Level 1

I have tried this in a v4.1 ACS and can deny the show run and show clock commands but allow all the other show commands:

The AAA config on the test device (Version 12.2.18 EW2 IOS) is:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

Here is the output:

TESTSWITCH01#show clock
Command authorization failed.
TESTSWITCH01#show run
Command authorization failed.
TESTSWITCH01#show calendar
12:13:26 AEST Mon Apr 19 2010

You cannot use "run", you have to use "running-config" (i.e., it has to match what the router sends for authorization).

Hmmm... well "run" seems to work for "running-config" as well. Here is my test Command Authorization:

Here is the test:

router1#sh run
Command authorization failed.

router1#show running-config
Command authorization failed.

router1#show terminal
Line 167, Location: "", Type: "vt100"
Length: 56 lines, Width: 132 columns...
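As an added example (not code from this thread, from Cisco IOS, or from ACS), here is a small Python model of the two halves of the exchange discussed above: the device expanding an abbreviated command before it sends the TACACS+ authorization request, and an ACS-style command authorization set evaluating the expanded command. The keyword tables and the two command sets are constructed for the example, and the argument matching (a regex search over the argument string, with "permit unmatched" defaults) is an assumed simplification of how ACS 4.x evaluates permit/deny argument lines. What it shows is that a deny rule is evaluated against "show running-config", never against the typed "sh run", and why a rule that would only match the raw typed text would let the command through.

```python
"""Model of IOS command expansion plus an ACS-style command authorization set.

Added example, not code from the thread or from Cisco. Keyword tables and
command sets are constructed; regex argument matching is an assumption.
"""
import re
from dataclasses import dataclass

# Constructed keyword tables: a tiny subset of what the real IOS parser knows.
TOP_KEYWORDS = ("show", "configure", "enable", "exit")
SHOW_KEYWORDS = ("running-config", "startup-config", "clock", "calendar",
                 "terminal", "version")


def expand_token(token: str, keywords) -> str:
    """Resolve an abbreviation the way the IOS parser does ('sh' -> 'show').

    Exact matches win; otherwise the token must be an unambiguous prefix.
    """
    if token in keywords:
        return token
    matches = [k for k in keywords if k.startswith(token)]
    if len(matches) != 1:
        raise ValueError(f"ambiguous or unknown keyword {token!r}: {matches}")
    return matches[0]


def expand_command(line: str):
    """Return (command, args) in the fully expanded form IOS sends to TACACS+.

    IOS expands abbreviations before building the authorization request, so
    the server never sees 'sh run'; it sees 'show running-config'.
    """
    tokens = line.split()
    if not tokens:
        raise ValueError("empty command line")
    command = expand_token(tokens[0], TOP_KEYWORDS)
    args = list(tokens[1:])
    if command == "show" and args:
        args[0] = expand_token(args[0], SHOW_KEYWORDS)
    return command, args


@dataclass
class CommandRule:
    """One 'command' entry of a command authorization set."""
    command: str
    arg_rules: list            # [(action, regex), ...] evaluated in order
    permit_unmatched_args: bool = False


@dataclass
class CommandSet:
    rules: list
    permit_unmatched_commands: bool = False

    def authorize(self, command: str, args) -> bool:
        """True if the (expanded) command is permitted by this set."""
        arg_line = " ".join(args)
        for rule in self.rules:
            if rule.command != command:
                continue
            for action, pattern in rule.arg_rules:
                if re.search(pattern, arg_line):   # assumed regex semantics
                    return action == "permit"
            return rule.permit_unmatched_args
        return self.permit_unmatched_commands


# Constructed set mirroring the thread: deny 'show running-config' and
# 'show clock', permit every other 'show' argument and every other command.
DENY_SHOW_RUN = CommandSet(
    rules=[CommandRule("show",
                       [("deny", r"^running-config\b"), ("deny", r"^clock\b")],
                       permit_unmatched_args=True)],
    permit_unmatched_commands=True,
)

# Same intent written with the abbreviated argument 'run'. Under the assumed
# regex matching it still hits 'running-config' (and any other argument that
# contains 'run'), which is why the abbreviation can appear to work.
DENY_SHOW_RUN_ABBREV = CommandSet(
    rules=[CommandRule("show", [("deny", r"run")], permit_unmatched_args=True)],
    permit_unmatched_commands=True,
)


def authorize_typed(line: str, cmd_set: CommandSet) -> bool:
    """What the device actually does: expand first, then ask the server."""
    command, args = expand_command(line)
    return cmd_set.authorize(command, args)


def authorize_unexpanded(line: str, cmd_set: CommandSet) -> bool:
    """Hypothetical matching on the raw typed text, to show why it would fail.

    'sh' never equals 'show', so the rule is skipped and the unmatched-command
    default applies: the deny is silently bypassed.
    """
    tokens = line.split()
    return cmd_set.authorize(tokens[0], tokens[1:])


if __name__ == "__main__":
    for typed in ("sh run", "show running-config", "show clock",
                  "show calendar", "show term"):
        verdict = ("permitted" if authorize_typed(typed, DENY_SHOW_RUN)
                   else "Command authorization failed.")
        print(f"{typed:22} -> {verdict}")
```

Running the block reproduces the pattern in the switch output above: "sh run", "show running-config" and "show clock" are refused while "show calendar" and "show terminal" pass. The `authorize_unexpanded` function is there only for contrast; it permits "sh run" because nothing in the set matches the literal token "sh", which is the failure mode you get from writing rules against what the operator typed rather than what the device sends.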
