Recently, a couple of our help desk people were asking for access to some of our branch network equipment so that they can look at interface counters, etc. for troubleshooting without escalating to the engineers. I agreed that it would be okay to give access to commands such as 'show ip interface brief', 'show interface', and 'clear counters'. I want to deny commands such as 'show running-config' and 'configure'.
I have set up shell command authorization in every possible way (user level, group level, creating shell command authorization sets, per NDG etc.) and I cannot get them to work. I have read through many docs on Cisco's website and I'm still unable to get this to work. I suspect there may be some AAA settings on the devices that may be overriding the ACS settings, but I'm not sure. I'm relatively new at configuring ACS and I've run out of ideas. Any suggestions?
Look at the authentication/authorization logs in the ACS and it will give you a better idea of what the issue is. You are definitely on the right track. Per Group Level is the best idea. Not sure if you are mapping back to an AD Group or using separate IDs on the ACS.
The other option is to give them access to a network management system that will show them the current status of the device, errors in the last 5 minutes through the last x days,months, years, events, snmp traps etc.
Solarwinds is a good product for this.
Let us know what the ACS logs show, what shell commands you have set, NDG, Shared Resources and group settings you have set.
The TACACS+ Accounting log shows me the date & time my test account authenticated, what group it belongs to, from what IP, the session starting & stopping, & the elapsed time. The TACACS+ Administration log show what commands were issued. What other logs do you suggest I look at?
They do have access to solarwinds for monitoring and this does provide a wealth of information.
I am going to start from scratch - new router with a blank config, new ACS group and test user.
Thanks! The problem is I am unable to restrict specific commands using the shell command authorization. The test account can authenticate, enter privileged mode and run all commands. No matter how I setup shell command authorization, I cannot get it to deny any commands.
Gotcha... Under the Group, what shell privilege level is checked or entered under the shell section? I believe you can also set the shell command sets in this section. Set the privilege level to 1. I don't have access to one at the moment, but I believe there is a drop-down menu and a place to check a box for privilege level and type 1.
In the passed authentication log, are the users getting mapped to the group you are setting the rights on?
Try setting the command authorization to none just to verify that the group can no longer do anything.
To prevent the application of any shell command-authorization set, select (or accept the default of) the None option.
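The original poster suspects that AAA settings on the routers are overriding ACS. The symptom described (the test account authenticates, reaches privileged mode and can run every command, no matter what the ACS command set says) is exactly what happens when the IOS side never sends per-command authorization requests to ACS. The fragment below is an added example of the IOS AAA configuration that makes the router consult ACS for each command; it is not configuration from the thread or from Cisco's documentation. The ACS address 192.0.2.10 (a documentation range) and the key placeholder are assumptions; the method list names are the IOS defaults.

```text
! Added example: IOS AAA configuration for TACACS+ command authorization.
! Assumed values: ACS server 192.0.2.10 and shared key <SHARED-KEY>.
aaa new-model
!
! Legacy tacacs-server syntax of the ACS 4.x era; newer IOS trains use
! "tacacs server NAME" with "address ipv4" and "key" sub-commands instead.
tacacs-server host 192.0.2.10 key <SHARED-KEY>
!
! Login and enable authentication against ACS, with local/enable fallback
! so the device stays manageable if ACS is unreachable.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! EXEC authorization: this is where the router receives the shell attributes
! (privilege level, etc.) that the ACS group settings define.
aaa authorization exec default group tacacs+ local
!
! Command authorization: without these lines the router never asks ACS about
! individual commands, so every command available at the user's privilege
! level runs regardless of the shell command authorization set in ACS.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! Also send configuration-mode commands (typed after "configure terminal")
! to ACS instead of permitting them implicitly.
aaa authorization config-commands
!
! Command accounting is what populates the TACACS+ Administration log.
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
```

Two checks worth doing on the router: the default method lists apply to vty lines automatically, but the console line is exempt from command authorization unless `aaa authorization console` is configured, so test over SSH/Telnet rather than the console; and `debug aaa authorization` will show whether the router actually issues an authorization request for each command (if no request appears, the ACS command set is never consulted). Two caveats on the ACS side: with `local` as the fallback in the command authorization lists, any command at the user's privilege level succeeds locally whenever ACS is unreachable, so treat the fallback as a deliberate availability trade-off; and `clear counters` is a privilege-15 command by default, so a group pinned to privilege level 1 will be unable to run it no matter what the command set permits, while a privilege-15 group needs the command set's unmatched commands to be denied and only `show` (with the intended arguments) and `clear counters` permitted.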