Cisco Support Community

New Member

Using ACS to deny show tech-support

I am trying to deny the show tech-support command using Cisco Secure ACS command authorization sets (picture included). All other deny commands are working (i.e. show running-config) but no matter what I do the show tech is unsuccessful. Any ideas?

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: Using ACS to deny show tech-support

Do you have these authorization commands configured?

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ local

aaa authorization commands 0 default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

tacacs-server host 10.1.1.1 key cisco123

Debug aaa author should display:

AAA/AUTHOR/CMD: tty2 (2846421758) user='switchuser'

AAA/AUTHOR/CMD (2846421758): send AV service=shell

AAA/AUTHOR/CMD (2846421758): send AV cmd=show

AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=tech-support

AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=

AAA/AUTHOR/CMD (2846421758): found list "default"

AAA/AUTHOR/CMD (2846421758): Method=tacacs+ (tacacs+)

AAA/AUTHOR/TAC+: (2846421758): user=switchuser

AAA/AUTHOR/TAC+: (2846421758): send AV service=shell

AAA/AUTHOR/TAC+: (2846421758): send AV cmd=show

AAA/AUTHOR/TAC+: (2846421758): send AV cmd-arg=tech-support

AAA/AUTHOR/TAC+: (2846421758): send AV cmd-arg=

TAC+: Using default tacacs server-group "tacacs+" list.

TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5

TAC+: Opened TCP/IP handle 0x2E8FEA4 to 10.1.1.1/49

TAC+: 10.1.1.1 (2846421758) AUTHOR/START queued

TAC+: (2846421758) AUTHOR/START processed

TAC+: (-1448545538): received author response status = FAIL

Make sure to modify the original ACS Shell Command Authorization...

deny tech-support instead of deny tech.

12 REPLIES

Re: Using ACS to deny show tech-support

Does it fail too if you complete the argument?

command=show

argument=tech-support

Re: Using ACS to deny show tech-support

Do you see any hits on acs failed attempts when show tech command fails?

Also check the debug aaa authorization output and see if the device is sending show tech to ACS for authorization. It could be due to a bug wherein some commands are not sent to the tacacs server for authorization check.

Regards,

~JG

Do rate helpful posts

New Member

Re: Using ACS to deny show tech-support

JG,

No hits on the failed attempts.

There is no output from the debug when issuing the show tech. However check out the attached xls which shows the actual commands that are being sent after issuing the show tech.

If I issue those commands separately (see attached notepad) they are in fact denied.

So this looks like a bug.

Regards


New Member

Re: Using ACS to deny show tech-support

BINGO!!! That was it. Thanks ansalaza.

I had the following commands:

aaa authorization exec default group TACACS_ADMIN local if-authenticated

aaa authorization commands 15 default group TACACS_ADMIN if-authenticated

but not

aaa authorization commands 0 default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

Can you elaborate a little more on what those commands do and also why I need the if-authenticated keyword? I am still not quite sure what exactly that does or if it is needed.

Thanks again.

Re: Using ACS to deny show tech-support

If you use 'if-authenticated' any authentication method (line, local, etc.) will allow for successful authorization. However, if the TACACS+ server goes down during a session, all author will fail until a new authen occurs (log out and log back in). This allows for an extra security measure so that a user with low privileges cannot suddenly run any command if the AAA server goes down. They must have access to the backup authen method.

Regards,

~JG

New Member

Re: Using ACS to deny show tech-support

So are you saying that the if-authenticated keyword essentially bypasses command authorization and as long as a user is able to authenticate they can use all commands?

Re: Using ACS to deny show tech-support

No, it provides extra security measure so that a user with low privileges cannot suddenly run any command if the AAA server goes down.

New Member

Re: Using ACS to deny show tech-support

jg -

I am testing and I think you have it wrong. What I find is that if the TACACS server becomes unavailable an authenticated user has access to any commands. See for yourself.

02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): Port='tty1' list='' service=CMD

02:16:01: AAA/AUTHOR/CMD: tty1 (3085690506) user='temp'

02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV service=shell

02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV cmd=show

02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV cmd-arg=running-config

02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV cmd-arg=

02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): found list "default"

02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): Method=TACACS_ADMIN (tacacs+)

02:16:01: AAA/AUTHOR/TAC+: (3085690506): user=temp

02:16:01: AAA/AUTHOR/TAC+: (3085690506): send AV service=shell

02:16:01: AAA/AUTHOR/TAC+: (3085690506): send AV cmd=show

02:16:01: AAA/AUTHOR/TAC+: (3085690506): send AV cmd-arg=running-config

02:16:01: AAA/AUTHOR/TAC+: (3085690506): send AV cmd-arg=

02:16:11: AAA/AUTHOR (3085690506): Post authorization status = ERROR

02:16:11: tty1 AAA/AUTHOR/CMD (3085690506): Method=IF_AUTHEN

02:16:11: AAA/AUTHOR (3085690506): Post authorization status = PASS_ADD

Re: Using ACS to deny show tech-support

Yes, you are correct. I messed up here. If we use "if-authenticated" the user would be allowed to access the requested function provided the user has been authenticated successfully.

Sorry for the confusion here and thanks for correcting me.

Regards,

~JG
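The fallback confirmed in the exchange above can be detected from `debug aaa authorization` output. The following is an added example, not code from any poster in this thread: it groups the debug lines by AAA session id and reports commands that were permitted only because the TACACS+ method returned ERROR and `if-authenticated` (shown as `Method=IF_AUTHEN`) then passed them. The sample lines are copied from the debug posted above; the function names `parse` and `fallback_passes` are hypothetical.

```python
import re

# Debug lines copied from the thread above (TACACS+ server unreachable).
SAMPLE = """\
02:16:01: AAA/AUTHOR/CMD: tty1 (3085690506) user='temp'
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV service=shell
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV cmd=show
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV cmd-arg=running-config
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV cmd-arg=
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): found list "default"
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): Method=TACACS_ADMIN (tacacs+)
02:16:11: AAA/AUTHOR (3085690506): Post authorization status = ERROR
02:16:11: tty1 AAA/AUTHOR/CMD (3085690506): Method=IF_AUTHEN
02:16:11: AAA/AUTHOR (3085690506): Post authorization status = PASS_ADD
"""

ID = re.compile(r"\((\d+)\)")  # AAA session id, e.g. (3085690506)
FIELDS = [  # AAA/AUTHOR/TAC+ lines repeat the same AVs, so they are not read
    ("user", re.compile(r"AAA/AUTHOR/CMD.*user='([^']*)'")),
    ("cmd", re.compile(r"AAA/AUTHOR/CMD.*send AV cmd=(\S*)")),
    ("args", re.compile(r"AAA/AUTHOR/CMD.*send AV cmd-arg=(\S+)")),
    ("methods", re.compile(r"AAA/AUTHOR/CMD.*Method=(\S+)")),
    ("statuses", re.compile(r"Post authorization status = (\S+)")),
]

def parse(text):
    """Group debug lines by session id into one record per request."""
    reqs = {}
    for line in text.splitlines():
        m = ID.search(line)
        if not m:
            continue
        r = reqs.setdefault(m.group(1), {"user": None, "cmd": None,
                                         "args": [], "methods": [], "statuses": []})
        for key, pat in FIELDS:
            hit = pat.search(line)
            if hit and isinstance(r[key], list):
                r[key].append(hit.group(1))
            elif hit:
                r[key] = hit.group(1)
    return reqs

def fallback_passes(reqs):
    """(user, command) pairs passed by IF_AUTHEN after a server ERROR."""
    out = []
    for r in reqs.values():
        if ("ERROR" in r["statuses"] and r["methods"][-1:] == ["IF_AUTHEN"]
                and r["statuses"][-1].startswith("PASS")):
            out.append((r["user"], " ".join([r["cmd"] or "?"] + r["args"])))
    return out
```

Run over collected debug or syslog output, any pair returned by `fallback_passes` is a command that the ACS command authorization set never evaluated.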

Bronze

Re: Using ACS to deny show tech-support

There are three default command levels in IOS: 0, 1, and 15.

I believe that "show tech-support" is not a level 15 command.

Check this Document ID: 13860 for a better explanation.

Hope this helps...

Re: Using ACS to deny show tech-support

So it seems that the device is not sending show tech command to ACS for authorization check.

Show tech is not listed in the tacacs admin logs nor in debug aaa authorization.

Most likely a bug in IOS.

Regards,

~JG

Do rate helpful posts
