ACS 4.0 command authorization set

g3battiston · ‎09-10-2006

Hi

i want to deny the command "clear ip route *" only but not the other command like "clear ip route 1.1.1.1" how do we do it ?

It seem that ACS don't take the asterisk !!

thanks

andrew.burns · ‎09-11-2006

Hi,

I suspect you may have tried to enter "clear ip route *" all at once and then hit "add command", which won't work.

Make sure you only have a single word in the box when you enter "add command". After that, enter "permit ip route *" in the right-hand box when clear is highlighted.

HTH

Andrew.

g3battiston · ‎09-11-2006

hi andrew

i have following:

Unmatched Commands: permit

add command: clear

permit unmatched arg:crossed

argument: deny ip route *

it seem that acs don't take the asterisk

andrew.burns · ‎09-11-2006

Hi,

Just tried it - works ok my on my test acs box. Your description looks good - so might be worth creating a new command authorisation set.

Do you get an error message?

Andrew.

g3battiston · ‎09-11-2006

hi,

same result, can you do a clear ip route x.x.x.x ?

my goal is just to deny the clear all route but you should be able to deny a specific route.

With this setting it deny all commande after the route word.

andrew.burns · ‎09-11-2006

Hi,

What error message are you actually getting? Is it a pop-up one, or does a specific error appear in the GUI?

Andrew.

g3battiston · ‎09-11-2006

hi

i dont have any error message on ACS.

it symply deny both command

clear ip route *

clear ip route x.x.x.x

gregor

andrew.burns · ‎09-11-2006

Hi,

Do you see anything in the ACS logs, especially the "failed attempts" log file?

Andrew.

g3battiston · ‎09-12-2006

Hi,

yes in this file it say

Command denied service=shell cmd=clear ip route 138.187.250.36

our your system when you specifie this command can you do the specific clear ip route 1.1.1.1 ?

regards

gregor