Allow some show commands in AAA Authorization Set

Erik — Mon, 11 Mar 2019 03:34:25 GMT

I'm working on creating AAA authorization sets for our environment and ran into a question!

I'd like to be able to enable ALL show commands except 'show run'. I would also like to enable 'show run interface'. I've figured out how to enable all show commands and disable show run. The problem I'm finding is that since 'show run interface' is a subset of 'show run' it seems to disable. Even if I try to explicitly enable it.

Is there a way to disable 'show run' but enable all other show commands and 'show run interface' with a AAA authorization set?

ACS Version 4.1.

Command set is configured:

Allow some show commands in AAA Authorization Set

Jatin Katyal — Fri, 21 Jun 2013 17:53:20 GMT

try to use deny running-config

In case it doesn't work, please get the "debug aaa authorization" and "debug tacacs"

what is your IOS side config?

Jatin Katyal
- Do rate helpful posts -

Allow some show commands in AAA Authorization Set

Erik — Fri, 21 Jun 2013 18:12:52 GMT

Changing it to 'deny running-config' does the exact same thing. It looks like it's seeing the 'show running-config' then stoping on that before anything else. I've tried adding 'permit run interface' in ACS and same thing. Other AAA Authorization set commands work just fine.

On the switch (its a 2960G-8TC-K) running 12.2(58)SE2.

aaa group server tacacs+ SHS

server 10.10.11.200

aaa authentication login verifyme group TACACS+ local

aaa authorization config-commands

aaa authorization exec verifyme group TACACS+ local

aaa authorization commands 0 default group TACACS+

aaa authorization commands 1 default group TACACS+

aaa authorization commands 15 default group TACACS+

aaa accounting send stop-record authentication failure

aaa accounting exec verifyme start-stop group TACACS+

aaa accounting commands 15 default start-stop group TACACS+

aaa accounting network verifyme start-stop group TACACS+

aaa accounting system default start-stop group TACACS+

aaa session-id common

Debugs!

Jun 21 11:07:39: AAA: parse name=tty0 idb type=-1 tty=-1

Jun 21 11:07:39: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0

Jun 21 11:07:39: AAA/MEMORY: create_user (0x3A790DC) user='test' ruser='SGAVEJ01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)

Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): Port='tty0' list='' service=CMD

Jun 21 11:07:39: AAA/AUTHOR/CMD: tty0 (4105592267) user='test'

Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV service=shell

Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd=show

Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=running-config

Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=interface

Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=GigabitEthernet

Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=0/1

Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=

Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD(4105592267): found list "default"

Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): Method=TACACS+ (tacacs+)

Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): user=test

Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV service=shell

Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd=show

Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=running-config

Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=interface

Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=GigabitEthernet

Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=0/1

Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=

Jun 21 11:07:39: TAC+: Using default tacacs server-group "TACACS+" list.

Jun 21 11:07:39: TAC+: Opening TCP/IP to 10.10.11.200/49 timeout=5

Jun 21 11:07:39: TAC+: Opened TCP/IP handle 0x3A41210 to 10.10.11.200/49 using source 10.40.0.14

Jun 21 11:07:39: TAC+: 10.10.11.200 (4105592267) AUTHOR/START queued

Jun 21 11:07:39: TAC+: (4105592267) AUTHOR/START processed

Jun 21 11:07:39: TAC+: (-189375029): received author response status = FAIL

Jun 21 11:07:39: TAC+: Closing TCP/IP 0x3A41210 connection to 10.10.11.200/49

Jun 21 11:07:39: AAA/AUTHOR (4105592267): Post authorization status = FAIL

Jun 21 11:07:39: AAA/MEMORY: free_user (0x3A790DC) user='test' ruser='SGAVEJ01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 vrf= (id=0)

Allow some show commands in AAA Authorization Set

harvisin — Mon, 01 Jul 2013 03:30:34 GMT

Hello,

try out the following it will work definnately:-

permit run interface

deny all run

please apply in the particular order only....

Allow some show commands in AAA Authorization Set

Erik — Thu, 04 Jul 2013 15:43:38 GMT

I tried setting it up this way, same issue. If I set it up that way and test it, the interfaces still will not show (nor will anything else).

SGAVEJ01#show run

Command authorization failed.

SGAVEJ01#sh run interface gi0/1

Command authorization failed.

topic Allow some show commands in AAA Authorization Set in Network Access Control

Allow some show commands in AAA Authorization Set

Allow some show commands in AAA Authorization Set

Allow some show commands in AAA Authorization Set

Allow some show commands in AAA Authorization Set

Allow some show commands in AAA Authorization Set