topic Re: ACS 4.2 Command Authorization in Network Access Control

ACS 4.2 Command Authorization

Jon Eyes — Mon, 11 Mar 2019 02:18:23 GMT

Hi Everyone,

This is my first post. And im not quite sure if this is the right place so here it is

I have several cisco devices and i want my colleauges to have a limited access to it wherein they're only allowed specific commands. So I put up an ACS 4.2 in place with user authenticated against active directory accounts.

Im done with the authentication part, and its perfectly working (i guess). I create three user group where i can attached a comman authorization sets

Shell command autorization sets

GROUP-80

Allow commands (the rest are deny)

show *

enable *

configure *

end *

exit *

GROUP-90

Deny commands

clear configuration *

username *

no username *

tacacs-server *

no tacacs-server *

aaa *

no aaa *

line *

no line *

GROUP-100

Allow all

IOS Configuration

aaa new-model

aaa authentication login default local

aaa authentication login THEN1 group tacacs+ local

aaa authorization exec THOR1 group tacacs+ local

aaa session-id common

aaa authentication login THEN1 group tacacs+ local

aaa authorization exec THOR1 group tacacs+ local

tacacs-server host 172.16.8.115 single-connection

tacacs-server host 172.16.8.112 single-connection

tacacs-server key 7 0300520C0F1B204F4F0A0A54

line vty 0 4

access-class 50 in

privilege level 15

authorization exec THOR1

transport input ssh

Re: ACS 4.2 Command Authorization

Amjad Abdullah — Mon, 16 Jul 2012 11:24:11 GMT

What is you question?

Sent from Cisco Technical Support iPad App

Re: ACS 4.2 Command Authorization

Jon Eyes — Mon, 16 Jul 2012 11:55:11 GMT

ow im sorry.. i forgot

how would i accomplish these via acs?

three groups. group 100, 90 and 80

group 100 - allow all commands

group 90 - allow all except these below commands ( * - any arguments) including all group-80 commands

clear configuration *

username *

no username *

tacacs-server *

no tacacs-server *

aaa *

no aaa *

line *

no line *

group 80 - allow only below commands

show *

enable *

configure *

end

exit

In my initial post is the IOS configuration of my routers/switches. Attached the group-90 shell command authorization set from ACS

Eventhough the user is at group-90, all of the commands are still being accepted by the device

Here's the debug from the console while I successfully login using a group-90 user account and typed "no tacacs-server...". Im expecting my commands will not be permitted but i was still able to execute it

Jul 16 11:49:59.502: %SSH-5-SSH2_USERAUTH: User 'sdesk' authentication for SSH2 Session from 172.16.11.225 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-md5' Succeeded

Jul 16 11:49:59.510: TPLUS: Queuing AAA Authorization request 16475 for processing

Jul 16 11:49:59.510: TPLUS: processing authorization request id 16475

Jul 16 11:49:59.510: TPLUS: Protocol set to None .....Skipping

Jul 16 11:49:59.510: TPLUS: Sending AV service=shell

Jul 16 11:49:59.510: TPLUS: Sending AV cmd*

Jul 16 11:49:59.510: TPLUS: Authorization request created for 16475(sdesk)

Jul 16 11:49:59.510: TPLUS: using previously set server 172.16.8.115 from group tacacs+

Jul 16 11:49:59.510: TPLUS(0000405B)/0/IDLE/662A3E14: got immediate connect on new 0

Jul 16 11:49:59.510: TPLUS(0000405B)/0/WRITE/662A3E14: Started 5 sec timeout

Jul 16 11:49:59.514: TPLUS(0000405B)/0/WRITE: wrote entire 63 bytes request

Jul 16 11:49:59.994: TPLUS(0000405B)/0/READ: read entire 12 header bytes (expect 6 bytes)

Jul 16 11:49:59.994: TPLUS(0000405B)/0/READ: read entire 18 bytes response

Jul 16 11:49:59.994: TPLUS(0000405B)/0/662A3E14: Processing the reply packet

Jul 16 11:49:59.994: TPLUS: received authorization response for 16475: PASS

It'll be greatly appreciated if you could help me figure this out

Thanks in advance...

Re: ACS 4.2 Command Authorization

Amjad Abdullah — Mon, 16 Jul 2012 13:01:19 GMT

Use this command on your router/switch

aaa authorization config-commands

http://www.cisco.com/en/US/docs/ios/12_0/security/command/reference/srauth.html#wp1017530

Sent from Cisco Technical Support iPad App

Re: ACS 4.2 Command Authorization

Jon Eyes — Thu, 30 Aug 2012 04:17:23 GMT

Thanks Abdullah for the link

But it took me quite a while before i could correctly figure the sets of commands

Really appreciate your help

And for those of you who have the same case, here's a quick template you that you can follow