topic Cisco ACS 5.2 command set in Network Access Control

Cisco ACS 5.2 command set

santosh.kotkar — Mon, 11 Mar 2019 01:21:25 GMT

In Cisco ACS 5.2 I have two groups.

Group1--Full access group

Group2--Read only group

I would like to block following commands for group 2 which is ready only users. These user group has access only till EXEC mode and they are

able to run all show commands.

show tech-supports

telnet

ssh

rlong

Can anyone help on this please ?

Regards

Santosh Kotkar

Cisco ACS 5.2 command set

Javier Henderson — Wed, 31 Aug 2011 13:58:26 GMT

Create a shell command set authorizing only what you want the users to execute.

In the authorization policy screen click Customize, move "command sets" to the right column, click OK.

Now create an authorization policy that triggers on group membership and assign the shell command set to it.

Cisco ACS 5.2 command set

santosh.kotkar — Thu, 01 Sep 2011 00:42:49 GMT

Hi Javier

I have Level-2 support group and would like to revoke show tech-support, telnet and ssh command access only but its not working, still these user can run these commands.

I have allowed clear counters which is working fine.

I have attached screenshot, is there any idea or I am making any mistake in command set ?

Regards

Santosh

Cisco ACS 5.2 command set

Nicolas Darchis — Thu, 01 Sep 2011 05:46:44 GMT

Please also take a screenshot of the authorization rule that your level 2 support team is matching so we know what you are assigning them

Cisco ACS 5.2 command set

santosh.kotkar — Thu, 01 Sep 2011 06:29:10 GMT

Hi Nicolas

Here are some screenshot of Authorization rule

Thanks

Santosh

Cisco ACS 5.2 command set

Nicolas Darchis — Thu, 01 Sep 2011 06:36:07 GMT

Strange. It looks good.

Maybe you can look on "monitoring and reports"-> aaa catalog-> tacacs authorization, for commands that got authorized to level2 users but that shouldn't have been authorized. If you click on the magnifying glass for details, you should see why ACS authorized.

Cisco ACS 5.2 command set

santosh.kotkar — Thu, 01 Sep 2011 07:09:39 GMT

Authorization is just showing allowed command set

Still not sure what's going on

Following are the logs, just showing allowed but not showing actaul command

Cisco ACS 5.2 command set

Nicolas Darchis — Thu, 01 Sep 2011 07:12:54 GMT

Your first screenshot shows that show run and conf t were denied ...

I don't get what is the problem then ??

Cisco ACS 5.2 command set

santosh.kotkar — Thu, 01 Sep 2011 23:31:38 GMT

"Show run and config t" is already deny for level 2 users, which is correct.

The problem is "show tech-support, telnet and ssh" commands are allowed which we would like to revoke for level 2 users.

In my first screenshot these are the command sets I have created to stop access. Some reason they are still working.

I hope you got my issues. Thanks

Regards

Santosh

Cisco ACS 5.2 command set

santosh.kotkar — Thu, 01 Sep 2011 23:47:08 GMT

Sorry previous screenshot was confusing, this updated/current screenshot

Cisco ACS 5.2 command set

Nicolas Darchis — Fri, 02 Sep 2011 05:26:22 GMT

fair enough. But your passed/failed authentication screenshot does not show a telnet or ssh command that should have been denied but was accepted. That's what we're interested in.

Cisco ACS 5.2 command set

santosh.kotkar — Fri, 02 Sep 2011 06:04:27 GMT

Yes, Authorization logs are not showing all details. just now I have run those commands (telnet, ssh and

show tech-support unprivileged) but its showing status "passed" nothing more details

Cisco ACS 5.2 command set

santosh.kotkar — Tue, 06 Sep 2011 01:48:46 GMT

Any suggestion guys ?

Thanks

Santosh

Cisco ACS 5.2 command set

Nicolas Darchis — Tue, 06 Sep 2011 06:17:27 GMT

No no, you missed something. If the user types "telnet", you should have a passed entry for command "telnet" on ACS and it seems you don't !

That means that the switch never asks ACS to authorize that command or not ...

switch config issue ?