topic Re: ACS 5.2 commands Authorization in Network Access Control

ACS 5.2 commands Authorization

Dmitry Samko — Mon, 11 Mar 2019 01:04:30 GMT

Greetings!

Have a conceptual question bout CLI command authorization. We have ASC 5.2 up and running, providing AAA services for network devices. Now I need to make profiles for users in certain group to restrict dem CLI "rights" to show, clear counters and show running-config commands. Could you please provide me link to some workflow I need to accomplish dis task. For example:

I should clrete separate privillege levele profile (let it be 2), specify commands at this level, assign Group this Authorization Prifile and make some additional changes in my devices (I meen "aaa authorization...." commands). Appreciate any link to documentation or live examples. Give Thanks!

Jah Rastafari bless & protect you I

Re: ACS 5.2 commands Authorization

Nicolas Darchis — Wed, 11 May 2011 04:52:02 GMT

You can simply do the following :

-On acs, define a shell profile and a command set for each of the different scenarios you have, allowing different commands.

-On acs still, in the authorization menu of your access policy (by default, it will go to "default device admin" normally), hit "customize" and chose that you want to assign both a command set and shell profile in the result.

-Create an authorization rule (if user group =x or y, then I assign this command set and shell profile)

You're good to go !

For any details on the above, I simply suggest the ACS user guide

Re: ACS 5.2 commands Authorization

Dmitry Samko — Wed, 11 May 2011 07:47:27 GMT

Nicolas, what AAA config commands should I use in advanced in network devices?

Thank you man.

Re: ACS 5.2 commands Authorization

Nicolas Darchis — Wed, 11 May 2011 09:23:32 GMT

Well it depends on what device it is and what ios version it's running and if you do tacacs or radius ....

usually aaa authorization commands 1 ... aaa authorization commands 15 and aaa authorization enable ...

Re: ACS 5.2 commands Authorization

Dmitry Samko — Thu, 12 May 2011 08:54:55 GMT

Allright, look now. There are 6 screenShots. Let's see my steps below.

Shot1 - I create "Shell Profile", named Enable 2.

Shot2 - create "Commands Sets" named Allow Show RunnConfig. For simplicity there is only "Allow show *"

Shot3 - create "Default Device Admin -> Authorization" policy named Network-3. I assign Shell profile there. Seems, this step is unnecessary, but just fi sure.

Shot4 - create "Device Administration -> Authorization" policy named IT Noc. I assign Shell and Command profiles there

When the user from target AD grop try to vty login to the network device authentication successed. But Authorization is failed, none of typed command is authorized. Here is the log from "Monitoring and Report" TACACS+ Authorization. Target username is "rk########"

Shot5 - General log

Shot6 - Detailed log record. As you can see, "Matched Command Set" is empty (!!!) fi dis user, but "Selected Command Set" is Allow Show RunnConfig (OK); "Autherization Policy Matched Rule" is IT Noc (OK).

What's the problem.

In addition, here is aaa commands from Cisco L3 Switch.

aaa authorization config-commands
aaa authorization exec default group ACS local
aaa authorization commands 0 default group ACS local
aaa authorization commands 1 default group ACS local
aaa authorization commands 2 default group ACS
aaa authorization commands 15 default group ACS local

Please, have a look!

Re: ACS 5.2 commands Authorization

Nicolas Darchis — Thu, 12 May 2011 09:06:45 GMT

your 5th screenshot shows that "Show running-config" was authorized by ACS. That's expected.

The 6th screenshot shows the command "exit" that was not authorized. Which is normal since your command set only allows "show *".

So I don't see what the problem is 🙂

Re: ACS 5.2 commands Authorization

Dmitry Samko — Thu, 12 May 2011 11:30:03 GMT

Problem is that ACS doesn't authorize (I meen allow) any command. No show run, nor show interfaces neither show priv etc. Do you get me?

Re: ACS 5.2 commands Authorization

Nicolas Darchis — Thu, 12 May 2011 11:45:57 GMT

I see a "show running-config" in green, so it looked authorized.

If so, please provide a screenshot of a "show' command that was supposed to be authorized and wasn't.

Re: ACS 5.2 commands Authorization

Dmitry Samko — Thu, 12 May 2011 11:58:29 GMT

No man, this is for another user in another group, foget about it. As I mention befor, interesting user is rk#####. So, please concentrate around the Shot6 - it's detailded problem description. The screeen is about exit command, but be sure that there is the same error about show priv command.

Do you understand my goal? I just wanna creatre profiles for NOC team with only show * commands (show config also). Of cource there should be allowed such commands as exit. Do you heve hands-on experience with dis kind of situation?

Re: ACS 5.2 commands Authorization

Nicolas Darchis — Thu, 12 May 2011 12:02:55 GMT

I perfeclty understand what you are trying to achieve. But you don't seem to understand my point.

You say that ACS denies "show" commands when it should authorize them. Fine, I believe. But show us a screenshot.

The 6th screenshot you sent is for the command "Exit" where ACS was correct in denying it !

So how can people help if you show them screenshots of something that is expected, while the unexpected behavior is not seen on screenshots.

I'd like to see the reason why ACS rejects your show commands, but if you don't show that, I'm not sure how can people help you ...

My experience with "this kind of solution" is 4 years supporting ACS in TAC, so I think I have it covered.

Re: ACS 5.2 commands Authorization

Dmitry Samko — Thu, 12 May 2011 14:33:39 GMT

Well, excuse if I seems you rude. 4 years in cisco TAC you should be cool, no doubt.

There are my troubleShots.

Thank you for help!

Re: ACS 5.2 commands Authorization

Nicolas Darchis — Sat, 14 May 2011 17:09:38 GMT

Just tested it in my lab.

The trick is that to allow all show commands, your command set should permit "Show" and no argument mentionned.

What you permitted is "show *" which doesn't exist. the * is not a wildcard in the command set. "any argument" is achieved by leaving the argument field blank.

Regards,

Nicolas

Re: ACS 5.2 commands Authorization

Dmitry Samko — Mon, 16 May 2011 08:31:52 GMT

Very nice, Thank you man.

The next question is what should I write in "Command Sets" section to authorize such commands as:

show running-config

clear counters

clear access-list counters

I have tried both cases: clear as a command and counters as an argument and clear counters as a single command. None of it works. And what about show running-config, I can't make it work.

Thank you in advanced.

Re: ACS 5.2 commands Authorization

Nicolas Darchis — Mon, 16 May 2011 12:35:13 GMT

???

If you permit "show" with no arguments, that means that "Show running-config" is already allowed implicitly. So not sure why you're adding that one too ??

I did a test command set where I just allowed command "show" with arguments "running-config" and I could do a show run on the switch but a show start was forbidden for example.

So all working as explained above

Re: ACS 5.2 commands Authorization

Dmitry Samko — Mon, 16 May 2011 12:54:07 GMT

To be clear, I use command sets just like in shot10, but it doesn't works for show running. Moreover, when I type

# show running-config

on switch CLI it says - Invalid command and there are no attempts to authorize it on ACS - I don't see this commands in AAA Tacacs Authorization logs. But I can see successfull authorized commands such as show priv or telnet in logs. What it could be?

I remind you that I use Prive Level = 2.

Re: ACS 5.2 commands Authorization

Nicolas Darchis — Mon, 16 May 2011 13:05:31 GMT

then show run is not available at privilege level 2 ?

This goes too detailed on the switch for me to give assured advices. But if the request is not coming to ACS, don't bother wondering about yoru command set, check the switch itself

Re: ACS 5.2 commands Authorization

Dmitry Samko — Mon, 16 May 2011 13:10:45 GMT

Allright, so could you please tell me what minimal Priv Level allow show running-config?

Re: ACS 5.2 commands Authorization

Nicolas Darchis — Mon, 16 May 2011 13:15:42 GMT

My sentence "This goes too detailed on the switch for me to give assured advices" was a kind way of saying "I don't know, don't ask me"

Re: ACS 5.2 commands Authorization

Alejandro Ruiz — Tue, 17 May 2011 02:40:29 GMT

Sorry everyone for interrupting this thread in this way.

I created the thread "Cisco ACS 5.2 and Role-base CLI views", but no one has replied in regards to the problem that am having.

As the thread on this topic seems similar to the topic on my thread,I believe that someone may have the knowledge to give me some directions.

Thanks in advance, and I apologize again for this interruption.

Alejandro.

Re: ACS 5.2 commands Authorization

Nicolas Darchis — Tue, 17 May 2011 05:43:35 GMT

Alejandro, I don't think there is any role or privilege or command authorization for ACS cli user.