topic Re: acs 5.2 command sets permit all commands except... in Network Access Control

acs 5.2 command sets permit all commands except...

eugene.tsuno — Mon, 11 Mar 2019 00:53:08 GMT

I have everything working on a new 5.2 ACS but:

I can only make a command set that permits things and denies all.

I thought with the check box " Permit any command that is not in the table below" one

could allow all and specifically deny commands.

I could add for instance:

Check " Permit any command that is not in the table below"

deny conf

deny set

and that would allow the user to do all commands except for conf and set. But it

doesn't seem to adminstratively block it, it allows them to still "conf" for instance.

Yet if I :

Uncheck " Permit any command that is not in the table below"

and say

permit show

permit exit

...

Then it works as expected, it allows the commands that are permitted and denying all unspecified commands.

I know I am in the right command set because the changes I make are reflected immediately.

Can someone test the "Permit any command that is not in the table below' and tell me if it works? I can

make it work with the unchecked box, sure, but it would be nice to get it to work.

Re: acs 5.2 command sets permit all commands except...

Yudong Wu — Mon, 07 Mar 2011 05:33:29 GMT

If it is command in config mode, you might need to enable "authorization config-commands" on your Cisco router/switch.

If I remember correctly, this command is disabled by default, so the command in config mode won't be sent to ACS for authorization.

Re: acs 5.2 command sets permit all commands except...

eugene.tsuno — Mon, 07 Mar 2011 18:46:58 GMT

The example says I should be able to put that at the end. However when I paste it

in, it always goes to the top:

aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+
aaa authorization commands 15 groups group tacacs+ none

I don't know if that is the problem, but right now it exhibits the same

behaviour, that the table should be allowing things which should be

blocked.

Is the a trick to get it to go after "aaa authorization commands" or does it matter?

Re: acs 5.2 command sets permit all commands except...

eugene.tsuno — Tue, 08 Mar 2011 16:52:39 GMT

Okay figured it out.

I was using the short name like "conf" for configure. Except the parser obviously wants

the whole name "configure", because that is what is returned back in tacacs.

That makes sense, although a note in the docs say how the commands are matched or

if regular expressions can be used would be nice.