topic Authorization in ACS 5.2 in Network Access Control

Authorization in ACS 5.2

marcelnjkoks — Mon, 11 Mar 2019 01:13:05 GMT

In ACS 5.2, when i add custom a shell profile to a rule in an authorization policy (used in a TACAS access service) it seems to be skipped.

I can see the rule is hit because the hitcount number increases (it hits because of the group id), and when i set the shell profile to deny access (as test), access is actually rejected. So i know the rule is hit, but anything i put in my custom shell profile at the common tasks tab (like an auto command or default/maximum privilege level) is not used.

The same goes for commands sets. When i add the set 'deny all commands' the user is still able to exceute all commands, although the rule is hit based on the group ID the user belongs to.

I must be doing something wrong, but i can't find my mistake.

Authorization in ACS 5.2

Nicolas Darchis — Tue, 12 Jul 2011 19:49:19 GMT

Well indeed, you must be doing something wrong 🙂

Can you post a few screenshots of your authorization rules, shell profiles and so on so that we can comment ?

Authorization in ACS 5.2

edwardwaithaka — Tue, 12 Jul 2011 22:59:40 GMT

Hi Nic,

I am also facing the same challenge. When I check the "AAA Protocol -> Tacacs Authorization" in Monitoring & Reports, I dont see any logs/reports but the hit counter keeps on incrementing.

Re: Authorization in ACS 5.2

marcelnjkoks — Wed, 13 Jul 2011 06:20:44 GMT

@ Edward; Same here, no authorization logging.

@ Nicolas; thanks for picking this up.

First of all, these are my AAA lines in the test 2901, running IOS 15.0.

aaa authentication login ACS-TAC group tacacs+ local

aaa authorization exec ACS-TAC group tacacs+ local

aaa authorization commands 0 ACS-TAC group tacacs+ local

aaa authorization commands 1 ACS-TAC group tacacs+ local

aaa authorization commands 15 ACS-TAC group tacacs+ local

I created a new Access service, of which the Identity part is working fine.

These rules are in the authorization policy:

This is rule1:

This is the Shell profile, just for test:

The command set is easy, denyallcommands. I want to add a specific command set for our service desk, but not before i can get it to work.

When i change the Shell profile of rule1 to DenyAccess i am not able to logon with the service desk account, so it looks like the authorization rule is actually used.

Re: Authorization in ACS 5.2

Nicolas Darchis — Wed, 13 Jul 2011 07:16:34 GMT

2 things cross my mind.

1) Have you tried assigning "permit access" AND AEAdmin as shell profiles ?

2) I have seen already the ACS config manager process hang. So all was working except that new config changes were not applied. Try to reboot your ACS to see if it changes something.

Re: Authorization in ACS 5.2

marcelnjkoks — Wed, 13 Jul 2011 08:00:17 GMT

Hi Nicolas:

Nicolas Darchis wrote:

2 things cross my mind.

1) Have you tried assigning "permit access" AND AEAdmin as shell profiles ?

2) I have seen already the ACS config manager process hang. So all was working except that new config changes were not applied. Try to reboot your ACS to see if it changes something.

1: Can't do that. Can select only 1 shell profile at a time.

2: Just did because i had to adjust clock timezone settings.

Re: Authorization in ACS 5.2

Nicolas Darchis — Wed, 13 Jul 2011 08:22:37 GMT

1) My bad. I confused with "authorization profile" which you can stack.

Then I don't know, it's very strange.

I would advise a TAC case if you can to look at this closer

Re: Authorization in ACS 5.2

marcelnjkoks — Wed, 13 Jul 2011 08:24:20 GMT

Ok, so it should work the way i have it setup now?

Re: Authorization in ACS 5.2

edwardwaithaka — Wed, 13 Jul 2011 11:04:19 GMT

Hi Marc,

What version are you running? 5.2.0.26.x?

I wanted to try and upgrade to the latest patch to see if it is a bug issue but I dont have access to the patches. Do you have the latest patch i.e. x = 5?

Maybe you can try that then tell me if it works. Also, if you contact TAC, kindly give me the input so that I ca see if I can resolve my issue also.

Authorization in ACS 5.2

marcelnjkoks — Wed, 13 Jul 2011 11:16:05 GMT

Yep, 5.2.0.26.

So probably not the latest patch. Should have access to it...

Authorization in ACS 5.2

marcelnjkoks — Wed, 13 Jul 2011 11:48:02 GMT

Hmm, patch won't install:

NLAMS03-ACS01/admin# acs patch install 5-2-0-26-5.tar.gpg repository Updates

chmod: cannot access `*.sh': No such file or directory

Invalid patch '5-2-0-26-5.tar.gpg' - missing install.sh

% Error: Failure to open / validate the patch

It downloads the patch from my TFTP server, but it fails during install.

Authorization in ACS 5.2

edwardwaithaka — Wed, 13 Jul 2011 14:54:06 GMT

Hi Marc,

Rename the file to

5-2-0-26-5.tar.tar and try to unzip it.

In short, play around with the file name.

Authorization in ACS 5.2

marcelnjkoks — Thu, 14 Jul 2011 07:30:48 GMT

Tried that, but it seems it expects the default filename:

NLAMS03-ACS01/admin# acs patch install 5-2-0-26-5.tar.tar repository Updates

Cannot find patch file '5-2-0-26-5.tar.gpg'

% Error: Failure to open / validate the patch

The ACS did download the patch from my TFTP server, but after that this message appeared.

Authorization in ACS 5.2

marcelnjkoks — Thu, 14 Jul 2011 08:20:45 GMT

Found the issue;

TFTP is not supported for upgrading ACS. It's in the documentation as well:

tftp:

Source or destination URL for a TFTP network server. Use url tftp://server/path1.

Note You cannot use a TFTP repository for performing ACS upgrade.

Used FTP and it works...

Authorization in ACS 5.2

marcelnjkoks — Mon, 18 Jul 2011 10:28:01 GMT

Working with supplier support now to get the authorization issue resolved.

Authorization in ACS 5.2

edwardwaithaka — Mon, 18 Jul 2011 11:11:16 GMT

Hi Marc,

I resolved my issue. Apparently it was an issue with my AAA configs on the router/switch side.

It is now working perfect.

Please send me the version 5 patch in the meantime.

My configs are as below;

aaa new-model
!
!
aaa group server tacacs+ AAA_CLUSTER
server x.x.1.6
server x.x.1.7
!
aaa authentication login AUTH_E group AAA_CLUSTER local
aaa authorization console
aaa authorization exec default group AAA_CLUSTER none
aaa authorization commands 0 default group AAA_CLUSTER local
aaa authorization commands 15 default group AAA_CLUSTER local

ip tacacs source-interface Loopback100
tacacs-server host x.x.1.6 key MyKey
tacacs-server host x.x.1.7 key MyKey

line con 0
exec-timeout 0 0
logging synchronous
login authentication AUTH_E
line aux 0
line vty 0 4
login authentication AUTH_E
line vty 5 15
login authentication AUTH_E
!

Authorization in ACS 5.2

marcelnjkoks — Mon, 08 Aug 2011 13:49:47 GMT

Got it to work today.

Apparently i had to put my authorization command on the VTY as well.

Looks a little strange, but it works.