topic Re: Shell Command Authorization Sets ACS in Network Access Control

Shell Command Authorization Sets ACS

Gerson Acevedo — Mon, 11 Mar 2019 01:02:26 GMT

hi i followed this guide step by step http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

but still all my user can use all the commands

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login milista group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
!
aaa session-id common
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username admin privilege 15 secret 5 $1$CS17$3oeNpzTvJAyZTvOUP2qyB1
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.20.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
ip address 20.20.20.2 255.255.255.252
clock rate 2000000
!
interface Serial0/2
no ip address
shutdown
clock rate 2000000
!
interface Serial0/3
no ip address
shutdown
clock rate 2000000
!
router eigrp 1
network 20.0.0.0
network 192.168.20.0
no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
tacacs-server host 192.168.20.2 key cisco
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication milista
line aux 0
line vty 0 4
!
!
end

i copy the authorization commands from the cisco forum and follow the steps but no thing all my users have full access to all commands

heres my share profile

name-------------admin jr

Description---------for jr admin

unmatched commands------- ()permit (x)deny
permint unmatched args()

enable
show -------------------------- permit version<cr>
permit runnig-config<cr>

then i add this profifle to group 2 and then i add my user to the group 2

then i log in to the router enter with the user and i still can use ALL the commands i dont know what i am doign bad any idea?

can you give me if you can a guide to setup authorization with ACS i cant find any good guide jeremy from CBT gives a example but just for authentication i am lost i am battling with this prblem since wednesday without luck

Re: Shell Command Authorization Sets ACS

Nicolas Darchis — Fri, 29 Apr 2011 12:16:48 GMT

ACS 4 or 5 ?

On ACS, do you see authorization logs where the switch tries to ask for authorization for each command typed ?

Re: Shell Command Authorization Sets ACS

Gerson Acevedo — Fri, 29 Apr 2011 12:52:55 GMT

is 4.2 for server 2003

and is a router my device and abouit the logs i am not using accounting in my router yet that was the next step in my configuration but i am stuck here with authorization

Re: Shell Command Authorization Sets ACS

Nicolas Darchis — Fri, 29 Apr 2011 13:19:36 GMT

I didn't say accounting. What do you see in "Tacacs authorization" logs on acs ?

Re: Shell Command Authorization Sets ACS

Gerson Acevedo — Fri, 29 Apr 2011 13:31:10 GMT

excuse i cant find that option in the acs where is it?

Re: Shell Command Authorization Sets ACS

Nicolas Darchis — Fri, 29 Apr 2011 13:36:54 GMT

reports and activity -> Tacacs+ administration

Re: Shell Command Authorization Sets ACS

Gerson Acevedo — Fri, 29 Apr 2011 13:54:57 GMT

its in blank nothin appears neither in the passed authentification log weird but ican log in using the tacacs+ all my users there works

Re: Shell Command Authorization Sets ACS

Vamsi Pinnaka — Sat, 30 Apr 2011 16:59:26 GMT

"you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.

Correct me if I am wrong."

Regards

Vamsi

Re: Shell Command Authorization Sets ACS

Gerson Acevedo — Mon, 02 May 2011 04:18:39 GMT

solve it it didnt work the first time because i try it with the console after i try this config via telnet (log in) my users cant use all commands just the commands i added to the shell list

this config works