topic Re: Shell Command Authorization in Network Access Control

Shell Command Authorization

admin_2 — Sun, 10 Mar 2019 23:40:20 GMT

Recently, a couple of our help desk people were asking for access to some of our branch network equipment so that they can look at interface counters, etc. for troubleshooting without escalating to the engineers. I agreed that it would be okay to give access to commands such as, Â“show ip interface briefÂ”, Â“show interfaceÂ”, and Â“clear countersÂ”. I want to deny commands such as Â“show running-configÂ” and Â“configureÂ”.

I have setup shell command authorization in every possible way (user level, group level, creating shell command authorization sets, per NDG etc.) and I cannot get them to work. I have read through many docs on CiscoÂ’s website and IÂ’m still unable to get this to work. I suspect there may be some AAA settings on the devices that may be overriding the ACS settings, but IÂ’m not sure. IÂ’m relatively new at configuring ACS and IÂ’ve run out of ideas. Any suggestions?

Re: Shell Command Authorization

Leo Laohoo — Wed, 02 Sep 2009 22:13:41 GMT

Something more simpler.

Configuring Security with Passwords, Privilege Levels, and Login Usernames for CLI Sessions on Networking Devices

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_sec_4cli_ps6017_TSD_Products_Configuration_Guide_Chapter.html#wp1170533

Re: Shell Command Authorization

nsn-amagruder — Thu, 03 Sep 2009 01:29:54 GMT

Look at the authentication/authorization logs in the ACS and it will give you a better idea of what the issues is. You are definently on the right track. Per Group Level is the best idea. Not sure if you are mapping back to an AD Group or using seperate ID's on the ACS.

The other option is to give them access to a network management system that will show them the current status of the device, errors in the last 5 minutes through the last x days,months, years, events, snmp traps etc.

Solarwinds is a good product for this.

Let us know what the ACS logs show, what shell commands you have set, NDG, Shared Resources and group settings you have set.

Aaron Magruder

NonStop Networks, LLC

http://www.nonstopnetworks.net

Re: Shell Command Authorization

Thu, 03 Sep 2009 11:26:41 GMT

The TACACS+ Accounting log shows me the date & time my test account authenticated, what group it belongs to, from what IP, the session starting & stopping, & the elapsed time. The TACACS+ Administration log show what commands were issued. What other logs do you suggest I look at?

They do have access to solarwinds for monitoring and this does provide a wealth of information.

I am going to start from scratch - new router with a blank config, new ACS group and test user.

Thanks for your help!

Re: Shell Command Authorization

nsn-amagruder — Thu, 03 Sep 2009 11:37:33 GMT

I'm not sure if the login or commands were failing at the network device. May it fail, then check the failed attempts log. This log usually points directly to the issue.

Re: Shell Command Authorization

Thu, 03 Sep 2009 12:12:32 GMT

Thanks! The problem is I am unable to restrict specific commands using the shell command authorization. The test account can authenticate, enter privileged mode and run all commands. No matter how I setup shell command authorization, I cannot get it to deny any commands.

Re: Shell Command Authorization

nsn-amagruder — Thu, 03 Sep 2009 12:43:14 GMT

Gotcha...Under the Group, what shell privilege level is check or entered under the shell section? I believe you can also set the shell command sets in this section. Set the privelege level to 1. I don't have access to one at the moment, but I believe their is a drop down menue and a place to check a box privilege level and type 1.

In the passed authentication log, are the users getting mapped to the group you are setting the rights on?

Try setting the command authorization to none just to verify that the group can no longer do anything.

To prevent the application of any shell command-authorization set, select (or accept the default of) the None option.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/g.html#wp480029

command sets

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SPC.html#wp697557

Re: Shell Command Authorization

Thu, 03 Sep 2009 19:01:39 GMT

privilege is 1

I've checked the authentication logs, and my test user is getting mapped to the correct group.

I changed the shell command authorization to "none" and it still allowed me to issue commands. There has to be something else that is over riding this. I just can't find it yet.