https://community.cisco.com/t5/network-access-control/problem-with-shell-command-authorization/m-p/142944#M436051 <P>I ran into this issue with both ACS 3.1 and ACS 3.2</P><P></P><P>A shell command authorization set is created under the shared profile components with the following settings:</P><P></P><P>Unmatched Commands: deny</P><P>Permit Unmatched Args: UNCHECKED</P><P></P><P>The command allowed is "show", with Arg "permit ver", "permit interface", and "permit run"</P><P></P><P>This authorization set is then applied to the group, under the option "Assign a Shell Command Authorization set for any network device."</P><P></P><P>Enable option for that group is set to "Max Privilege for any AAA Client, level 15"</P><P></P><P>This configuration is then tested against two IOS switches, with the aaa commands as follow:</P><P></P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ local</P><P>aaa authentication enable default group tacacs+ enable</P><P>aaa authorization exec default group tacacs+ local</P><P>aaa authorization commands 15 default group tacacs+ local</P><P></P><P>The problem I am having is that when an user that falls under this group logs in, he/she can issue commands such as show ver, show run, and show int just like I would expect it to. Any command that doesn't start with a show.... is denied. However, other show commands that are not listed in the Args will work, while some won't. For example, "show arp" and "show vlan" worked, while "show accounting" and "show buffer" didn't. What am I missing?</P><P> </P> Sun, 10 Mar 2019 14:26:32 GMT dtangent 2019-03-10T14:26:32Z https://community.cisco.com/t5/network-access-control/problem-with-shell-command-authorization/m-p/142944#M436051 <P>I ran into this issue with both ACS 3.1 and ACS 3.2</P><P></P><P>A shell command authorization set is created under the shared profile components with the following settings:</P><P></P><P>Unmatched Commands: deny</P><P>Permit Unmatched Args: UNCHECKED</P><P></P><P>The command allowed is "show", with Arg "permit ver", "permit interface", and "permit run"</P><P></P><P>This authorization set is then applied to the group, under the option "Assign a Shell Command Authorization set for any network device."</P><P></P><P>Enable option for that group is set to "Max Privilege for any AAA Client, level 15"</P><P></P><P>This configuration is then tested against two IOS switches, with the aaa commands as follow:</P><P></P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ local</P><P>aaa authentication enable default group tacacs+ enable</P><P>aaa authorization exec default group tacacs+ local</P><P>aaa authorization commands 15 default group tacacs+ local</P><P></P><P>The problem I am having is that when an user that falls under this group logs in, he/she can issue commands such as show ver, show run, and show int just like I would expect it to. Any command that doesn't start with a show.... is denied. However, other show commands that are not listed in the Args will work, while some won't. For example, "show arp" and "show vlan" worked, while "show accounting" and "show buffer" didn't. What am I missing?</P><P> </P> Sun, 10 Mar 2019 14:26:32 GMT https://community.cisco.com/t5/network-access-control/problem-with-shell-command-authorization/m-p/142944#M436051 dtangent 2019-03-10T14:26:32Z https://community.cisco.com/t5/network-access-control/problem-with-shell-command-authorization/m-p/142945#M436052 <HTML><HEAD></HEAD><BODY><P>commands that are working without you defining them explicitly are of lower Privilege level than 15... eg; 'show arp' is a Priv-1 command, hence it is execuatbel without command authorization as you are not doing command authorization for Priv-1.</P><P></P><P></P><P>Router&gt;sh priv </P><P>Current privilege level is 1</P><P>Router&gt;</P><P>Router&gt;</P><P>Router&gt;show arp</P><P>Protocol Address Age (min) Hardware Addr Type Interface</P><P>Internet 10.1.5.2 24 0000.abcd.abcd ARPA Ethernet0/0</P><P>Internet 10.1.5.3 - 0003.abcd.abcd ARPA Ethernet0/0</P><P>Router&gt;</P><P>Router&gt;</P></BODY></HTML> Tue, 12 Aug 2003 05:33:50 GMT https://community.cisco.com/t5/network-access-control/problem-with-shell-command-authorization/m-p/142945#M436052 yusuff 2003-08-12T05:33:50Z https://community.cisco.com/t5/network-access-control/problem-with-shell-command-authorization/m-p/142946#M436053 <HTML><HEAD></HEAD><BODY><P>Adding the aaa command, "aaa authorization commands 1 default group tacacs+ local" fixed it. Thanks for the response.</P></BODY></HTML> Tue, 12 Aug 2003 15:57:26 GMT https://community.cisco.com/t5/network-access-control/problem-with-shell-command-authorization/m-p/142946#M436053 dtangent 2003-08-12T15:57:26Z https://community.cisco.com/t5/network-access-control/problem-with-shell-command-authorization/m-p/142947#M436054 <HTML><HEAD></HEAD><BODY><P>I have the same problem, and adding the "aaa authorization commands 1 default group tacacs+" command the results is the same: it doesn't work correctly...</P><P></P><P>I have: </P><P>"Unmatched Cisco IOS commands"---&gt; Deny</P><P>"Command"---&gt; show</P><P>"Arguments"---&gt; permit ip route</P><P>"Unlisted arguments"---&gt; deny</P><P></P><P>These parameters are the same in the group and in the user setting, but I've tried several solution, with no good results...</P><P></P><P>The version of CiscoSecure is 2.4 for WinNT. </P><P>There is a solution?</P><P></P><P></P></BODY></HTML> Wed, 03 Sep 2003 14:06:59 GMT https://community.cisco.com/t5/network-access-control/problem-with-shell-command-authorization/m-p/142947#M436054 m.penta 2003-09-03T14:06:59Z