topic Re: Users authorized commands in Network Access Control

Users authorized commands

rrcarter79 — Sun, 10 Mar 2019 14:06:43 GMT

I want to restrict some users to "show running-config" command.

I have created a Shell Command Authorization Set with "show" command "permit running-config". Under the TACACS+ setting the Shell (exec) is selected and Privilege level with a value of 5. The SCAS is associated to the username.

Config on a Router:

aaa new-model

aaa authentication login vty group tacacs+ local

aaa authentication login console line

aaa authentication enable default group tacacs+ enable

aaa authorization exec vty group tacacs+ local

aaa authorization commands 5 vty group tacacs+

...

line vty 0 4

exec-timeout 30 0

password ***Deleted****

authorization exec vty

The user gets the privilege of 5 when logged in but is unable to execute the command show running-config.

Thanks

Re: Users authorized commands

4brown — Wed, 15 Jan 2003 19:34:19 GMT

sh run is a priv lvl 15 command by default. You can change it to level 5 with the:

privilege exec level 5 show running-config

command.

Re: Users authorized commands

rrcarter79 — Wed, 15 Jan 2003 20:33:17 GMT

Yes that does work, but I would rather set this up using the Shell Command Authorization Set with the ACS server.

There are many more commands to include for different users and configuring every router and switch with each command required is a very large task.

How is this done with Shell Command Authorization Sets?

Thanks

Re: Users authorized commands

4brown — Wed, 15 Jan 2003 20:43:40 GMT

Do you have:

authorization commands 5 vty

on the line vty ports? Wasn't specified in your earlier post.

Re: Users authorized commands

rrcarter79 — Wed, 15 Jan 2003 21:29:46 GMT

Sorry - yes it is.

Re: Users authorized commands

4brown — Thu, 16 Jan 2003 00:57:04 GMT

Try quoting "running-config"

If that doesn't work, try just permitting "run".

Pasting debug aaa authorization and debug tacacs+ may help identify the issue.

Re: Users authorized commands

rrcarter79 — Thu, 16 Jan 2003 03:28:36 GMT

Using quotes does not work. The parameters inclosed in quotes disappears.

So I tried just permit run.

I logged in with username "username".

I gain access and get a priv of 5 and a # sign prompt.

Issue a sho run and receive an error.

------ Login Session ----------

Username: username

Password:

LabrtrB#sho priv

Current privilege level is 5

LabrtrB#

LabrtrB#sho run

% Invalid input detected at '^' marker.

LabrtrB#

Here are the debugs:

LabrtrB#debug aaa authorization

AAA Authorization debugging is on

LabrtrB#

Jan 15 22:11:52.728: tty2 AAA/AUTHOR/EXEC (3878016830): Port='tty2' list='vty' service=EXEC

Jan 15 22:11:52.728: AAA/AUTHOR/EXEC: tty2 (3878016830) user='username'

Jan 15 22:11:52.728: tty2 AAA/AUTHOR/EXEC (3878016830): send AV service=shell

Jan 15 22:11:52.728: tty2 AAA/AUTHOR/EXEC (3878016830): send AV cmd*

Jan 15 22:11:52.728: tty2 AAA/AUTHOR/EXEC (3878016830): found list "vty"

Jan 15 22:11:52.728: tty2 AAA/AUTHOR/EXEC (3878016830): Method=tacacs+ (tacacs+)

Jan 15 22:11:52.728: AAA/AUTHOR/TAC+: (3878016830): user=username

Jan 15 22:11:52.728: AAA/AUTHOR/TAC+: (3878016830): send AV service=shell

Jan 15 22:11:52.728: AAA/AUTHOR/TAC+: (3878016830): send AV cmd*

Jan 15 22:11:52.932: AAA/AUTHOR (3878016830): Post authorization status = PASS_ADD

Jan 15 22:11:52.932: AAA/AUTHOR/EXEC: Processing AV service=shell

Jan 15 22:11:52.932: AAA/AUTHOR/EXEC: Processing AV cmd*

Jan 15 22:11:52.932: AAA/AUTHOR/EXEC: Processing AV priv-lvl=5

Jan 15 22:11:52.932: AAA/AUTHOR/EXEC: Authorization successful

Jan 15 22:12:49.963: AAA/MEMORY: free_user (0x629A26BC) user='username' ruser=''

port='tty2' rem_addr='x.x.x.x' authen_type=ASCII service=LOGIN priv=1

LabrtrB#debug tacacs

TACACS access control debugging is on

LabrtrB#

Jan 15 22:13:50.599: TAC+: send AUTHEN/START packet ver=192 id=1365478173

Jan 15 22:13:50.599: TAC+: Using default tacacs server-group "tacacs+" list.

Jan 15 22:13:50.599: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5

Jan 15 22:13:50.599: TAC+: Opened TCP/IP handle 0x62A8E470 to x.x.x.x/49

Jan 15 22:13:50.599: TAC+: x.x.x.x (1365478173) AUTHEN/START/LOGIN/ASCII queued

Jan 15 22:13:50.799: TAC+: (1365478173) AUTHEN/START/LOGIN/ASCII processed

Jan 15 22:13:50.799: TAC+: ver=192 id=1365478173 received AUTHEN status = GETUSER

Jan 15 22:13:53.499: TAC+: send AUTHEN/CONT packet id=1365478173

Jan 15 22:13:53.503: TAC+: x.x.x.x (1365478173) AUTHEN/CONT queued

Jan 15 22:13:53.703: TAC+: (1365478173) AUTHEN/CONT processed

Jan 15 22:13:53.703: TAC+: ver=192 id=1365478173 received AUTHEN status = GETPASS

Jan 15 22:13:55.435: TAC+: send AUTHEN/CONT packet id=1365478173

Jan 15 22:13:55.435: TAC+: x.x.x.x (1365478173) AUTHEN/CONT queued

Jan 15 22:13:55.635: TAC+: (1365478173) AUTHEN/CONT processed

Jan 15 22:13:55.635: TAC+: ver=192 id=1365478173 received AUTHEN status = PASS

Jan 15 22:13:55.635: TAC+: Closing TCP/IP 0x62A8E470 connection to x.x.x.x/49

Jan 15 22:13:55.635: TAC+: using previously set server x.x.x.x from group tacacs+

Jan 15 22:13:55.635: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5

Jan 15 22:13:55.639: TAC+: Opened TCP/IP handle 0x62A8E8FC to x.x.x.x/49

Jan 15 22:13:55.639: TAC+: Opened x.x.x.x index=1

Jan 15 22:13:55.639: TAC+: x.x.x.x (305665778) AUTHOR/START queued

Jan 15 22:13:55.839: TAC+: (305665778) AUTHOR/START processed

Jan 15 22:13:55.839: TAC+: (305665778): received author response status = PASS_ADD

Jan 15 22:13:55.839: TAC+: Closing TCP/IP 0x62A8E8FC connection to x.x.x.x/49

Jan 15 22:13:55.839: TAC+: Received Attribute "priv-lvl=5"

Re: Users authorized commands

4brown — Thu, 16 Jan 2003 23:33:12 GMT

The IOS doesn't recognize the command because you are coming in at Privilege Level 5. If you don't want to use the Privilege Exec command, try this. Assign this group Privilege Level 15, and enforce authorization for priv 15:

aaa authorization commands 15 vty tacacs+

line vty 0 4

authorization commands 15 vty

Then, for this group, deny all the commands you want. sh run will be permitted since they are priv 15, but the commands you deny in the ACS will be denied.

Re: Users authorized commands

rrcarter79 — Fri, 17 Jan 2003 23:13:37 GMT

Actually I assigned the priv level 15 to the user.

router config:

aaa authorization commands 15 vty group tacacs+

line vty 0 4

exec-timeout 30 0

password 7 082C5F4B05180719171F

authorization commands 15 vty

authorization exec vty

Then for the user I allow the command sho running-config. Since this is the only priv level 15 command the user can run, it shows the configuration.

So the commands don't have to be assigned to a different level. This process assigns the onyl commands the user can execute.

Understanding this now lets me customize the commands any user can execute. This is what I was wanting to do.

Thanks for the help! I have a much better understanding now.

Re: Users authorized commands

rrcarter79 — Fri, 17 Jan 2003 23:42:59 GMT

I spoke too soon.

I am not able to control the configuration commands.

For example letting a user only change description on a line.

Re: Users authorized commands

4brown — Fri, 17 Jan 2003 23:50:15 GMT

Command authorization for config mode commands needs to be permitted:

aaa authorization config-commands

If this is not enabled, once in config mode, no requests are sent to the AAA server.

Re: Users authorized commands

rrcarter79 — Sat, 18 Jan 2003 00:36:59 GMT

I've added aaa authorization config-commands to no avail.

I assume it will authorize config-commands against the command authorization set.

The only config-command that I have in the command authorization set is "location"

Re: Users authorized commands

4brown — Sat, 18 Jan 2003 00:58:17 GMT

Post debug aaa author showing it fail...

Re: Users authorized commands

rrcarter79 — Tue, 21 Jan 2003 16:57:52 GMT

Here is the login session and debug. I have allowed "config" with "permit term" and "location".

I don't want the user to access the interfaces or lines.

Unauthorized access is strictly prohibited!

User Access Verification

Username: username

Password:

LabrtrB#config t

Enter configuration commands, one per line. End with CNTL/Z.

LabrtrB(config)#line vty 0 4

LabrtrB(config-line)#ex

% Ambiguous command: "ex"

LabrtrB(config-line)#exit

LabrtrB(config)#

LabrtrB(config)#end

LabrtrB#

Debug:

LabrtrB#debug aaa authorization

AAA Authorization debugging is on

LabrtrB#

Jan 21 11:51:02.300: AAA: parse name=tty3 idb type=-1 tty=-1

Jan 21 11:51:02.300: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0

Jan 21 11:51:02.300: AAA/MEMORY: create_user (0x629B4624) user='' ruser='' port='tty3' rem_addr='16.47.225.189' authen_type=ASCII service=LOGIN priv=1

Jan 21 11:51:11.960: tty3 AAA/AUTHOR/EXEC (559394384): Port='tty3' list='vty' service=EXEC

Jan 21 11:51:11.960: AAA/AUTHOR/EXEC: tty3 (559394384) user='username'

Jan 21 11:51:11.960: tty3 AAA/AUTHOR/EXEC (559394384): send AV service=shell

Jan 21 11:51:11.960: tty3 AAA/AUTHOR/EXEC (559394384): send AV cmd*

Jan 21 11:51:11.960: tty3 AAA/AUTHOR/EXEC (559394384): found list "vty"

Jan 21 11:51:11.960: tty3 AAA/AUTHOR/EXEC (559394384): Method=tacacs+ (tacacs+)

Jan 21 11:51:11.960: AAA/AUTHOR/TAC+: (559394384): user=username

Jan 21 11:51:11.960: AAA/AUTHOR/TAC+: (559394384): send AV service=shell

Jan 21 11:51:11.960: AAA/AUTHOR/TAC+: (559394384): send AV cmd*

Jan 21 11:51:12.164: AAA/AUTHOR (559394384): Post authorization status = PASS_ADD

Jan 21 11:51:12.164: AAA/AUTHOR/EXEC: Processing AV service=shell

Jan 21 11:51:12.164: AAA/AUTHOR/EXEC: Processing AV cmd*

Jan 21 11:51:12.164: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15

Jan 21 11:51:12.164: AAA/AUTHOR/EXEC: Authorization successful

Jan 21 11:51:15.188: tty3 AAA/AUTHOR/CMD (3225337257): Port='tty3' list='vty' service=CMD

Jan 21 11:51:15.188: AAA/AUTHOR/CMD: tty3 (3225337257) user='username'

Jan 21 11:51:15.192: tty3 AAA/AUTHOR/CMD (3225337257): send AV service=shell

Jan 21 11:51:15.192: tty3 AAA/AUTHOR/CMD (3225337257): send AV cmd=configure

Jan 21 11:51:15.192: tty3 AAA/AUTHOR/CMD (3225337257): send AV cmd-arg=terminal

Jan 21 11:51:15.192: tty3 AAA/AUTHOR/CMD (3225337257): send AV cmd-arg=

Jan 21 11:51:15.192: tty3 AAA/AUTHOR/CMD (3225337257): found list "vty"

Jan 21 11:51:15.192: tty3 AAA/AUTHOR/CMD (3225337257): Method=tacacs+ (tacacs+)

Jan 21 11:51:15.192: AAA/AUTHOR/TAC+: (3225337257): user=username

Jan 21 11:51:15.192: AAA/AUTHOR/TAC+: (3225337257): send AV service=shell

Jan 21 11:51:15.192: AAA/AUTHOR/TAC+: (3225337257): send AV cmd=configure

Jan 21 11:51:15.192: AAA/AUTHOR/TAC+: (3225337257): send AV cmd-arg=terminal

Jan 21 11:51:15.192: AAA/AUTHOR/TAC+: (3225337257): send AV cmd-arg=

Jan 21 11:51:15.392: AAA/AUTHOR (3225337257): Post authorization status = PASS_ADD

Jan 21 11:51:20.420: AAA/AUTHOR: config command authorization not enabled

Jan 21 11:51:26.816: AAA/AUTHOR: config command authorization not enabled

Jan 21 11:51:32.408: AAA/AUTHOR: config command authorization not enabled

Jan 21 11:51:32.408: %SYS-5-CONFIG_I: Configured from console by username on vty1 (16.47.225.189)

Jan 21 11:51:42.128: %SYS-4-SNMP_WRITENET: SNMP WriteNet request. Writing current configuration to 16.22.4.5un all

Jan 21 11:51:48.048: tty2 AAA/AUTHOR/CMD (1731012520): Port='tty2' list='vty' service=CMD

Jan 21 11:51:48.048: AAA/AUTHOR/CMD: tty2 (1731012520) user='admin'

Jan 21 11:51:48.048: tty2 AAA/AUTHOR/CMD (1731012520): send AV service=shell

Jan 21 11:51:48.048: tty2 AAA/AUTHOR/CMD (1731012520): send AV cmd=undebug

Jan 21 11:51:48.048: tty2 AAA/AUTHOR/CMD (1731012520): send AV cmd-arg=all

Jan 21 11:51:48.048: tty2 AAA/AUTHOR/CMD (1731012520): send AV cmd-arg=

Jan 21 11:51:48.048: tty2 AAA/AUTHOR/CMD (1731012520): found list "vty"

Jan 21 11:51:48.048: tty2 AAA/AUTHOR/CMD (1731012520): Method=tacacs+ (tacacs+)

Jan 21 11:51:48.048: AAA/AUTHOR/TAC+: (1731012520): user=admin

All possible debugging has been turned off

LabrtrB#

Jan 21 11:51:48.048: AAA/AUTHOR/TAC+: (1731012520): send AV service=shell

Jan 21 11:51:48.048: AAA/AUTHOR/TAC+: (1731012520): send AV cmd=undebug

Jan 21 11:51:48.048: AAA/AUTHOR/TAC+: (1731012520): send AV cmd-arg=all

Jan 21 11:51:48.048: AAA/AUTHOR/TAC+: (1731012520): send AV cmd-arg=

Jan 21 11:51:48.252: AAA/AUTHOR (1731012520): Post authorization status = PASS_ADD

Re: Users authorized commands

4brown — Tue, 21 Jan 2003 17:17:43 GMT

You need to have config-command authorization as specified in the previous post so it sends commands in config mode to the aaa server for approval. Note in your post, config command authorization is not configured.

Once it is, it will send each command in config mode to be permitted or denied to the AAA server. So if you want to deny access to line or interfaces, then specify these commands denied in the server.

When you enable it, look at your debug aaa authorization, you should see if the command is allowed or denied in the authorization status. That tells you if you have configuration issues in the AAA server.

Re: Users authorized commands

rrcarter79 — Tue, 21 Jan 2003 19:00:12 GMT

- config - session - debug

allows "line vty 0 4"

aaa new-model

aaa authentication login vty group tacacs+ local

aaa authentication login console line

aaa authentication enable default group tacacs+ enable

aaa authorization config-commands

aaa authorization exec vty group tacacs+ local

aaa authorization exec console local

aaa authorization commands 5 vty group tacacs+

aaa authorization commands 15 vty group tacacs+

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

Unauthorized access is strictly prohibited!

Username: username

Password:

LabrtrB#config t

Enter configuration commands, one per line. End with CNTL/Z.

LabrtrB(config)#line vty 0 4

LabrtrB(config-line)#end

LabrtrB#quit

LabrtrB#debug aaa authorization

AAA Authorization debugging is on

LabrtrB#

Jan 21 13:47:34.842: AAA: parse name=tty3 idb type=-1 tty=-1

Jan 21 13:47:34.842: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0

Jan 21 13:47:34.842: AAA/MEMORY: create_user (0x629C5BEC) user='' ruser='' port='tty3' rem_addr='16.47.207.61' authen_type=ASCII service=LOGIN priv=1

Jan 21 13:47:38.362: tty3 AAA/AUTHOR/EXEC (1080771678): Port='tty3' list='vty' service=EXEC

Jan 21 13:47:38.362: AAA/AUTHOR/EXEC: tty3 (1080771678) user='username'

Jan 21 13:47:38.362: tty3 AAA/AUTHOR/EXEC (1080771678): send AV service=shell

Jan 21 13:47:38.362: tty3 AAA/AUTHOR/EXEC (1080771678): send AV cmd*

Jan 21 13:47:38.362: tty3 AAA/AUTHOR/EXEC (1080771678): found list "vty"

Jan 21 13:47:38.362: tty3 AAA/AUTHOR/EXEC (1080771678): Method=tacacs+ (tacacs+)

Jan 21 13:47:38.362: AAA/AUTHOR/TAC+: (1080771678): user=username

Jan 21 13:47:38.362: AAA/AUTHOR/TAC+: (1080771678): send AV service=shell

Jan 21 13:47:38.362: AAA/AUTHOR/TAC+: (1080771678): send AV cmd*

Jan 21 13:47:38.566: AAA/AUTHOR (1080771678): Post authorization status = PASS_ADD

Jan 21 13:47:38.566: AAA/AUTHOR/EXEC: Processing AV service=shell

Jan 21 13:47:38.566: AAA/AUTHOR/EXEC: Processing AV cmd*

Jan 21 13:47:38.566: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15

Jan 21 13:47:38.566: AAA/AUTHOR/EXEC: Authorization successful

Jan 21 13:47:40.790: tty3 AAA/AUTHOR/CMD (1219681448): Port='tty3' list='vty' service=CMD

Jan 21 13:47:40.790: AAA/AUTHOR/CMD: tty3 (1219681448) user='username'

Jan 21 13:47:40.790: tty3 AAA/AUTHOR/CMD (1219681448): send AV service=shell

Jan 21 13:47:40.790: tty3 AAA/AUTHOR/CMD (1219681448): send AV cmd=configure

Jan 21 13:47:40.790: tty3 AAA/AUTHOR/CMD (1219681448): send AV cmd-arg=terminal

Jan 21 13:47:40.790: tty3 AAA/AUTHOR/CMD (1219681448): send AV cmd-arg=

Jan 21 13:47:40.790: tty3 AAA/AUTHOR/CMD (1219681448): found list "vty"

Jan 21 13:47:40.790: tty3 AAA/AUTHOR/CMD (1219681448): Method=tacacs+ (tacacs+)

Jan 21 13:47:40.790: AAA/AUTHOR/TAC+: (1219681448): user=username

Jan 21 13:47:40.790: AAA/AUTHOR/TAC+: (1219681448): send AV service=shell

Jan 21 13:47:40.790: AAA/AUTHOR/TAC+: (1219681448): send AV cmd=configure

Jan 21 13:47:40.790: AAA/AUTHOR/TAC+: (1219681448): send AV cmd-arg=terminal

Jan 21 13:47:40.790: AAA/AUTHOR/TAC+: (1219681448): send AV cmd-arg=

Jan 21 13:47:40.994: AAA/AUTHOR (1219681448): Post authorization status = PASS_ADD

Jan 21 13:47:45.006: AAA: parse name=tty4 idb type=-1 tty=-1

Jan 21 13:47:45.006: AAA: name=tty4 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=4 channel=0

Jan 21 13:47:45.006: AAA/MEMORY: create_user (0x62AAF52C) user='' ruser='' port='tty4' rem_addr='x.x.x.x' authen_type=ASCII service=LOGIN priv=1

Jan 21 13:47:45.606: AAA/MEMORY: free_user (0x62AAF52C) user='' ruser='' port='tty4' rem_addr='x.x.x.x' authen_type=ASCII service=LOGIN priv=1

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): Port='tty3' list='vty' service=CMD

Jan 21 13:47:47.490: AAA/AUTHOR/CMD: tty3 (1403778660) user='username'

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): send AV service=shell

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): send AV cmd=line

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): send AV cmd-arg=vty

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): send AV cmd-arg=0

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): send AV cmd-arg=4

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): send AV cmd-arg=

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): found list "vty"

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): Method=tacacs+ (tacacs+)

Jan 21 13:47:47.490: AAA/AUTHOR/TAC+: (1403778660): user=username

Jan 21 13:47:47.490: AAA/AUTHOR/TAC+: (1403778660): send AV service=shell

Jan 21 13:47:47.494: AAA/AUTHOR/TAC+: (1403778660): send AV cmd=line

Jan 21 13:47:47.494: AAA/AUTHOR/TAC+: (1403778660): send AV cmd-arg=vty

Jan 21 13:47:47.494: AAA/AUTHOR/TAC+: (1403778660): send AV cmd-arg=0

Jan 21 13:47:47.494: AAA/AUTHOR/TAC+: (1403778660): send AV cmd-arg=4

Jan 21 13:47:47.494: AAA/AUTHOR/TAC+: (1403778660): send AV cmd-arg=

Jan 21 13:47:47.694: AAA/AUTHOR (1403778660): Post authorization status = PASS_ADD

Jan 21 13:48:09.890: %SYS-5-CONFIG_I: Configured from console by username on vty1 (x.x.x.x)

Re: Users authorized commands

4brown — Tue, 21 Jan 2003 19:06:08 GMT

Note, the output shows the TAC+ server allowing the commands. Did you explicitly deny them? If so, check your configuration. I have never did this in CSNT but this is where the issue lies.

Re: Users authorized commands

rrcarter79 — Thu, 23 Jan 2003 18:39:53 GMT

I configured the commands that I want the users to be able to execute. I checked the box that deny and unmatched commands.

Commands allowed:

config - permit term

help

traceroute

ping

show

location

logout

Re: Users authorized commands

4brown — Sun, 26 Jan 2003 23:47:40 GMT

Just tested in the lab, worked fine.

I created a SCAS permitting the commands you want to permit. Unmatched commands was checked and the Permit Unmatched Arguments was not selected. The SCAS was assigned to the group.

For the location command, enter location as the command and whatever you argument you wish to permit, eg. , permit NMS.

The only difference, is I did not use a list for the vty ports, I used default. Here is my config:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization config-commands

aaa authorization exec default group tacacs+ local if-authenticated

aaa authorization commands 15 default group tacacs+ local if-authenticated

Re: Users authorized commands

rbradfield — Tue, 04 Feb 2003 06:12:45 GMT

I want to do something similar to what you are doing, i want to have two groups in ACS, one that has a number of users that have full access to routers and, another group that can only do a show log, version and interfaces

After messing around for some time I came here and saw that I am not alone!

Can you post the working router config

I'll buy you a cold one next time you are in Ozz

regards Richard.