Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

2393
Views
0
Helpful
4
Replies
Jon Eyes
Beginner
Beginner
‎07-16-2012 01:08 AM
‎07-16-2012 01:08 AM

ACS 4.2 Command Authorization

Hi Everyone,

This is my first post. And im not quite sure if this is the right place so here it is

I have several cisco devices and i want my colleauges to have a limited access to it wherein they're only allowed specific commands. So I put up an ACS 4.2 in place with user authenticated against active directory accounts.

Im done with the authentication part, and its perfectly working (i guess). I create three user group where i can attached a comman authorization sets

Shell command autorization sets

GROUP-80

Allow commands (the rest are deny)

show *

enable *

configure *

end *

exit *

GROUP-90

Deny commands

clear configuration *

username *

no username *

tacacs-server *

no tacacs-server *

aaa *

no aaa *

line *

no line *

GROUP-100

Allow all

IOS Configuration

aaa new-model

aaa authentication login default local

aaa authentication login THEN1 group tacacs+ local

aaa authorization exec THOR1 group tacacs+ local

aaa session-id common

aaa authentication login THEN1 group tacacs+ local

aaa authorization exec THOR1 group tacacs+ local

tacacs-server host 172.16.8.115 single-connection

tacacs-server host 172.16.8.112 single-connection

tacacs-server key 7 0300520C0F1B204F4F0A0A54

line vty 0 4

access-class 50 in

privilege level 15

authorization exec THOR1

login authentication THEN1

transport input ssh

Labels:
0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
Amjad Abdullah
Engager
Engager
In response to Jon Eyes
‎07-16-2012 06:01 AM
‎07-16-2012 06:01 AM

Use this command on your router/switch

aaa authorization config-commands

http://www.cisco.com/en/US/docs/ios/12_0/security/command/reference/srauth.html#wp1017530

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"

View solution in original post

0 Helpful
4 REPLIES 4
Amjad Abdullah
Engager
Engager
‎07-16-2012 04:24 AM
‎07-16-2012 04:24 AM

What is you question?

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"
0 Helpful
Jon Eyes
Beginner
Beginner
In response to Amjad Abdullah
‎07-16-2012 04:55 AM
‎07-16-2012 04:55 AM

ow im sorry.. i forgot

how would i accomplish these via acs?

three groups. group 100, 90 and 80

group 100 - allow all commands

group 90 - allow all except these below commands ( * - any arguments) including all group-80 commands

clear configuration *

username *

no username *

tacacs-server *

no tacacs-server *

aaa *

no aaa *

line *

no line *

group 80 - allow only below commands

show *

enable *

configure *

end

exit

In my initial post is the IOS configuration of my routers/switches. Attached the group-90 shell command authorization set from ACS

Eventhough the user is at group-90, all of the commands are still being accepted by the device

Here's the debug from the console while I successfully login using a group-90 user account and typed "no tacacs-server...". Im expecting my commands will not be permitted but i was still able to execute it

Jul 16 11:49:59.502: %SSH-5-SSH2_USERAUTH: User 'sdesk' authentication for SSH2 Session from 172.16.11.225 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-md5' Succeeded

Jul 16 11:49:59.510: TPLUS: Queuing AAA Authorization request 16475 for processing

Jul 16 11:49:59.510: TPLUS: processing authorization request id 16475

Jul 16 11:49:59.510: TPLUS: Protocol set to None .....Skipping

Jul 16 11:49:59.510: TPLUS: Sending AV service=shell

Jul 16 11:49:59.510: TPLUS: Sending AV cmd*

Jul 16 11:49:59.510: TPLUS: Authorization request created for 16475(sdesk)

Jul 16 11:49:59.510: TPLUS: using previously set server 172.16.8.115 from group tacacs+

Jul 16 11:49:59.510: TPLUS(0000405B)/0/IDLE/662A3E14: got immediate connect on new 0

Jul 16 11:49:59.510: TPLUS(0000405B)/0/WRITE/662A3E14: Started 5 sec timeout

Jul 16 11:49:59.514: TPLUS(0000405B)/0/WRITE: wrote entire 63 bytes request

Jul 16 11:49:59.994: TPLUS(0000405B)/0/READ: read entire 12 header bytes (expect 6 bytes)

Jul 16 11:49:59.994: TPLUS(0000405B)/0/READ: read entire 18 bytes response

Jul 16 11:49:59.994: TPLUS(0000405B)/0/662A3E14: Processing the reply packet

Jul 16 11:49:59.994: TPLUS: received authorization response for 16475: PASS

It'll be greatly appreciated if you could help me figure this out

Thanks in advance...

0 Helpful
Amjad Abdullah
Engager
Engager
In response to Jon Eyes
‎07-16-2012 06:01 AM
‎07-16-2012 06:01 AM

Use this command on your router/switch

aaa authorization config-commands

http://www.cisco.com/en/US/docs/ios/12_0/security/command/reference/srauth.html#wp1017530

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"

View solution in original post

0 Helpful
Jon Eyes
Beginner
Beginner
In response to Amjad Abdullah
‎08-29-2012 09:17 PM
‎08-29-2012 09:17 PM

Thanks Abdullah for the link

But it took me quite a while before i could correctly figure the sets of commands

Really appreciate your help

And for those of you who have the same case, here's a quick template you that you can follow

0 Helpful
Latest Contents
ISE as RADIUS server for Password + Smart Card Authenticatio...
Created by deepuvarghese1 on 04-17-2021 06:22 AM
1
10
1
10
The purpose of this document is to demonstrate how ISE authenticate / authorize a user that uses a smart card (PIN + Certificate) and password mechanism to login their system. This document describes the components used for this setup, configuration of IS... view more
Email Security - QuoVadis Root Certificate Decommission Migh...
Created by dmccabej on 03-30-2021 09:32 AM
0
0
0
0
Problem Description For all versions of the Email Security Appliance (ESA) and Security Management Appliance (SMA), some Secure Sockets Link (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before 2021-03-31 cannot b... view more
ISE REST APIs Webinar: April 6/7, 2021
Created by thomas on 03-25-2021 07:57 PM
2
5
2
5
  Register Now Automation and programmability for networking and security are increasingly important topics. Every release since ISE 1.2 has included new REST API capabilities to better automate and integrate ISE with the rest of your network, appli... view more
FMT 2.3.4 adding ASA migrations of S2S VPN in public beta
Created by William_Hansch on 03-22-2021 08:00 AM
1
10
1
10
The latest iteration (v2.3.4) of the Cisco Secure Firewall Migration Tool adds public beta support for S2S VPN migrations from ASA: Policy-based (crypto map) Pre-Shared key authentication type VPN configuration to Firepower Management Center VP... view more
What's New for Cisco Defense Orchestrator (CDO)
Created by Andrew Mallio on 03-22-2021 04:40 AM
1
40
1
40
Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that manages security products like Adaptive Security Appliance (ASA), Firepower Threat Defense next-generation firewall, and Meraki devices, to name a few.  We make improvement... view more
Content for Community-Ad