04-18-2010 05:39 PM - edited 03-10-2019 05:04 PM
Hi
I am trying to set up command line filters to deny sniffer commands being entered. I have setup a Command Set and applied it to an Authorization Policy. The command filter works fine for commands in privileged mode. However, the filter doesn't work for any command that is entered in Config mode.
For a test I have setup a Command Set that will deny:
show clock
terminal length
show monitor
remote span
monitor session
The first three command are entered from the initial privilege mode and they are failed by the ACS. The last two commands can only be entered in config mode and the ACS does not stop them being entered.
I have attached two screenshots which show the Command Set configuration on the ACS and a Terminal session which commands are filtered and which are let through.
Has anyone else come across this problem? Is there something else I should be adding to the Command Set? Is this a bug?
There is a bug on the Cisco Website which relates to command filters:
I do not know if this bug applies to this issue as there is so little information on it. Also, if it does apply I do not understand the workaround to apply it to this situation.
Any advice would be greatly appreciated. - (ACS Version 5.1.0.44.2)
Cheers Dave
Solved! Go to Solution.
04-19-2010 09:35 AM
Do you have authorization for configuration mode on the router?
If not, add:
aaa authorization config-commands
04-19-2010 09:35 AM
Do you have authorization for configuration mode on the router?
If not, add:
aaa authorization config-commands
04-19-2010 05:56 PM
Thanks Javier that works a treat. We already had the following authorization commands in the aaa config:
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
The documentation stated that "Commands—Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level"
....so we though we already had the config commands covered. I guess not.
Many Thanks
Dave
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: