cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1012
Views
0
Helpful
2
Replies

ACS 5.1 - Command Line Filters not working in Config Mode

rodmunch999
Level 1
Level 1

Hi

I am trying to set up command line filters to deny sniffer commands being entered. I have setup a Command Set and applied it to an Authorization Policy. The command filter works fine for commands in privileged mode. However, the filter doesn't work for any command that is entered in Config mode.

For a test I have setup a Command Set that will deny:

show clock

terminal length

show monitor

remote span

monitor session

The first three command are entered from the initial privilege mode and they are failed by the ACS. The last two commands can only be entered in config mode and the ACS does not stop them being entered.

I have attached two screenshots which show the Command Set configuration on the ACS and a Terminal session which commands are filtered and which are let through.

Has anyone else come across this problem? Is there something else I should be adding to the Command Set? Is this a bug?

There is a bug on the Cisco Website which relates to command filters:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtf08567

I do not know if this bug applies to this issue as there is so little information on it. Also, if it does apply I do not understand the workaround to apply it to this situation.

Any advice would be greatly appreciated. - (ACS Version 5.1.0.44.2)

Cheers Dave

1 Accepted Solution

Accepted Solutions

Do you have authorization for configuration mode on the router?

If not, add:

aaa authorization config-commands

View solution in original post

2 Replies 2

Do you have authorization for configuration mode on the router?

If not, add:

aaa authorization config-commands

Thanks Javier that works a treat. We already had the following authorization commands in the aaa config:

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

The documentation stated that "Commands—Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level"

....so we though we already had the config commands covered. I guess not.

Many Thanks

Dave

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: