05-10-2011 01:58 PM - edited 03-10-2019 06:04 PM
Greetings!
I have a conceptual question about CLI command authorization. We have ACS 5.2 up and running, providing AAA services for network devices. Now I need to make profiles for users in a certain group to restrict their CLI "rights" to show, clear counters and show running-config commands. Could you please provide me a link to some workflow I need to accomplish this task. For example:
I should create a separate privilege level profile (let it be 2), specify commands at this level, assign this Authorization Profile to the Group, and make some additional changes on my devices (I mean "aaa authorization ...." commands). I would appreciate any link to documentation or live examples. Give thanks!
Jah Rastafari bless & protect you I
05-10-2011 09:52 PM
You can simply do the following :
- On ACS, define a shell profile and a command set for each of the different scenarios you have, allowing different commands.
- On ACS still, in the authorization menu of your access policy (by default, it will go to "default device admin" normally), hit "customize" and choose that you want to assign both a command set and a shell profile in the result.
- Create an authorization rule (if user group = x or y, then I assign this command set and shell profile).
You're good to go!
For any details on the above, I simply suggest the ACS user guide
05-11-2011 12:47 AM
Nicolas, what AAA config commands should I use in advance on the network devices?
Thank you, man.
05-11-2011 02:23 AM
Well, it depends on what device it is, what IOS version it's running, and whether you do TACACS+ or RADIUS ....
Usually aaa authorization commands 1 ... aaa authorization commands 15 and aaa authorization enable ...
05-12-2011 01:54 AM
All right, look now. There are 6 screenshots. Let's see my steps below.
Shot1 - I create a "Shell Profile", named Enable 2.
Shot2 - create a "Command Set" named Allow Show RunnConfig. For simplicity there is only "Allow show *".
Shot3 - create a "Default Device Admin -> Authorization" policy named Network-3. I assign the Shell profile there. This step seems unnecessary, but just to be sure.
Shot4 - create a "Device Administration -> Authorization" policy named IT Noc. I assign the Shell and Command profiles there.
When a user from the target AD group tries to log in to the network device via vty, authentication succeeds. But authorization fails: none of the typed commands is authorized. Here is the log from "Monitoring and Report" TACACS+ Authorization. The target username is "rk########".
Shot5 - General log
Shot6 - Detailed log record. As you can see, "Matched Command Set" is empty (!!!) for this user, but "Selected Command Set" is Allow Show RunnConfig (OK); "Authorization Policy Matched Rule" is IT Noc (OK).
What's the problem?
In addition, here are the aaa commands from the Cisco L3 switch.
aaa authorization config-commands
aaa authorization exec default group ACS local
aaa authorization commands 0 default group ACS local
aaa authorization commands 1 default group ACS local
aaa authorization commands 2 default group ACS
aaa authorization commands 15 default group ACS local
Please, have a look!
05-12-2011 02:06 AM
Your 5th screenshot shows that "show running-config" was authorized by ACS. That's expected.
The 6th screenshot shows the command "exit", which was not authorized. Which is normal, since your command set only allows "show *".
So I don't see what the problem is :-)
05-12-2011 04:30 AM
The problem is that ACS doesn't authorize (I mean allow) any command. Not show run, nor show interfaces, nor show priv, etc. Do you get me?
05-12-2011 04:45 AM
I see a "show running-config" in green, so it looks authorized.
If so, please provide a screenshot of a "show" command that was supposed to be authorized and wasn't.
05-12-2011 04:58 AM
No man, this is for another user in another group, forget about it. As I mentioned before, the interesting user is rk#####. So, please concentrate on Shot6 - it's the detailed problem description. The screen is about the exit command, but be sure that there is the same error for the show priv command.
Do you understand my goal? I just want to create profiles for the NOC team with only show * commands (show config also). Of course, such commands as exit should be allowed too. Do you have hands-on experience with this kind of situation?
05-12-2011 05:02 AM
I perfectly understand what you are trying to achieve. But you don't seem to understand my point.
You say that ACS denies "show" commands when it should authorize them. Fine, I believe. But show us a screenshot.
The 6th screenshot you sent is for the command "exit", where ACS was correct in denying it!
So how can people help if you show them screenshots of something that is expected, while the unexpected behavior is not seen on screenshots.
I'd like to see the reason why ACS rejects your show commands, but if you don't show that, I'm not sure how can people help you ...
My experience with "this kind of solution" is 4 years supporting ACS in TAC, so I think I have it covered.
05-12-2011 07:33 AM
05-14-2011 10:09 AM
Just tested it in my lab.
The trick is that to allow all show commands, your command set should permit "show" with no argument mentioned.
What you permitted is "show *", which doesn't exist. The * is not a wildcard in the command set. "Any argument" is achieved by leaving the argument field blank.
Regards,
Nicolas
05-16-2011 01:31 AM
Very nice, thank you, man.
The next question is what I should write in the "Command Sets" section to authorize such commands as:
show running-config
clear counters
clear access-list counters
?
I have tried both cases: clear as the command and counters as the argument, and clear counters as a single command. Neither works. And as for show running-config, I can't make it work.
Thank you in advance.
05-16-2011 05:35 AM
???
If you permit "show" with no arguments, that means that "show running-config" is already allowed implicitly. So I'm not sure why you're adding that one too??
I did a test command set where I just allowed the command "show" with the argument "running-config", and I could do a show run on the switch, but a show start was forbidden, for example.
So all is working as explained above.
05-16-2011 05:54 AM
To be clear, I use command sets just like in shot10, but it doesn't work for show running. Moreover, when I type
# show running-config
on the switch CLI it says "Invalid command" and there are no attempts to authorize it on ACS - I don't see this command in the AAA TACACS Authorization logs. But I can see successfully authorized commands such as show priv or telnet in the logs. What could it be?
I remind you that I use Privilege Level = 2.
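The two behaviours discussed in this thread (a blank argument field in an ACS 5.x command set meaning "any argument" while "*" is compared literally, and a command that the switch rejects as "Invalid command" at privilege level 2 never producing a TACACS+ authorization request) can be modelled together. The following Python script is an added example, not ACS code and not from any post above. It assumes a first-matching-row-wins evaluation of the command set with an optional "permit unmatched" flag, case-insensitive command names, whole-token comparison of the argument field, a small constructed table of default IOS minimum privilege levels (show running-config and clear counters at 15, unknown commands at 1), and a copy of the poster's aaa lines as sample input.

```python
import re
from dataclasses import dataclass

# Constructed copy of the switch AAA lines posted above; note that the
# privilege-2 line has no "local" fallback method after "group ACS".
IOS_AAA_CONFIG = """
aaa authorization config-commands
aaa authorization exec default group ACS local
aaa authorization commands 0 default group ACS local
aaa authorization commands 1 default group ACS local
aaa authorization commands 2 default group ACS
aaa authorization commands 15 default group ACS local
"""

# Assumed minimum IOS privilege level per command (typical defaults, not taken
# from the thread): show running-config and clear are level-15 commands.
CMD_MIN_LEVEL = {
    "show running-config": 15,
    "show startup-config": 15,
    "show privilege": 1,
    "show interfaces": 1,
    "clear counters": 15,
    "telnet": 1,
    "exit": 0,
}

@dataclass
class Rule:
    grant: str           # "Permit" or "Deny"
    command: str         # e.g. "show"
    arguments: str = ""  # blank = any arguments (the point made in the accepted answer)

@dataclass
class CommandSet:
    name: str
    rules: list
    permit_unmatched: bool = False  # assumed model of "permit any command not in the table"

def parse_aaa_levels(config):
    """Map privilege level -> method list from 'aaa authorization commands' lines."""
    levels = {}
    for line in config.splitlines():
        m = re.match(r"aaa authorization commands (\d+) default (.+)$", line.strip())
        if m:
            levels[int(m.group(1))] = m.group(2).split()
    return levels

def required_level(line):
    """Longest-prefix lookup in CMD_MIN_LEVEL; unknown commands assumed level 1."""
    tokens = line.split()
    for n in range(len(tokens), 0, -1):
        key = " ".join(tokens[:n])
        if key in CMD_MIN_LEVEL:
            return CMD_MIN_LEVEL[key]
    return 1

def rule_matches(rule, command, args):
    if rule.command.lower() != command.lower():
        return False
    if rule.arguments.strip() == "":
        return True  # blank argument field matches any (or no) arguments
    # "*" is not a wildcard here: it is compared literally like any other token
    return rule.arguments.lower().split() == args.lower().split()

def acs_decision(cmdset, command, args):
    """First matching row wins; an unmatched command falls back to permit_unmatched."""
    for rule in cmdset.rules:
        if rule_matches(rule, command, args):
            return rule.grant == "Permit", f"{rule.grant} {rule.command} {rule.arguments}".strip()
    return cmdset.permit_unmatched, None

def authorize(line, priv_level, cmdset, aaa_levels):
    """Return (allowed, stage, detail) for one CLI line typed at priv_level."""
    if required_level(line) > priv_level:
        # The parser rejects it before any TACACS+ request is sent, so ACS logs nothing.
        return False, "parser", "Invalid command at this privilege level; no authorization request"
    if priv_level not in aaa_levels:
        return True, "device", "no 'aaa authorization commands' for this level; not sent to ACS"
    tokens = line.split()
    command, args = tokens[0], " ".join(tokens[1:])
    allowed, matched = acs_decision(cmdset, command, args)
    return allowed, "acs", matched

if __name__ == "__main__":
    aaa = parse_aaa_levels(IOS_AAA_CONFIG)
    bad = CommandSet("Allow Show RunnConfig", [Rule("Permit", "show", "*")])
    good = CommandSet("Allow Show Any", [Rule("Permit", "show"), Rule("Permit", "exit")])
    for cs in (bad, good):
        for cmd in ("show running-config", "show privilege", "exit"):
            print(cs.name, "|", cmd, "->", authorize(cmd, 15, cs, aaa))
    # At privilege 2 the parser stops show running-config before ACS is ever asked.
    print(authorize("show running-config", 2, good, aaa))
```

Running it shows the "show *" set denying every show command (the literal "*" never matches), the blank-argument set permitting them and "exit" only because it has its own row, and "show running-config" at privilege 2 failing in the parser stage with no ACS decision at all, which matches the "Invalid command" with no authorization log entry described above.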