cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
9245
Views
0
Helpful
26
Replies

ACS 5.2 commands Authorization

Dmitry Samko
Level 1
Level 1

Greetings!

Have a conceptual question bout CLI command authorization. We have ASC 5.2 up and running, providing AAA services for network devices. Now I need to make  profiles for users in certain group to restrict dem CLI "rights" to show, clear counters and show running-config commands. Could you please provide me link to some workflow I need to accomplish dis task. For example:

I should clrete separate privillege levele profile (let it be 2), specify commands at this level, assign Group this Authorization Prifile and make some additional changes in my devices (I meen "aaa authorization...." commands). Appreciate any link to documentation or live examples. Give Thanks!

Jah Rastafari bless & protect you I

1 Accepted Solution

Accepted Solutions

Just tested it in my lab.

The trick is that to allow all show commands, your command set should permit "Show" and no argument mentionned.

What you permitted is "show *" which doesn't exist. the * is not a wildcard in the command set. "any argument" is achieved by leaving the argument field blank.

Regards,

Nicolas

View solution in original post

26 Replies 26

Nicolas Darchis
Cisco Employee
Cisco Employee

You can simply do the following :

-On acs, define a shell profile and a command set for each of the different scenarios you have, allowing different commands.

-On acs still, in the authorization menu of your access policy (by default, it will go to "default device admin" normally), hit "customize" and chose that you want to assign both a command set and shell profile in the result.

-Create an authorization rule (if user group =x or y, then I assign this command set and shell profile)

You're good to go !

For any details on the above, I simply suggest the ACS user guide

Nicolas, what AAA config commands should I use in advanced in network devices?

Thank you man.

Well it depends on what device it is and what ios version it's running and if you do tacacs or radius ....

usually aaa authorization commands 1 ... aaa authorization commands 15 and aaa authorization enable ...

Allright, look now. There are 6 screenShots. Let's see my steps below.

Shot1 - I create "Shell Profile", named Enable 2.

Shot2 - create "Commands Sets" named Allow Show RunnConfig. For simplicity there is only "Allow show *"

Shot3 - create "Default Device Admin -> Authorization" policy named Network-3. I assign Shell profile there. Seems, this step is unnecessary, but just fi sure.

Shot4 - create "Device Administration -> Authorization" policy named IT Noc. I assign Shell and Command profiles there

When the user from target AD grop try to vty login to the network device authentication successed. But Authorization is failed, none of typed command is authorized. Here is the log from "Monitoring and Report" TACACS+ Authorization. Target username is "rk########"

Shot5 - General log

Shot6 - Detailed log record. As you can see, "Matched Command Set" is empty (!!!) fi dis user, but "Selected Command Set" is Allow Show RunnConfig (OK); "Autherization Policy Matched Rule" is IT Noc (OK).

What's the problem.

In addition, here is aaa commands from Cisco L3 Switch.

aaa authorization config-commands
aaa authorization exec default group ACS local
aaa authorization commands 0 default group ACS local
aaa authorization commands 1 default group ACS local
aaa authorization commands 2 default group ACS
aaa authorization commands 15 default group ACS local

Please, have a look!

your 5th screenshot shows that "Show running-config" was authorized by ACS. That's expected.

The 6th screenshot shows the command "exit" that was not authorized. Which is normal since your command set only allows "show *".

So I don't see what the problem is :-)

Problem is that ACS doesn't authorize (I meen allow) any command. No show run, nor show interfaces neither show priv etc. Do you get me?

I see a "show running-config" in green, so it looked authorized.

If so, please provide a screenshot of a "show' command that was supposed to be authorized and wasn't.

No man, this is for another user in another group, foget about it. As I mention befor, interesting user is rk#####. So, please concentrate around the Shot6 - it's detailded problem description. The screeen is about exit command, but be sure that there is the same error about show priv command.

Do you understand my goal? I just wanna creatre profiles for NOC team with only show * commands (show config also). Of cource there should be allowed such commands as exit. Do you heve hands-on experience with dis kind of situation?

I perfeclty understand what you are trying to achieve. But you don't seem to understand my point.

You say that ACS denies "show" commands when it should authorize them. Fine, I believe. But show us a screenshot.

The 6th screenshot you sent is for the command "Exit" where ACS was correct in denying it !

So how can people help if you show them screenshots of something that is expected, while the unexpected behavior is not seen on screenshots.

I'd like to see the reason why ACS rejects your show commands, but if you don't show that, I'm not sure how can people help you ...

My experience with "this kind of solution" is 4 years supporting ACS in TAC, so I think I have it covered.

Well, excuse if I seems you rude. 4 years in cisco TAC you should be cool, no doubt.

There are my troubleShots.

Thank you for help!

Just tested it in my lab.

The trick is that to allow all show commands, your command set should permit "Show" and no argument mentionned.

What you permitted is "show *" which doesn't exist. the * is not a wildcard in the command set. "any argument" is achieved by leaving the argument field blank.

Regards,

Nicolas

Very nice, Thank you man.

The next question is what should I write in "Command Sets" section to authorize such commands as:

show running-config

clear counters

clear access-list counters

?

I have tried both cases: clear as a command and counters as an argument and clear counters as a single command. None of it works. And what about show running-config, I can't make it work.

Thank you in advanced.

???

If you permit "show" with no arguments, that means that "Show running-config" is already allowed implicitly. So not sure why you're adding that one too ??

I did a test command set where I just allowed command "show" with arguments "running-config" and I could do a show run on the switch but a show start was forbidden for example.

So all working as explained above

To be clear, I use command sets just like in shot10, but it doesn't works for show running. Moreover, when I type

# show running-config

on switch CLI it says - Invalid command and there are no attempts to authorize it on ACS - I don't see this commands in AAA Tacacs Authorization logs. But I can see successfull authorized commands such as show priv or telnet in logs. What it could be?

I remind you that I use Prive Level = 2.