Add a command to a customized list in ACS (TACACS server )

shoaib sheikh
Level 1

Hello,
I have created a privilege 4 access in ACS server by navigating through:

Policy Elements > Authorization and Permissions  > Device Administration > Shell Profiles 
I want to add the show run command to this group. Please let me know how I can do it.
See attached images for your reference.
Thanks.

5 Replies

nspasov
Cisco Employee

Hello Shoaib-

Unfortunately, allowing users below privilege level 15 to see the full config with "show run" is not as simple as it sounds. If a user has privilege level 4, then that user will only be able to view commands that he/she is authorized to change. In this case that will be only the commands that are assigned to privilege level 4. Any configuration that is above privilege level 4 will not be displayed when the user issues "show run". For more info check this link:

http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/23383-showrun.html

There are a couple of different ways to get around this:

1. You can configure the user to be privilege level 15 but restrict the user to a set of commands by configuring a "Command Set" and assigning it to the "Authorization Profile" for those users. In the command set you can allow only: show run, exit, logout, ping, etc. That way, even though the user has privilege level 15, he/she will not be able to execute any other commands.

2. A second way is to allow the command "show running-config view full" in the "Command Set" without the need to assign the user a privilege level of 15.

I hope this helps!

Thank you for rating helpful posts!

Hi Neno,

Thanks for the valuable reply.

I chose option 1. I created the privilege level 15 shell profile and the command sets. I am trying to create an authorization profile but am not getting any option for mapping.

For your information, I am a novice to ACS and don't know how to get this done.

Please provide me the steps to do the same, and see the attachment.

Hello Shoaib-

No worries, I will help you out! :) So first things first. You need to edit your "Command Set" and correct the syntax. To allow "show run" you need to have it structured like this:

Grant=permit, Command=show, Arguments=running-config

Now, to "map" the "Command Set" you need to go to:

1. Access Policies > Access Services > Default Device Admin (or the name of the custom policy, in case you are not using the default one) > Authorization.

2. There you should have a rule for your "Privilege Level 4" users. Edit that rule, and in that window you should see an option to attach a "Command Set". This is where you will need to select the one you created.

3. If you are not seeing the option to attach the "Command Set", close that pop-out window and click "Customize" in the bottom right corner of the "Authorization" screen. It should be located next to another button called "Hit Count". In the newly opened window, select the "Command Sets" option from the "Available" custom results and use the arrows to move it to the right-hand window called "Selected".

4. Then go back to step #3 and try again.

Let me know how it goes.

Thank you for rating helpful posts!
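The two replies above both rest on the same mechanism: the user is authenticated at a high privilege level, and the TACACS+ command authorization on every line typed is what actually restricts them to "show run", "exit", "logout" and "ping" (option 1 in the first reply, and the Grant/Command/Arguments rule syntax in the second). The small model below is an added illustration written for this page, not ACS's own code or any Cisco-published logic. It assumes the ACS 5.x matching semantics as commonly described: the Command field is compared against the first word of the line, the Arguments field is a regular expression that must match the whole remainder of the line, "Deny Always" overrides "Permit", and an unmatched line is denied unless the "permit any command that is not in the table" box is ticked. The `CommandRule`, `CommandSet` and `readonly_command_set` names, and the sample command lines, are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CommandRule:
    """One row of an ACS "Command Set" (hypothetical model, not ACS code)."""
    grant: str            # "permit", "deny" or "deny_always"
    command: str          # compared exactly against the first word, e.g. "show"
    arguments: str = ""   # regex over everything after the first word; "" = no arguments


@dataclass
class CommandSet:
    """A command set plus the "Permit any command that is not in the table" checkbox."""
    name: str
    rules: List[CommandRule] = field(default_factory=list)
    permit_unmatched: bool = False   # assumed default: unmatched commands are denied

    def evaluate(self, line: str) -> Tuple[bool, str]:
        """Return (allowed, reason) for one command line as the device would send it.

        Assumed precedence: Deny Always > Permit > Deny > default for unmatched lines.
        """
        words = line.split()
        if not words:
            return False, "empty command line"
        cmd, args = words[0], " ".join(words[1:])

        # Collect the grants of every rule whose command word and argument regex match.
        grants = {
            r.grant
            for r in self.rules
            if r.command == cmd and re.fullmatch(r.arguments, args) is not None
        }
        if "deny_always" in grants:
            return False, "deny-always rule matched"
        if "permit" in grants:
            return True, "permit rule matched"
        if "deny" in grants:
            return False, "deny rule matched"
        if self.permit_unmatched:
            return True, "no rule matched, default permit"
        return False, "no rule matched, default deny"


def readonly_command_set() -> CommandSet:
    """The command set sketched in the thread: show run, exit, logout, ping and nothing else.

    The first rule also accepts "show running-config view full", the command the
    second option in the thread relies on.
    """
    return CommandSet(
        name="show-run-only",
        rules=[
            CommandRule("permit", "show", r"running-config( view full)?"),
            CommandRule("permit", "exit"),
            CommandRule("permit", "logout"),
            CommandRule("permit", "ping", r".*"),
        ],
    )


def check(cs: CommandSet, lines: List[str]) -> Dict[str, bool]:
    """Evaluate several constructed command lines against a command set."""
    return {line: cs.evaluate(line)[0] for line in lines}


if __name__ == "__main__":
    sample = [
        "show running-config",            # allowed: the rule from the thread
        "show running-config view full",  # allowed: option 2 from the first reply
        "show ip interface brief",        # denied: not in the set
        "configure terminal",             # denied: not in the set, default deny
        "ping 10.0.0.1",                  # allowed: ping with any arguments
        "show run",                       # denied here: "run" does not match the regex
    ]
    for line, allowed in check(readonly_command_set(), sample).items():
        print(f"{'PERMIT' if allowed else 'DENY  '} {line}")
```

Two practical points the model makes visible. First, the last sample line: a rule with Arguments=running-config only matches what the device actually sends, which for IOS is normally the fully expanded command (so "show run" typed by the user arrives as "show running-config"); writing the abbreviation into the rule would not help. Second, none of this has any effect unless the device asks ACS about every command the user types, which on IOS is the per-level `aaa authorization commands 15 default group tacacs+` line; that device-side setting is not discussed in the thread but is the usual prerequisite for a command set to bite.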

Hello Neno,

I have corrected the command sets as per your advice.

Then I created a privilege level 15 shell profile (not privilege level 4).

But under Access Policies > Access Services > Default Device Admin > Authorization I am unable to see the shell profile (backup -- see attachment) I have created.

It is displaying the L1 access and L3 access shell profiles properly. I think I am missing something.

Do let me know, see the attachment for your reference, and let me know if you need anything from my end.


You are almost there! You need to click on one of the rules (rule-1 or rule-3) or create a new rule on your "Authorization" page that you outlined in the screenshot called "access_services_1.jpg". Once you click one of the rules, you will get a new window, and there you can attach the "Command Set".

I also found this cool video that will actually walk you step by step. Check it out:

https://www.youtube.com/watch?v=ywYSJ7i7HV4

Thank you for rating helpful posts!