06-21-2013 10:46 AM - edited 03-10-2019 08:34 PM
I'm working on creating AAA authorization sets for our environment and ran into a question!
I'd like to be able to enable ALL show commands except 'show run'. I would also like to enable 'show run interface'. I've figured out how to enable all show commands and disable show run. The problem I'm finding is that since 'show run interface' is a subset of 'show run', it seems to be disabled as well, even if I try to explicitly enable it.
Is there a way to disable 'show run' but enable all other show commands and 'show run interface' with an AAA authorization set?
ACS Version 4.1.
Command set is configured:
06-21-2013 10:53 AM
Try to use 'deny running-config'.
In case it doesn't work, please get the "debug aaa authorization" and "debug tacacs".
What is your IOS-side config?
Jatin Katyal
- Do rate helpful posts -
06-21-2013 11:12 AM
Changing it to 'deny running-config' does the exact same thing. It looks like it's seeing the 'show running-config' and then stopping on that before anything else. I've tried adding 'permit run interface' in ACS and same thing. Other AAA Authorization set commands work just fine.
On the switch (it's a 2960G-8TC-K) running 12.2(58)SE2:
aaa group server tacacs+ SHS
server 10.10.11.200
!
aaa authentication login verifyme group TACACS+ local
aaa authorization config-commands
aaa authorization exec verifyme group TACACS+ local
aaa authorization commands 0 default group TACACS+
aaa authorization commands 1 default group TACACS+
aaa authorization commands 15 default group TACACS+
aaa accounting send stop-record authentication failure
aaa accounting exec verifyme start-stop group TACACS+
aaa accounting commands 15 default start-stop group TACACS+
aaa accounting network verifyme start-stop group TACACS+
aaa accounting system default start-stop group TACACS+
aaa session-id common
Debugs!
Jun 21 11:07:39: AAA: parse name=tty0 idb type=-1 tty=-1
Jun 21 11:07:39: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Jun 21 11:07:39: AAA/MEMORY: create_user (0x3A790DC) user='test' ruser='SGAVEJ01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): Port='tty0' list='' service=CMD
Jun 21 11:07:39: AAA/AUTHOR/CMD: tty0 (4105592267) user='test'
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV service=shell
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd=show
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=running-config
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=interface
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=GigabitEthernet
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=0/1
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD(4105592267): found list "default"
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): Method=TACACS+ (tacacs+)
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): user=test
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV service=shell
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd=show
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=running-config
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=interface
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=GigabitEthernet
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=0/1
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=
Jun 21 11:07:39: TAC+: Using default tacacs server-group "TACACS+" list.
Jun 21 11:07:39: TAC+: Opening TCP/IP to 10.10.11.200/49 timeout=5
Jun 21 11:07:39: TAC+: Opened TCP/IP handle 0x3A41210 to 10.10.11.200/49 using source 10.40.0.14
Jun 21 11:07:39: TAC+: 10.10.11.200 (4105592267) AUTHOR/START queued
Jun 21 11:07:39: TAC+: (4105592267) AUTHOR/START processed
Jun 21 11:07:39: TAC+: (-189375029): received author response status = FAIL
Jun 21 11:07:39: TAC+: Closing TCP/IP 0x3A41210 connection to 10.10.11.200/49
Jun 21 11:07:39: AAA/AUTHOR (4105592267): Post authorization status = FAIL
Jun 21 11:07:39: AAA/MEMORY: free_user (0x3A790DC) user='test' ruser='SGAVEJ01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 vrf= (id=0)
06-30-2013 08:30 PM
Hello,
Try out the following; it will definitely work:
permit run interface
deny all run
Please apply in this particular order only.
07-04-2013 08:43 AM
I tried setting it up this way, same issue. If I set it up that way and test it, the interfaces still will not show (nor will anything else).
SGAVEJ01#show run
Command authorization failed.
SGAVEJ01#sh run interface gi0/1
Command authorization failed.
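The matching problem the debug output above illustrates, as an added example (not the thread's or ACS's own code): it rebuilds the command from the cmd/cmd-arg AV pairs and evaluates an assumed ordered, first-match permit/deny list with regex search, which reproduces the poster's result for an unanchored 'deny running-config' and shows an anchored variant that keeps 'show run' denied while permitting 'show run interface'. The rule evaluator and DEBUG_LINES sample are constructed; ACS's actual evaluation order is not stated anywhere in the thread.

```python
import re

# Constructed sample: the cmd/cmd-arg AV pairs from the thread's debug output
DEBUG_LINES = """\
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV service=shell
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd=show
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=running-config
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=interface
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=GigabitEthernet
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=0/1
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=
""".splitlines()

AV_RE = re.compile(r"send AV (cmd|cmd-arg)=(.*)$")

def parse_command(lines):
    """Rebuild (command, argument string) from AAA/AUTHOR/CMD debug lines.
    IOS sends the expanded keyword ("running-config", not "run"), one
    cmd-arg per token, terminated by an empty cmd-arg."""
    cmd, args = None, []
    for line in lines:
        m = AV_RE.search(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "cmd":
            cmd = value
        elif value:
            args.append(value)
    return cmd, " ".join(args)

def authorize(cmd, arg_string, rules, unmatched="deny"):
    """Hypothetical first-match evaluator (a model, not ACS's engine): each
    rule is (command, action, regex); the regex is searched in the argument
    string, so an unanchored "running-config" also hits the interface form."""
    for rule_cmd, action, pattern in rules:
        if rule_cmd == cmd and re.search(pattern, arg_string):
            return action
    return unmatched

# Rules as the original poster had them: deny running-config, permit the rest.
OP_RULES = [("show", "deny", "running-config"), ("show", "permit", ".*")]
# Same intent: permit the interface form first, anchor the deny to the start of
# the argument string so "show run | include ..." and "show run all" stay denied.
FIXED_RULES = [
    ("show", "permit", r"^running-config interface\b"),
    ("show", "deny", r"^running-config"),
    ("show", "permit", ".*"),
]
```

Run the real 'debug aaa authorization' for each command you care about and feed those lines to parse_command; the argument string it returns is what any deny pattern has to be checked against, including piped and 'all' variants.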