cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2198
Views
0
Helpful
16
Replies

Authorization in ACS 5.2

marcelnjkoks
Level 1
Level 1

In ACS 5.2, when i add custom a shell profile to a rule in an authorization policy (used in a TACAS access service) it seems to be skipped.

I can see the rule is hit because the hitcount number increases (it hits because of the group id), and when i set the shell profile to deny access (as test), access is actually rejected. So i know the rule is hit, but anything i put in my custom shell profile at the common tasks tab (like an auto command or default/maximum privilege level) is not used.

The same goes for commands sets. When i add the set 'deny all commands' the user is still able to exceute all commands, although the rule is hit based on the group ID the user belongs to.

I must be doing something wrong, but i can't find my mistake.

16 Replies 16

Nicolas Darchis
Cisco Employee
Cisco Employee

Well indeed, you must be doing something wrong :-)

Can you post a few screenshots of your authorization rules, shell profiles and so on so that we can comment ?

Hi Nic,

I am also facing the same challenge. When I check the "AAA Protocol -> Tacacs Authorization" in Monitoring & Reports, I dont see any logs/reports but the hit counter keeps on incrementing.

@ Edward; Same here, no authorization logging.

@ Nicolas; thanks for picking this up.

First of all, these are my AAA lines in the test 2901, running IOS 15.0.

aaa authentication login ACS-TAC group tacacs+ local

aaa authorization exec ACS-TAC group tacacs+ local

aaa authorization commands 0 ACS-TAC group tacacs+ local

aaa authorization commands 1 ACS-TAC group tacacs+ local

aaa authorization commands 15 ACS-TAC group tacacs+ local

I created a new Access service, of which the Identity part is working fine.

These rules are in the authorization policy:

This is rule1:

This is the Shell profile, just for test:

The command set is easy, denyallcommands. I want to add a specific command set for our service desk, but not before i can get it to work.

When i change the Shell profile of rule1 to DenyAccess i am not able to logon with the service desk account, so it looks like the authorization rule is actually used.

2 things cross my mind.

1) Have you tried assigning "permit access" AND AEAdmin as shell profiles ?

2) I have seen already the ACS config manager process hang. So all was working except that new config changes were not applied. Try to reboot your ACS to see if it changes something.

Hi Nicolas:

Nicolas Darchis wrote:

2 things cross my mind.

1) Have you tried assigning "permit access" AND AEAdmin as shell profiles ?

2) I have seen already the ACS config manager process hang. So all was working except that new config changes were not applied. Try to reboot your ACS to see if it changes something.

1: Can't do that. Can select only 1 shell profile at a time.

2: Just did because i had to adjust clock timezone settings.

1) My bad. I confused with "authorization profile" which you can stack.

Then I don't know, it's very strange.

I would advise a TAC case if you can to look at this closer

Ok, so it should work the way i have it setup now?

Hi Marc,

What version are you running? 5.2.0.26.x?

I wanted to try and upgrade to the latest patch to see if it is a bug issue but I dont have access to the patches. Do you have the latest patch i.e. x = 5?

Maybe you can try that then tell me if it works. Also, if you contact TAC, kindly give me the input so that I ca see if I can resolve my issue also.

Yep, 5.2.0.26.

So probably not the latest patch. Should have access to it...

Hmm, patch won't install:

NLAMS03-ACS01/admin# acs patch install 5-2-0-26-5.tar.gpg repository Updates

chmod: cannot access `*.sh': No such file or directory

Invalid patch '5-2-0-26-5.tar.gpg' - missing install.sh

% Error: Failure to open / validate the patch

It downloads the patch from my TFTP server, but it fails during install.

Hi Marc,

Rename the file to

5-2-0-26-5.tar.tar and try to unzip it.

In short, play around with the file name.

Tried that, but it seems it expects the default filename:

NLAMS03-ACS01/admin# acs patch install 5-2-0-26-5.tar.tar repository Updates

Cannot find patch file '5-2-0-26-5.tar.gpg'

% Error: Failure to open / validate the patch

The ACS did download the patch from my TFTP server, but after that this message appeared.

Found the issue;

TFTP is not supported for upgrading ACS. It's in the documentation as well:

tftp:

Source or destination URL for a TFTP network server. Use url  tftp://server/path1.


Note You cannot use a  TFTP repository for performing ACS upgrade.


Used FTP and it works...

Working with supplier support now to get the authorization issue resolved.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: