Cisco ACS 5.2 command set

santosh.kotkar
Level 1

Hi

In Cisco ACS 5.2 I have two groups.

Group1--Full access group

Group2--Read only group

I would like to block the following commands for group 2, which is for read-only users. This user group has access only up to EXEC mode and they are able to run all show commands.

show tech-support

telnet

ssh

rlogin

Can anyone help on this please?

Regards

Santosh Kotkar

13 Replies

Create a shell command set authorizing only what you want the users to execute.

In the authorization policy screen click Customize, move "command sets" to the right column, click OK.

Now create an authorization policy that triggers on group membership and assign the shell command set to it.

Hi Javier

I have a Level-2 support group and would like to revoke show tech-support, telnet and ssh command access only, but it's not working; these users can still run these commands.

I have allowed clear counters which is working fine.

I have attached a screenshot. Any idea, or am I making a mistake in the command set?

Regards

Santosh

Please also take a screenshot of the authorization rule that your level 2 support team is matching, so we know what you are assigning them.

Hi Nicolas

Here are some screenshots of the authorization rule.

Thanks

Santosh

Strange. It looks good.

Maybe you can look in "Monitoring and Reports" -> AAA catalog -> TACACS authorization for commands that got authorized for level 2 users but that shouldn't have been authorized. If you click on the magnifying glass for details, you should see why ACS authorized them.

Authorization is just showing the allowed command set.

Still not sure what's going on.

Following are the logs; they just show "allowed" but do not show the actual command.

Your first screenshot shows that show run and conf t were denied ...

I don't get what the problem is then??

"show run" and "config t" are already denied for level 2 users, which is correct.

The problem is "show tech-support, telnet and ssh" commands are allowed which we would like to revoke for level 2 users.

In my first screenshot these are the command sets I have created to stop access. For some reason they are still working.

I hope you got my issue. Thanks

Regards

Santosh

Sorry, the previous screenshot was confusing; this is the updated/current screenshot.

Fair enough. But your passed/failed authentication screenshot does not show a telnet or ssh command that should have been denied but was accepted. That's what we're interested in.

Yes, the authorization logs are not showing all the details. Just now I ran those commands (telnet, ssh and show tech-support unprivileged) but it's showing status "passed" and nothing more detailed.

Any suggestions, guys?

Thanks

Santosh

No no, you missed something. If the user types "telnet", you should have a passed entry for the command "telnet" on ACS, and it seems you don't!

That means that the switch never asks ACS whether to authorize that command or not ...

Switch config issue?
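The switch-side AAA configuration the last reply points at, as an added example that is not part of this thread and not the original poster's own config; the TACACS+ server address and key are constructed placeholders. The point it demonstrates: IOS only sends a command to ACS for authorization at privilege levels that have an `aaa authorization commands <level>` line. telnet, ssh and show tech-support are level-1 (user EXEC) commands, so if only `commands 15` is configured, ACS never sees them, the command set cannot deny them, and no per-command entry ever appears in the ACS TACACS authorization report, which is exactly the symptom described above.

```cisco-ios
! Constructed example: server address and shared key are placeholders
aaa new-model
tacacs-server host 192.0.2.10 key EXAMPLE_KEY
!
! Login and EXEC-shell authorization against ACS, local fallback if ACS is unreachable
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Ask ACS to authorize commands at EVERY privilege level the users can reach.
! Level 1 covers user-EXEC commands such as telnet, ssh and show tech-support.
! With only the "commands 15" line, level-1 commands are never sent to ACS,
! so a command set that denies them has no effect.
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! Also send configuration-mode commands (conf t and what follows) for authorization
aaa authorization config-commands
!
! Command accounting, so the ACS report records each command that was actually run
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
```

A quick check after applying this: run `telnet` from a level-2 user's session and confirm a per-command "telnet" entry now appears under Monitoring and Reports -> AAA catalog -> TACACS authorization, with the deny coming from the command set.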