08-30-2011 11:19 PM - edited 03-10-2019 06:21 PM
Hi
In Cisco ACS 5.2 I have two groups.
Group1--Full access group
Group2--Read only group
I would like to block the following commands for Group2, which is the read-only users group. This user group has access only up to EXEC mode and they are
able to run all show commands.
show tech-support
telnet
ssh
rlogin
Can anyone help on this please?
Regards
Santosh Kotkar
08-31-2011 06:58 AM
Create a shell command set authorizing only what you want the users to execute.
In the authorization policy screen click Customize, move "command sets" to the right column, click OK.
Now create an authorization policy that triggers on group membership and assign the shell command set to it.
08-31-2011 05:42 PM
Hi Javier
I have a Level-2 support group and would like to revoke show tech-support, telnet and ssh command access only, but it's not working; these users can still run these commands.
I have allowed clear counters, which is working fine.
I have attached a screenshot. Is there any idea, or am I making any mistake in the command set?
Regards
Santosh
08-31-2011 10:46 PM
Please also take a screenshot of the authorization rule that your level 2 support team is matching, so we know what you are assigning them.
08-31-2011 11:29 PM
Hi Nicolas
Here are some screenshots of the Authorization rule.
Thanks
Santosh
08-31-2011 11:36 PM
Strange. It looks good.
Maybe you can look in "Monitoring and Reports" -> AAA Catalog -> TACACS Authorization for commands that got authorized for level2 users but that shouldn't have been authorized. If you click on the magnifying glass for details, you should see why ACS authorized them.
09-01-2011 12:09 AM
Authorization is just showing the allowed command set.
Still not sure what's going on.
Following are the logs, just showing "allowed" but not showing the actual command.
09-01-2011 12:12 AM
Your first screenshot shows that show run and conf t were denied...
I don't get what the problem is then??
09-01-2011 04:31 PM
"Show run and config t" are already denied for level 2 users, which is correct.
The problem is that the "show tech-support, telnet and ssh" commands are allowed, which we would like to revoke for level 2 users.
In my first screenshot these are the command sets I have created to stop access. For some reason they are still working.
I hope you got my issue. Thanks
Regards
Santosh
09-01-2011 04:47 PM
Sorry, the previous screenshot was confusing; this is the updated/current screenshot.
09-01-2011 10:26 PM
Fair enough. But your passed/failed authentication screenshot does not show a telnet or ssh command that should have been denied but was accepted. That's what we're interested in.
09-01-2011 11:04 PM
Yes, the Authorization logs are not showing all details. Just now I have run those commands (telnet, ssh and
show tech-support unprivileged) but it's showing status "passed" and nothing more in the details.
09-05-2011 06:48 PM
Any suggestions guys?
Thanks
Santosh
09-05-2011 11:17 PM
No no, you missed something. If the user types "telnet", you should have a passed entry for the command "telnet" on ACS, and it seems you don't!
That means that the switch never asks ACS whether to authorize that command or not...
Switch config issue?
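An added example, not part of this thread or of any poster's configuration, of the IOS-side AAA configuration that makes the switch send every EXEC command to ACS for authorization. The symptom above (level-15 commands such as conf t and show run are denied, while level-1 commands such as telnet, ssh and show tech-support never appear in the ACS log) is consistent with "aaa authorization commands 15" being present but "aaa authorization commands 1" missing, so the switch only asks ACS about privilege-15 commands. The server address, key and group name below are placeholders.

```cisco
! Enable the AAA model and point the switch at the ACS TACACS+ server
! (address, key and group name are placeholders, not from the thread)
aaa new-model
tacacs server ACS-PLACEHOLDER
 address ipv4 192.0.2.10
 key 0 CHANGE-ME
aaa group server tacacs+ ACS-GRP
 server name ACS-PLACEHOLDER

! Authenticate logins and authorize the EXEC shell via ACS, with local fallback
aaa authentication login default group ACS-GRP local
aaa authorization exec default group ACS-GRP local

! Command authorization is per privilege level of the COMMAND, not of the user.
! telnet, ssh and show tech-support are privilege-1 commands, so without the
! "commands 1" line the switch never consults ACS for them and the ACS
! command set is never evaluated, which matches the symptoms in this thread.
aaa authorization commands 1 default group ACS-GRP local
aaa authorization commands 15 default group ACS-GRP local

! Also send configuration-mode commands for authorization
aaa authorization config-commands

! Accounting gives ACS a per-command record, useful when debugging which
! commands were actually sent (the "passed" entries discussed above)
aaa accounting commands 1 default start-stop group ACS-GRP
aaa accounting commands 15 default start-stop group ACS-GRP
aaa accounting exec default start-stop group ACS-GRP
```

Method lists named "default" apply to all lines automatically; "debug aaa authorization" and "debug tacacs" on the switch will show whether a typed command is actually sent to ACS.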