
Couldn't get command set working on ACS 5.3

kerim mohammed
Level 3

Hi,

I configured a command set on ACS 5.3 so that it allows running the show command only. The corresponding shell profile is set to privilege level 15. I couldn't get it working. Users are still able to run any command. How do I get this working?

Thanks,

Kerim

Accepted Solution

You are missing the "authorization" commands.

For example depending on what you need to check with ACS you will have to use:

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 0 default group tacacs+ if-authenticated

The previous commands mean that every time a user enters a level 15/1/0 command, the client will check with the ACS whether the command is permitted or not.

Also, in the Command Set you don't need to use "*" in the Argument section, just "show" under the Command section.

Remember to have a back door configured, e.g. console access; this will keep you from getting locked out.

Let me know how it goes.

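To make the accepted answer concrete, here is an added example (mine, not code from the thread, from Cisco or from ACS) that does two things: it checks an IOS running-config for the `aaa authorization commands` lines the answer asks for, and it emulates what the router and the ACS command set would decide for a given command line. The sample configs are constructed (192.0.2.10 and EXAMPLEKEY are placeholders), and the ACS matching model in `command_set_decision` is a simplified assumption of how a command set with a "show" rule and blank Arguments behaves, not ACS's own implementation.

```python
"""Two checks for the problem in this thread: (1) does the IOS running-config
actually send commands to TACACS+ for authorization, and (2) what the ACS
command set would answer. Constructed sample configs; the ACS matching model
is a simplified assumption, not ACS's own code."""
import re

# Constructed running-config modelled on the original post: authentication
# and exec authorization are present, but there are no "aaa authorization
# commands" lines, so IOS never asks ACS about individual commands.
# The server address and key are placeholders.
BEFORE = (
    "aaa new-model\n"
    "aaa authentication login default group tacacs+ local\n"
    "aaa authorization exec default group tacacs+ if-authenticated\n"
    "tacacs-server host 192.0.2.10 key EXAMPLEKEY\n"
)

# The same box with the accepted answer's lines added. The IOS keyword is the
# plural "commands"; IOS accepts the abbreviation "command" but stores it as
# "commands", which is what "show run | i aaa" will print.
AFTER = BEFORE + (
    "aaa authorization commands 0 default group tacacs+ if-authenticated\n"
    "aaa authorization commands 1 default group tacacs+ if-authenticated\n"
    "aaa authorization commands 15 default group tacacs+ if-authenticated\n"
)

# Variant without the if-authenticated fallback: fails closed when ACS is down.
STRICT = AFTER.replace(" if-authenticated", "")

AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) \S+ (.+)$", re.M)


def command_authz_methods(config):
    """Map privilege level -> method list, e.g. {15: ['group', 'tacacs+', 'if-authenticated']}."""
    return {int(level): methods.split() for level, methods in AUTHZ_RE.findall(config)}


def missing_levels(config, wanted=(0, 1, 15)):
    """Privilege levels with no command authorization at all. Commands entered at
    these levels never reach ACS, so the command set is never consulted (the
    symptom in the original post)."""
    have = command_authz_methods(config)
    return [level for level in wanted if level not in have]


def fail_open_levels(config):
    """Levels whose method list contains if-authenticated or none: if every
    TACACS+ server is unreachable, IOS falls through and permits any command."""
    return sorted(level for level, methods in command_authz_methods(config).items()
                  if "if-authenticated" in methods or "none" in methods)


# ACS 5.x command set as configured in the accepted answer: Command "show",
# Arguments left blank, and "Permit any command that is not in the table
# below" left unticked.
COMMAND_SET = {
    "permit_unmatched": False,
    "rules": [("permit", "show", "")],   # (grant, command, argument regex)
}


def command_set_decision(command_set, cmdline):
    """Assumed matching model (simplified): the first rule whose command equals
    the first token and whose argument regex (blank = anything) matches the
    remaining tokens decides; if no rule matches, permit_unmatched decides."""
    tokens = cmdline.split()
    if not tokens:
        return "deny"
    command, args = tokens[0], " ".join(tokens[1:])
    for grant, rule_command, arg_pattern in command_set["rules"]:
        if rule_command == command and re.fullmatch(arg_pattern or ".*", args):
            return grant
    return "permit" if command_set["permit_unmatched"] else "deny"


def authorize(config, level, cmdline, command_set=COMMAND_SET, tacacs_reachable=True):
    """Walk the IOS method list for this privilege level the way IOS does: a
    method that answers (permit or deny) ends the search; a method that errors
    (server unreachable) hands over to the next one; no answer at all is a
    deny. The 'local' method is not modelled here."""
    methods = command_authz_methods(config).get(level)
    if methods is None:
        return "permit"              # nothing configured: IOS does not authorize commands
    it = iter(methods)
    for method in it:
        if method == "group":
            next(it)                 # consume the server-group name, e.g. tacacs+
            if tacacs_reachable:
                return command_set_decision(command_set, cmdline)
            continue                 # no response: try the next method
        if method in ("if-authenticated", "none"):
            return "permit"
    return "deny"


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER), ("strict", STRICT)):
        print(name, "missing:", missing_levels(cfg), "fail-open:", fail_open_levels(cfg))
        for line in ("show running-config", "configure terminal"):
            print("  ", line, "->", authorize(cfg, 15, line),
                  "/ ACS down ->", authorize(cfg, 15, line, tacacs_reachable=False))
```

The `fail_open_levels` check is the caveat that goes with the accepted answer: `if-authenticated` is what keeps you from being locked out when ACS is unreachable, but it also means the "show only" restriction disappears for as long as the server is down, so treat reachability of the TACACS+ server as a security control and alert on it. The `STRICT` variant fails closed instead, which is why the answer's advice about a console back door matters; by default IOS does not apply AAA authorization to the console line unless `aaa authorization console` is configured. On the router itself, `debug aaa authorization` and `debug tacacs` show whether each command is actually being sent to ACS and what ACS replied.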

5 Replies

mauzamor
Level 1

Hi there,

What is your current AAA configuration on the client? Type "show runn | i aaa" and paste the output here. Also share with us a screenshot of your Command Set and Authorization rule.

This is the command set:

Authorization: the last one

Authorization profile (shell profile):

Thanks,

Let me know if you need more info.


Thanks! That took care of it.

Glad to hear the good news.

Have a nice day.