04-12-2010 10:52 AM - edited 03-10-2019 05:03 PM
I use ACS ver 4.2, and set up the following configuration on the routers.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_auth local enable
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
Everything works perfectly, but I am trying to deny the 'show run' command using ACS command authorization sets (see attachment). All other commands are working, but no matter what I do, the show run is unsuccessful. In the group, Max privilege for any AAA client is set to 'Level 1', and Shell (exec) is set to 'Privilege level 1'. Any ideas?
04-12-2010 10:59 AM
04-12-2010 02:56 PM
Hi,
Please enable "debug aaa authorization" and "debug tacacs". It seems that device is not checking authorization status from ACS for "show run" command.
Issue can be due to IOS bug.
Regards,
~JG
Do rate helpful posts
04-18-2010 07:46 PM
I have tried this in a v4.1 ACS and can deny the show run and show clock commands but allow all the other show commands:
The AAA config on the test device (Version 12.2.18 EW2 IOS) is:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
Here is the output:
TESTSWITCH01#show clock
Command authorization failed.
TESTSWITCH01#show run
Command authorization failed.
TESTSWITCH01#show calendar
12:13:26 AEST Mon Apr 19 2010
04-19-2010 09:34 AM
You cannot use "run", you have to use "running-config" (i.e., it has to match what the router sends for authorization).
04-19-2010 07:31 PM
Hmmm... well "run" seems to work for "running-config" as well. Here is my test Command Authorization:
Here is the test:
router1#sh run
Command authorization failed.
router1#show running-config
Command authorization failed.
router1#show terminal
Line 167, Location: "", Type: "vt100"
Length: 56 lines, Width: 132 columns...
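The thread's goal (deny "show run" / "show running-config" while permitting other show commands, with the command authorization set applied per command and argument) can be modelled outside of ACS to reason about why a rule matches or not. The following Python is an added example, not code from Cisco, ACS or any poster in this thread. It assumes the CLI expands abbreviated keywords to their full form before the command and its arguments are sent for authorization (the point disputed above), and it assumes an ACS-style set: per-command argument lines checked in order, a "permit unmatched args" flag, and a set-wide action for commands the set does not list. The keyword table and command set are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed model of an ACS-style "shell command authorization set".
# Assumption: per command, a list of (action, argument-regex) lines checked
# in order, plus a "permit unmatched args" flag; commands with no entry fall
# back to the set-wide "unmatched commands" action. Illustrative only.

@dataclass
class CommandRule:
    arg_rules: list = field(default_factory=list)   # [(action, regex), ...]
    permit_unmatched_args: bool = True

@dataclass
class CommandSet:
    rules: dict                                     # command -> CommandRule
    permit_unmatched_commands: bool = True

# Constructed keyword table used to expand abbreviated input the way the CLI
# does before authorization (assumption: "sh run" -> "show running-config").
KEYWORDS = {
    "show": ["running-config", "clock", "calendar", "terminal", "version"],
    "configure": ["terminal"],
}

def expand(typed):
    """Return (command, argument string) with keywords expanded to full form."""
    words = typed.split()
    if not words:
        raise ValueError("empty command")
    cmds = [c for c in KEYWORDS if c.startswith(words[0])]
    if len(cmds) != 1:
        raise ValueError(f"ambiguous or unknown command: {words[0]!r}")
    cmd = cmds[0]
    args = []
    for w in words[1:]:
        full = [k for k in KEYWORDS[cmd] if k.startswith(w)]
        args.append(full[0] if len(full) == 1 else w)   # unknown words kept as typed
    return cmd, " ".join(args)

def authorize(cmd_set, cmd, arg):
    """Evaluate one (command, argument) pair against the set; True = permitted."""
    rule = cmd_set.rules.get(cmd)
    if rule is None:
        return cmd_set.permit_unmatched_commands
    for action, pattern in rule.arg_rules:
        if re.search(pattern, arg):
            return action == "permit"
    return rule.permit_unmatched_args

# The set the thread is after: deny "show running-config" and "show clock",
# permit every other show argument, permit commands the set does not list.
DENY_SHOW_RUN = CommandSet(
    rules={
        "show": CommandRule(
            arg_rules=[("deny", r"^running-config\b"), ("deny", r"^clock\b")],
            permit_unmatched_args=True,
        )
    },
    permit_unmatched_commands=True,
)

def check(typed, cmd_set=DENY_SHOW_RUN):
    """Expand the typed line as the device would, then authorize it."""
    cmd, arg = expand(typed)
    return authorize(cmd_set, cmd, arg)

if __name__ == "__main__":
    for line in ["sh run", "show running-config", "show clock",
                 "show calendar", "show terminal", "configure terminal"]:
        verdict = "permitted" if check(line) else "Command authorization failed."
        print(f"{line:22} -> {verdict}")
```

Under this model a deny line written against the expanded argument ("running-config") blocks both "sh run" and "show running-config", matching the outputs quoted in the thread, and a pattern written as a prefix such as `^run` would also match the expanded form; whether ACS matches arguments that way is not something the thread establishes, so treat that as the model's assumption. The useful check in practice remains the one suggested earlier in the thread: confirm with "debug aaa authorization" and "debug tacacs" what command and arguments the device actually sends, and write the set against that.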