Shell Command Authorization Sets ACS

Gerson Acevedo
Level 1

Hi, I followed this guide step by step: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

But still all my users can use all the commands.


!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login milista group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
!
aaa session-id common
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username admin privilege 15 secret 5 $1$CS17$3oeNpzTvJAyZTvOUP2qyB1
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.20.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
ip address 20.20.20.2 255.255.255.252
clock rate 2000000
!
interface Serial0/2
no ip address
shutdown
clock rate 2000000
!
interface Serial0/3
no ip address
shutdown
clock rate 2000000
!
router eigrp 1
network 20.0.0.0
network 192.168.20.0
no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
tacacs-server host 192.168.20.2 key cisco
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication milista
line aux 0
line vty 0 4
!
!
end

I copied the authorization commands from the Cisco forum and followed the steps, but nothing: all my users have full access to all commands.

Here's my shell profile:

Name: admin jr

Description: for jr admin

Unmatched commands: ( ) Permit  (x) Deny
Permit unmatched args: ( )

enable
show: permit version<cr>
      permit running-config<cr>


Then I add this profile to group 2 and then I add my user to group 2.

Then I log in to the router with the user and I still can use ALL the commands. I don't know what I am doing wrong. Any idea?

Can you give me, if you can, a guide to set up authorization with ACS? I can't find any good guide. Jeremy from CBT gives an example, but just for authentication. I am lost; I have been battling with this problem since Wednesday without luck.
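As an added illustration that is not part of the thread: a small Python model of how the posted "admin jr" shell command authorization set would be evaluated, and of why it is never consulted for console sessions unless `aaa authorization console` is configured (IOS skips AAA command authorization on the console by default). The class layout, the treatment of argument entries as regular expressions and the empty-argument rule are assumptions of this example, not ACS documentation.

```python
import re
from dataclasses import dataclass


@dataclass
class CommandEntry:
    """One command row of an ACS 4.x shell command authorization set."""
    command: str
    args: list                       # (action, pattern) pairs, evaluated in order
    permit_unmatched_args: bool = False


@dataclass
class CommandSet:
    """Constructed model of the set as entered in the ACS GUI."""
    commands: list
    permit_unmatched_commands: bool = False

    def authorize(self, cmd_line: str) -> bool:
        """Return True if cmd_line would be permitted by this set.

        Assumptions of this example: the first word is matched against the
        command entries; the remaining words are matched as a whole against the
        entry's argument patterns, treated as regular expressions; a command
        typed with no arguments is permitted once its command entry exists.
        """
        cmd, _, args = cmd_line.strip().partition(" ")
        args = args.strip()
        for entry in self.commands:
            if entry.command.lower() != cmd.lower():
                continue
            if not args:
                return True
            for action, pattern in entry.args:
                if re.fullmatch(pattern, args, re.IGNORECASE):
                    return action == "permit"
            return entry.permit_unmatched_args
        return self.permit_unmatched_commands


# The profile posted above: "enable" plus "show" with two permitted arguments,
# unmatched commands denied, unmatched args not permitted.
ADMIN_JR = CommandSet(
    commands=[
        CommandEntry("enable", []),
        CommandEntry("show", [("permit", "version"), ("permit", "running-config")]),
    ],
    permit_unmatched_commands=False,
)


def authorized_on_line(cmd_set, cmd_line, line_type, console_authorization=False):
    """Where IOS actually asks ACS: never for the console unless
    'aaa authorization console' is configured, always for VTY sessions."""
    if line_type == "console" and not console_authorization:
        return True  # no TACACS+ authorization request is sent at all
    return cmd_set.authorize(cmd_line)
```

Testing from the console therefore shows every command permitted, while the same user over Telnet is restricted to the listed commands, which matches the outcome reported at the end of the thread.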

8 Replies

Nicolas Darchis
Cisco Employee

ACS 4 or 5?

On ACS, do you see authorization logs where the switch tries to ask for authorization for each command typed?

It is 4.2 for Server 2003.

And my device is a router. About the logs, I am not using accounting in my router yet; that was the next step in my configuration, but I am stuck here with authorization.

I didn't say accounting. What do you see in the "TACACS+ Authorization" logs on ACS?

Excuse me, I can't find that option in the ACS. Where is it?

Reports and Activity -> TACACS+ Administration

It's blank; nothing appears, not even in the passed authentication log. Weird, but I can log in using TACACS+; all my users there work.

Vamsi Pinnaka
Level 1

"Are you testing with privilege level 15 or below 15? Because when you are using a below-15 level user, first it will check the local command authorization set. For example, if you want to execute the sh runn command with a level 5 user, first it will check the local command set. If the sh runn command exists in the local command set, then it will send a request to ACS. If it is not in the command set, it won't send a request to ACS. That's why you don't see debug. For level 15 users it will directly send a request to ACS. Configure the command set locally and try; it should work.

Correct me if I am wrong."

Regards

Vamsi

Solved it. It didn't work the first time because I tried it from the console. After I tried this config via Telnet (logging in), my users can't use all commands, just the commands I added to the shell list.

This config works.