
Shell command authorization

stretchlad
Level 1

Hi all

I am having a problem with Shell Command Authorization. I have a user set up who I only want to be able to display the config; this is for automated config archival on an hourly basis.

I have configured the device with the following aaa commands:

aaa new-model
aaa group server tacacs+ ACS
aaa authentication login default group ACS
aaa authentication login NOAUTH none
aaa authorization config-commands
aaa authorization exec default group tacacs+ group ACS
aaa authorization exec NOAUTH none
aaa authorization commands 15 default group ACS
aaa authorization commands 15 NOAUTH none
aaa accounting commands 15 default start-stop group ACS

The static account I have configured logs in OK and can show config etc. Access to conf t is disabled, which is good, but for some reason he can do any show command instead of just show run, which is all I have allowed in the Shell Command Authorization set.

Unmatched commands is set to deny and "permit unmatched arguments" is unchecked.

ACS is 3.3(2) and the switch I am testing is running 12.1(9)EA1

Any ideas?

Accepted Solution

gfullage
Cisco Employee

Most "show" commands are level 1 commands. You can verify this by logging in as a normal user, issuing a "sho priv" to ensure you're at level 1, and then typing "sho ip route", "sho ver", etc.; you'll see that all of them work fine.

Your AAA commands only tell the switch to authorize level 15 commands, so when you do a "sho ver" or the like, this command will not be sent off to the ACS server for authorization.

If you add the following:

aaa authorization commands 1 default group ACS

then that should fix it, but be careful because it's easy to lock yourself out of being able to get into enable mode (add "enable" into your command set too).

You should also have noticed that all those "show" commands weren't being accounted either, because you have also only enabled accounting for level 15 commands.

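The accepted answer's point, as an added example that is not part of the original thread and not Cisco's own code: a small Python model of how IOS decides whether a command is sent to the TACACS+ server at all. It takes the AAA config from the original post and the same config with the answer's `aaa authorization commands 1` line (plus a matching level 1 accounting line, which is my extension of the answer's remark about accounting), and runs a few commands through both. The privilege-level table, the command-set format and the `group ACS` regex are assumptions made for the model, not something the thread states; real IOS keeps its own per-command privilege table, and ACS command sets use permit/deny argument lines.

```python
import re

# Privilege level this model assigns to a command's first keyword. This is a
# constructed simplification covering only what the thread discusses: "show"
# and "enable" are level 1 (user EXEC); config-mode entry and the other
# privileged commands are level 15. Not IOS's real table.
COMMAND_LEVELS = {"show": 1, "enable": 1, "configure": 15, "write": 15, "reload": 15}

# ACS "Shell Command Authorization Set" as (command, permitted-argument regex)
# pairs. Unmatched commands and unmatched arguments are denied, matching the
# settings described in the original post. Constructed for this example.
COMMAND_SET = [
    ("show", r"^running-config$"),
    ("enable", r"^$"),  # per the accepted answer: without it, enable is denied
]

# AAA config as posted in the question (constructed copy).
ORIGINAL_CONFIG = """\
aaa new-model
aaa group server tacacs+ ACS
aaa authentication login default group ACS
aaa authentication login NOAUTH none
aaa authorization config-commands
aaa authorization exec default group tacacs+ group ACS
aaa authorization exec NOAUTH none
aaa authorization commands 15 default group ACS
aaa authorization commands 15 NOAUTH none
aaa accounting commands 15 default start-stop group ACS
"""

# Same config plus the line from the accepted answer and, as an extension,
# level 1 accounting so the show commands are logged as well.
FIXED_CONFIG = ORIGINAL_CONFIG + (
    "aaa authorization commands 1 default group ACS\n"
    "aaa accounting commands 1 default start-stop group ACS\n"
)


def _levels(config, pattern):
    """Privilege levels whose *default* method list for `pattern` uses a server group."""
    levels = set()
    for line in config.splitlines():
        m = pattern.match(line.strip())
        if m:
            levels.add(int(m.group(1)))
    return levels


def authorization_levels(config):
    """Levels covered by `aaa authorization commands <level> default group <grp>`."""
    return _levels(config, re.compile(r"^aaa authorization commands (\d+) default group \S+"))


def accounting_levels(config):
    """Levels covered by `aaa accounting commands <level> default start-stop group <grp>`."""
    return _levels(config, re.compile(r"^aaa accounting commands (\d+) default start-stop group \S+"))


def acs_decision(command, command_set=COMMAND_SET):
    """Server-side decision on a fully expanded command line."""
    keyword, _, args = command.partition(" ")
    for permitted, arg_pattern in command_set:
        if permitted == keyword:
            return "permit" if re.match(arg_pattern, args) else "deny"
    return "deny"  # unmatched command: deny


def authorize(config, command, command_set=COMMAND_SET):
    """Return (decision, sent_to_server) for one command under one config.

    The key behaviour from the thread: a command whose privilege level has no
    `aaa authorization commands <level>` list is permitted locally and never
    reaches the server, however strict the server's command set is.
    """
    level = COMMAND_LEVELS[command.split()[0]]
    if level not in authorization_levels(config):
        return ("permit", False)
    return (acs_decision(command, command_set), True)


def accounted(config, command):
    """Whether a command start/stop record would be sent for this command."""
    return COMMAND_LEVELS[command.split()[0]] in accounting_levels(config)


if __name__ == "__main__":
    for cmd in ("show version", "show running-config", "configure terminal", "enable"):
        print(f"{cmd:20} original={authorize(ORIGINAL_CONFIG, cmd)}  "
              f"fixed={authorize(FIXED_CONFIG, cmd)}  accounted_after_fix={accounted(FIXED_CONFIG, cmd)}")
```

Running it shows the symptom from the question (every show command permitted without a server round trip, only `configure terminal` denied) and the behaviour after the fix (`show version` denied, `show running-config` permitted, both now accounted). Calling `authorize(FIXED_CONFIG, "enable", command_set=[("show", r"^running-config$")])` reproduces the lockout the answer warns about: once level 1 is authorized, `enable` is denied unless it is in the command set.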

Thank you for your very helpful response.

Nick