Re: strange problem with command authorisation on acs

sebastan_bach · ‎04-10-2006

hi i am having problem with command authorisation with acs. i am having a full version of acs 3.3

i have configured my router like this.

R1

aaa new-model

aaa authentication login default none

aaa authentication login john default group tacacs+

aaa authorization console

aaa authorization exec bob group tacacs+

aaa authroization commands 5 bob group tacacs+

aaa authroization commands 15 bob group tacacs+

line vty 0 4

login authentication john

authorization exec bob

authroization commands 5 bob

authorization commands 15 bob

on the acs i have specified per user shell command authorisation and i have created 2 users

john and bob

john is configured with level 15

unmatched commands are permitted with unmatched arguments

bob is the level 5 user configured with

unmatched commands (deny)

add command configure

arguments permit terminal

unmatched arguments (deny)

john gets authenticated and authroisaed properly.

bob get authenticated and authorised properly as level 5 user

but he can't see the configure command in the exec mode

when he triies to execute the command configure

in the debug

av-user=bob

av-service=shell

av-cmd=connect

av-cmd-arg=configure

i tried the same with john

av-user=john

av-service=shell

av-user=configure

av-cmd-arg=terminal

when the request is sent from the user john it show service none privilege=15

but for user bob it shows

service none privilege=1

why the command is showing as connect and the arg as configure for user bob. i am got no idea abt this. and it is working fine for john. what could be the problem can anyone help me with this pls.i have working a lot on this to get this working .

sebastan

darpotter · ‎04-11-2006

I could be off target here... but you seem to be using priv levels AND per command authorisation.

I've always thought it was either/or ?

sebastan_bach · ‎04-11-2006

hi there can u helpe me with my problem. i am frustrated with the cisco acs. i did everything as per the guidelines and still it doesn't work. pls help

sebastan

darpotter · ‎04-11-2006

Are you assigning user priv levels via the priv_level attribute (for the shell service) or via the enable login?

If you want per-command authorisation you could try doing away with all the priv-lvl stuff for commands.

Just enable the appropriate cmds/arguments for each user and try that.

Darran

sebastan_bach · ‎04-12-2006

hi darran u mean to say i have configure the privilege levels for users locally on the router for moving the commands from one privilege level to the other. is this what u are suggesting. waiting for ur reply.

sebastan

darpotter · ‎04-12-2006

Well it depends on what you're trying to achieve.

You do away with privilege levels and do it all via command authorisation. Or, you vice versa.

Are you trying authorise only those commands that are above a certain priv level?

sebastan_bach · ‎04-17-2006

hi potter. i learned one thing that we can only authorise commands with acs but we cannot move commands from one privilege level to the other from the acs directly.we have to move the commands first from the with the privilege command on the router locally then only i can authorise the commands for the user at that privilege level.

sebastan