04-13-2009 01:04 PM - edited 03-10-2019 04:26 PM
I am trying to deny the show tech-support command using Cisco Secure ACS command authorization sets (picture included). All other deny commands are working (i.e. show running-config), but no matter what I do the show tech deny is unsuccessful. Any ideas?
04-13-2009 02:54 PM
Does it fail too if you complete the argument?
command=show
argument=tech-support
04-14-2009 05:37 AM
Do you see any hits on acs failed attempts when show tech command fails?
Also check the debug aaa authorization output and see if the device is sending show tech to ACS for authorization. It could be due to a bug wherein some commands are not sent to the TACACS+ server for the authorization check.
Regards,
~JG
Do rate helpful posts
04-14-2009 10:17 AM
JG,
No hits on the failed attempts.
There is no output from the debug when issuing the show tech. However check out the attached xls which shows the actual commands that are being sent after issuing the show tech.
If I issue those commands separately (see attached notepad) they are in fact denied.
So this looks like a bug.
Regards
04-14-2009 12:15 PM
Do you have these authorization commands configured?
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
tacacs-server host 10.1.1.1 key cisco123
Debug aaa author should display:
AAA/AUTHOR/CMD: tty2 (2846421758) user='switchuser'
AAA/AUTHOR/CMD (2846421758): send AV service=shell
AAA/AUTHOR/CMD (2846421758): send AV cmd=show
AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=tech-support
AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=
AAA/AUTHOR/CMD (2846421758): found list "default"
AAA/AUTHOR/CMD (2846421758): Method=tacacs+ (tacacs+)
AAA/AUTHOR/TAC+: (2846421758): user=switchuser
AAA/AUTHOR/TAC+: (2846421758): send AV service=shell
AAA/AUTHOR/TAC+: (2846421758): send AV cmd=show
AAA/AUTHOR/TAC+: (2846421758): send AV cmd-arg=tech-support
AAA/AUTHOR/TAC+: (2846421758): send AV cmd-arg=
TAC+: Using default tacacs server-group "tacacs+" list.
TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
TAC+: Opened TCP/IP handle 0x2E8FEA4 to 10.1.1.1/49
TAC+: 10.1.1.1 (2846421758) AUTHOR/START queued
TAC+: (2846421758) AUTHOR/START processed
TAC+: (-1448545538): received author response status = FAIL
Make sure to modify the original ACS Shell Command Authorization...
deny tech-support instead of deny tech.
04-14-2009 01:21 PM
BINGO!!! That was it. Thanks ansalaza.
I had the following commands:
aaa authorization exec default group TACACS_ADMIN local if-authenticated
aaa authorization commands 15 default group TACACS_ADMIN if-authenticated
but not
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
Can you elaborate a little more on what those commands do, and also on why I need the if-authenticated keyword? I still am not quite sure what exactly that does or if it is needed.
Thanks again.
04-14-2009 01:26 PM
If you use 'if-authenticated' any authentication method (line, local, etc.) will allow for successful authorization. However, if the TACACS+ server goes down during a session, all author will fail until a new authen occurs (log out and log back in). This allows for an extra security measure so that a user with low privileges cannot suddenly run any command if the AAA server goes down. They must have access to the backup authen method.
Regards,
~JG
04-14-2009 01:45 PM
So are you saying that the if-authenticated keyword essentially bypasses command authorization and as long as a user is able to authenticate they can use all commands?
04-14-2009 01:57 PM
No, it provides extra security measure so that a user with low privileges cannot suddenly run any command if the AAA server goes down.
04-15-2009 11:40 AM
jg -
I am testing and I think you have it wrong. What I find is that if the TACACS server becomes unavailable an authenticated user has access to any commands. See for yourself.
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): Port='tty1' list='' service=CMD
02:16:01: AAA/AUTHOR/CMD: tty1 (3085690506) user='temp'
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV service=shell
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV cmd=show
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV cmd-arg=running-config
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV cmd-arg=
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): found list "default"
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): Method=TACACS_ADMIN (tacacs+)
02:16:01: AAA/AUTHOR/TAC+: (3085690506): user=temp
02:16:01: AAA/AUTHOR/TAC+: (3085690506): send AV service=shell
02:16:01: AAA/AUTHOR/TAC+: (3085690506): send AV cmd=show
02:16:01: AAA/AUTHOR/TAC+: (3085690506): send AV cmd-arg=running-config
02:16:01: AAA/AUTHOR/TAC+: (3085690506): send AV cmd-arg=
02:16:11: AAA/AUTHOR (3085690506): Post authorization status = ERROR
02:16:11: tty1 AAA/AUTHOR/CMD (3085690506): Method=IF_AUTHEN
02:16:11: AAA/AUTHOR (3085690506): Post authorization status = PASS_ADD
04-15-2009 12:29 PM
Yes, you are correct. I messed up here. If we use "if-authenticated" the user would be allowed to access the requested function provided the user has been authenticated successfully.
Sorry for the confusion here and thanks for correcting me.
Regards,
~JG
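The debug above is the whole security point of this sub-thread: the TACACS+ method returns ERROR (server unreachable), IOS falls through to Method=IF_AUTHEN, and the request ends PASS_ADD, so an already-authenticated user gets the command. The script below is an added example (my own, not posted in the thread or shipped by Cisco): it parses "debug aaa authorization" output in both line styles seen in this thread, with and without the leading timestamp and ttyN prefix, and reports per request id the command and whether it was denied, permitted by the server, or permitted only through the if-authenticated fallback. The sample lines are constructed from the two debugs posted in this thread; masking the id to 32 bits is my handling of the TAC+ lines printing the same request id as a signed number (2846421758 appears as -1448545538 above).

```python
"""Spot fail-open command authorization in Cisco IOS 'debug aaa authorization' output.

Added example, not from the thread. It flags requests that were permitted only
because the 'if-authenticated' fallback fired after the TACACS+ method errored.
"""
import re
from dataclasses import dataclass, field

# Tolerant of both styles seen in the thread: with or without '02:16:01: tty1 ' prefix.
START_RE = re.compile(r"AAA/AUTHOR/CMD:\s+\S+\s+\((-?\d+)\)\s+user='([^']*)'")
AV_RE = re.compile(r"AAA/AUTHOR/CMD\s+\((-?\d+)\):\s+send AV (cmd|cmd-arg)=(.*)$")
METHOD_RE = re.compile(r"AAA/AUTHOR/CMD\s+\((-?\d+)\):\s+Method=(\S+)")
POST_RE = re.compile(r"AAA/AUTHOR\s+\((-?\d+)\):\s+Post authorization status = (\S+)")
TACRESP_RE = re.compile(r"TAC\+:\s+\((-?\d+)\):\s+received author response status = (\S+)")


def norm_id(raw: str) -> int:
    # The TAC+ layer prints the request id as a signed 32-bit value
    # (-1448545538 is 2846421758 in the thread), so mask both to 32 bits.
    return int(raw) & 0xFFFFFFFF


@dataclass
class AuthzRequest:
    sid: int
    user: str = ""
    av_cmd: list = field(default_factory=list)        # cmd and cmd-arg values in order
    results: list = field(default_factory=list)       # (method, status) in order
    current_method: str = ""

    def command(self) -> str:
        return " ".join(a for a in self.av_cmd if a)

    def verdict(self) -> str:
        if not self.results:
            return "NO RESULT"
        method, status = self.results[-1]
        if not status.startswith("PASS"):
            return "DENIED"
        earlier_error = any(s == "ERROR" for _, s in self.results[:-1])
        if method == "IF_AUTHEN" and earlier_error:
            return "PERMITTED (fail-open: if-authenticated after TACACS+ ERROR)"
        return "PERMITTED"


def parse_debug(lines) -> dict:
    """Group debug lines by request id and collect command, methods and statuses."""
    reqs: dict[int, AuthzRequest] = {}

    def get(raw_id: str) -> AuthzRequest:
        sid = norm_id(raw_id)
        return reqs.setdefault(sid, AuthzRequest(sid))

    for line in lines:
        if m := START_RE.search(line):
            get(m.group(1)).user = m.group(2)
        elif m := AV_RE.search(line):
            get(m.group(1)).av_cmd.append(m.group(3).strip())
        elif m := METHOD_RE.search(line):
            get(m.group(1)).current_method = m.group(2)
        elif m := POST_RE.search(line):
            r = get(m.group(1))
            r.results.append((r.current_method, m.group(2)))
        elif m := TACRESP_RE.search(line):
            r = get(m.group(1))
            r.results.append((r.current_method, m.group(2)))
    return reqs


def fail_open_requests(reqs: dict) -> list:
    """Request ids that were permitted only via the if-authenticated fallback."""
    return sorted(sid for sid, r in reqs.items() if r.verdict().startswith("PERMITTED (fail-open"))


# Constructed sample, modelled on the two debugs posted in this thread.
SAMPLE_DEBUG = """\
AAA/AUTHOR/CMD: tty2 (2846421758) user='switchuser'
AAA/AUTHOR/CMD (2846421758): send AV service=shell
AAA/AUTHOR/CMD (2846421758): send AV cmd=show
AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=tech-support
AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=
AAA/AUTHOR/CMD (2846421758): Method=tacacs+ (tacacs+)
AAA/AUTHOR/TAC+: (2846421758): send AV cmd=show
TAC+: (-1448545538): received author response status = FAIL
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): Port='tty1' list='' service=CMD
02:16:01: AAA/AUTHOR/CMD: tty1 (3085690506) user='temp'
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV service=shell
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV cmd=show
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV cmd-arg=running-config
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): send AV cmd-arg=
02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): Method=TACACS_ADMIN (tacacs+)
02:16:11: AAA/AUTHOR (3085690506): Post authorization status = ERROR
02:16:11: tty1 AAA/AUTHOR/CMD (3085690506): Method=IF_AUTHEN
02:16:11: AAA/AUTHOR (3085690506): Post authorization status = PASS_ADD
"""

if __name__ == "__main__":
    for sid, r in sorted(parse_debug(SAMPLE_DEBUG.splitlines()).items()):
        print(f"{sid} user={r.user!r} cmd={r.command()!r}: {r.verdict()}")
```

Feed it a captured debug (for example the output of "debug aaa authorization" saved from the console) and anything listed by fail_open_requests() is a command that ran without the server ever approving it.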
04-15-2009 05:25 AM
There are three default command levels in IOS: 0, 1, and 15.
I believe that "show tech-support" is not a level 15 command.
Check this Document ID: 13860 for a better explanation.
Hope this helps...
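The fix in this thread was adding "aaa authorization commands" lists for levels 0 and 1 alongside level 15, and the if-authenticated debug earlier showed the other gap. The audit script below is an added example (mine, not from the thread or Cisco): it reads the "aaa authorization" lines of an IOS config and reports a default privilege level (0, 1, 15) with no command-authorization list, and an if-authenticated method on a command-authorization list. The two sample configs are the poster's original lines and the lines from the accepted answer; the list name "default" and the wording of the findings are my assumptions.

```python
"""Audit IOS 'aaa authorization' lines for the two gaps discussed in this thread.

Added example, not from the thread. Finds (1) default privilege levels with no
'aaa authorization commands <level>' list, so commands at that level are never
sent to TACACS+, and (2) 'if-authenticated' on a command-authorization list,
which permits every command once the server returns ERROR.
"""
import re

COMMANDS_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")
EXEC_RE = re.compile(r"^aaa authorization exec (\S+) (.+)$")

# The three default IOS privilege levels named in the thread.
DEFAULT_LEVELS = (0, 1, 15)


def parse_methods(tail: str) -> list:
    """'group TACACS_ADMIN local if-authenticated' -> ['group TACACS_ADMIN', 'local', 'if-authenticated']."""
    toks = tail.split()
    methods, i = [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            methods.append(f"group {toks[i + 1]}")
            i += 2
        else:
            methods.append(toks[i])
            i += 1
    return methods


def parse_authz(config_text: str) -> dict:
    """Return {'exec': {list: methods}, 'commands': {level: {list: methods}}}."""
    out = {"exec": {}, "commands": {}}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := COMMANDS_RE.match(line):
            level, lst, tail = int(m.group(1)), m.group(2), m.group(3)
            out["commands"].setdefault(level, {})[lst] = parse_methods(tail)
        elif m := EXEC_RE.match(line):
            out["exec"][m.group(1)] = parse_methods(m.group(2))
    return out


def missing_command_levels(config_text: str, list_name: str = "default") -> list:
    """Default levels with no command-authorization list of the given name."""
    authz = parse_authz(config_text)
    return [lvl for lvl in DEFAULT_LEVELS if list_name not in authz["commands"].get(lvl, {})]


def fail_open_lists(config_text: str) -> list:
    """(kind, level, list) for command-authorization lists carrying if-authenticated."""
    authz = parse_authz(config_text)
    hits = []
    for lvl in sorted(authz["commands"]):
        for lst, methods in authz["commands"][lvl].items():
            if "if-authenticated" in methods:
                hits.append(("commands", lvl, lst))
    return hits


def audit(config_text: str) -> list:
    findings = []
    for lvl in missing_command_levels(config_text):
        findings.append(
            f"no 'aaa authorization commands {lvl} default ...': level-{lvl} commands are "
            f"never sent to TACACS+ for authorization")
    for kind, lvl, lst in fail_open_lists(config_text):
        findings.append(
            f"'if-authenticated' on {kind} {lvl} list '{lst}': once the TACACS+ server "
            f"returns ERROR every command is permitted (Method=IF_AUTHEN -> PASS_ADD)")
    return findings


# Constructed samples: the poster's original lines and the accepted answer's lines.
BEFORE_CONFIG = """\
aaa new-model
aaa authorization exec default group TACACS_ADMIN local if-authenticated
aaa authorization commands 15 default group TACACS_ADMIN if-authenticated
"""

AFTER_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```

Run it against a "show running-config | include aaa" capture; the "local" fallback in the accepted answer is left alone because the thread's concern is the if-authenticated method, which the earlier debug showed permitting "show running-config" for an authenticated user while the server was down.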
04-14-2009 01:14 PM
So it seems that the device is not sending show tech command to ACS for authorization check.
Show tech is not listed in tacacs admin logs and nor in debugs aaa authorization.
Most likely a bug in IOS.
Regards,
~JG
Do rate helpful posts