4616 Views · 5 Helpful · 6 Replies

ACS 5.2 command set authorization

vashdevt
Level 1

Hi

I am facing a problem related to command set authorization. We want to restrict the group called netadmin to only “show running-config”; all other commands, including “show *”, should be denied.

I created one user (netadmin) locally and also created one identity group (netadmin) and joined the user to the netadmin identity group.

I configured shell privilege level 15, configured the command set authorization and applied it to the identity group.

Command set is as follows.

-----------------

Grant    Command    Argument

Permit   show       running-config

-----------------

The problem is that the netadmin user is able to run all show commands; we want him to run only one command, “show running-config”.

He is not able to run “config t”; it gives the message “authorization failed”.

Regards,

Vashdev


6 Replies

Jatin Katyal
Cisco Employee

Command set is a bit incorrect. It should look like:

Grant    Command    Argument

         show       permit running-config



You may look at the below listed example

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#scenario2


Rgds, Jatin



Do rate helpful posts~

~Jatin

I already tried the permit word inside the argument and followed the same document which you mentioned, but it’s not working.

What do you see in the failed attempts?


Also, paste the output of the command show run | in aaa


Run the debugs on the device:

debug tacacs
debug aaa authen
debug aaa author




Rgds, Jatin


Do rate helpful posts~

~Jatin

Hi

Here is the AAA configuration of the switch. Right now I don't have access to the switch to get the debugs; as soon as I get access I will collect the debugs and post them.

aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec CONSOLE if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+

Accepted Solution

Before you troubleshoot this issue, make sure that you have standard command authorization on the switch.


aaa authorization config-commands
aaa authorization commands 0 default  group tacacs+ local
aaa authorization commands 1 default  group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

You are missing the commands listed below:

aaa authorization config-commands
aaa authorization commands 0 default  group tacacs+ local
aaa authorization commands 1 default  group tacacs+ local

After that, try again and see what you see in the ACS failed attempts.


Rgds, Jatin


Do rate helpful posts~

~Jatin
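The point of the answer above (command authorization must cover levels 0 and 1, not just 15, before an ACS command set can restrict "show"), as an added check that is not from the thread or from Cisco: a Python script that parses show run | in aaa output and lists the authorization lines still missing. It goes slightly beyond the post in two ways: it treats config-command authorization as on unless the running-config shows "no aaa authorization config-commands" (IOS enables it by default once command authorization exists, so it is normally not displayed), and it ignores method lists that never name tacacs+. REQUIRED_LEVELS, the regex and POSTED_CONFIG are my own names; POSTED_CONFIG holds the configuration Vashdev posted above, and the check assumes the default method list is applied to the VTY lines.

```python
import re

# Added check (not from the thread): parse "show run | in aaa" output and list the
# TACACS+ command-authorization lines still missing. Assumes the default method
# list is applied to the VTY lines. A list that never names tacacs+ (e.g. only
# "local") never asks ACS, so the ACS command set is never evaluated.
REQUIRED_LEVELS = ("0", "1", "15")  # "show" is a level-1 command: level 15 alone is not enough

_CMD_RE = re.compile(r"^aaa authorization commands (\d+) default (.+)$")

def parse_command_authorization(aaa_config):
    """Return (levels authorized via tacacs+, config_commands_enabled)."""
    levels = set()
    # IOS turns config-command authorization on by default once command
    # authorization exists, so running-config only shows it when negated.
    config_commands = True
    for raw in aaa_config.splitlines():
        line = raw.strip()
        m = _CMD_RE.match(line)
        if m and "tacacs+" in m.group(2).split():
            levels.add(m.group(1))
        elif line == "no aaa authorization config-commands":
            config_commands = False
    return levels, config_commands

def missing_command_authorization(aaa_config):
    """Lines to add before an ACS command set can restrict 'show' commands."""
    levels, config_commands = parse_command_authorization(aaa_config)
    missing = []
    if not config_commands:
        missing.append("aaa authorization config-commands")
    for lvl in REQUIRED_LEVELS:
        if lvl not in levels:
            missing.append(f"aaa authorization commands {lvl} default group tacacs+ local")
    return missing

# The AAA configuration posted in the thread (command authorization at level 15 only).
POSTED_CONFIG = """\
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec CONSOLE if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
"""
```

Running missing_command_authorization(POSTED_CONFIG) reports the level 0 and level 1 lines, which is exactly the gap that let every "show" command through while "config t" was correctly denied.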

Hi Jatin,

After applying the suggested AAA configuration on the switch, it is working fine.

Thanks for your support.

Regards,

Vashdev
