acs 5.2 command sets permit all commands except...

eugene.tsuno
Level 1

I have everything working on a new 5.2 ACS but:

I can only make a command set that permits things and denies all.

I thought with the check box "Permit any command that is not in the table below" one could allow all and specifically deny commands.

I could add for instance:

Check "Permit any command that is not in the table below"

deny conf

deny set

and that would allow the user to do all commands except for conf and set. But it doesn't seem to administratively block it; it allows them to still "conf" for instance.

Yet if I:

Uncheck "Permit any command that is not in the table below"

and say

permit show

permit exit

...

Then it works as expected: it allows the commands that are permitted and denies all unspecified commands.

I know I am in the right command set because the changes I make are reflected immediately.

Can someone test the "Permit any command that is not in the table below" and tell me if it works? I can make it work with the unchecked box, sure, but it would be nice to get it to work.


Yudong Wu
Level 7

If it is a command in config mode, you might need to enable "authorization config-commands" on your Cisco router/switch.

If I remember correctly, this command is disabled by default, so the command in config mode won't be sent to ACS for authorization.

eugene.tsuno
Level 1

The example says I should be able to put that at the end. However, when I paste it in, it always goes to the top:

aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+
aaa authorization commands 15 groups group tacacs+ none

I don't know if that is the problem, but right now it exhibits the same behaviour: the table is allowing things which should be blocked.

Is there a trick to get it to go after "aaa authorization commands", or does it matter?

Okay figured it out.

I was using the short name like "conf" for configure. Except the parser obviously wants the whole name "configure", because that is what is returned back in TACACS.

That makes sense, although a note in the docs saying how the commands are matched, or whether regular expressions can be used, would be nice.
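The matching behaviour worked out in this thread, modelled as an added Python example (not Cisco's code and not from any post here): a simplified command-set evaluator fed constructed TACACS+ `cmd=`/`cmd-arg=` pairs of the kind IOS sends, showing why a deny row for the abbreviation "conf" is never hit while a row for "configure" is, and how the unchecked-box allow-list behaves. The evaluation order (first matching row wins) and the argument regex matching are assumptions about ACS, not documented behaviour.

```python
import re
from dataclasses import dataclass, field

# Constructed TACACS+ authorization AV pairs, the form in which IOS reports a typed
# command to ACS: the keyword is already expanded ("conf t" arrives as configure terminal).
SAMPLE_REQUESTS = {
    "conf t": ["service=shell", "cmd=configure", "cmd-arg=terminal", "cmd-arg=<cr>"],
    "sh run": ["service=shell", "cmd=show", "cmd-arg=running-config", "cmd-arg=<cr>"],
    "exit":   ["service=shell", "cmd=exit", "cmd-arg=<cr>"],
}

@dataclass
class CommandSet:
    """Simplified model of an ACS 5.x command set (an assumption, not Cisco's implementation)."""
    permit_unlisted: bool                      # "Permit any command that is not in the table below"
    rules: list = field(default_factory=list)  # table rows: (grant, command, argument-regex)

def parse_request(av_pairs):
    """Pull the command keyword and its arguments out of the cmd= / cmd-arg= pairs."""
    pairs = [p.split("=", 1) for p in av_pairs]
    cmd = next(v for k, v in pairs if k == "cmd")
    args = [v for k, v in pairs if k == "cmd-arg" and v != "<cr>"]
    return cmd, " ".join(args)

def evaluate(cmdset, av_pairs):
    """Return 'permit' or 'deny': first matching row wins, otherwise the checkbox decides."""
    cmd, args = parse_request(av_pairs)
    for grant, row_cmd, arg_re in cmdset.rules:
        # Rows are compared against the full keyword ACS receives, so "conf" never matches "configure".
        if row_cmd.lower() == cmd.lower() and re.fullmatch(arg_re or ".*", args):
            return grant
    return "permit" if cmdset.permit_unlisted else "deny"

def authorize(cmdset, typed):
    """Authorize a command as the operator typed it, using the constructed sample requests."""
    return evaluate(cmdset, SAMPLE_REQUESTS[typed])

# The thread's failing set: box checked, deny rows use the abbreviation, so "conf t" slips through.
BROKEN = CommandSet(True, [("deny", "conf", ""), ("deny", "set", "")])
# The corrected set: deny rows use the full keyword the device actually sends.
FIXED = CommandSet(True, [("deny", "configure", ""), ("deny", "set", "")])
# The working alternative from the thread: box unchecked, list only what is allowed.
ALLOW_LIST = CommandSet(False, [("permit", "show", ""), ("permit", "exit", "")])

if __name__ == "__main__":
    for name, cs in [("broken", BROKEN), ("fixed", FIXED), ("allow-list", ALLOW_LIST)]:
        print(name, {typed: authorize(cs, typed) for typed in SAMPLE_REQUESTS})
```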
