ACS 5.3 and Command Auth

Patrick Connor
Level 1

I am rolling out the latest 5.3.0.40.6 patched ACS 1121 in a redundant pair mode. I have built user-based auth without issue but am having an issue with command auth. Once I add command auth to the test router and modify the shell profile and command set for privilege 1 and 15, none of the commands are authenticated and the report indicates the "DenyCommand" default. I have followed the user guide and the step by step from Security Solutions (link below).

I still get no joy. Also, Cisco changed the GUI and the way command sets are built.

(http://www.security-solutions.co.za/Cisco-ACS-5.2-Role-Based-Authentication-Authorization-For-Different-Privilege-Levels-Configuration-Example.html)

Any help would be appreciated.

Patrick Connor


4 Replies

Tarik Admani
VIP Alumni

Patrick,

Can you please post a screenshot of the authorization rule, and the command set that you configured?

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik, thanks for the response. I cannot get screenshots but can describe the option sets.

I created 2 command sets:

Pri-15 has only the "Permit any command that is not in the table below" check box checked.

Pri-1 has a single permit "show" with no arguments.

The authorization policy has 2 rules:

rule 1: identity group "Network Admin", any, any, any, Pri-15

rule 2: identity group "Network Monitor", any, any, any, Pri-1

Service selection rule: rule 1, condition (match System: Protocol match TACACS), result Default Device Admin, hit count 98.

The report indicated a FAIL ("13025 Command failed to match a Permit rule") and Selected Command Set = DenyAllCommands.

So it looks like the command set is not being recognized, but I cannot see why?

Thanks,

Pat 
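To make the symptom in this thread concrete, the following is an added model of how ACS 5.x command authorization evaluates a command line against a command set and falls through to the built-in DenyAllCommands result when the authorization rule returns no command set at all. It is example code written for this page, not Cisco's implementation; the command-set names, identity groups and the `command_set_column_enabled` flag (standing in for the hidden "Command Sets" column in the authorization policy customization) are assumptions built from the thread, and the rule that a blank Arguments field matches any arguments is an assumption of this model.

```python
"""Toy model of TACACS+ command authorization as described in the thread.

Added example, not Cisco code. Assumptions: a command line is split into the
first token (command) and the rest (arguments); a rule's Arguments field is a
regular expression, and a blank field matches any arguments; when no command
set is returned by the authorization policy, ACS applies DenyAllCommands.
"""
import re
from dataclasses import dataclass, field


@dataclass
class CommandSet:
    name: str
    # "Permit any command that is not in the table below" check box
    permit_unmatched: bool = False
    # rows of (grant, command, arguments_regex); blank regex means "any"
    rules: list = field(default_factory=list)


def command_set_decision(cs, command, args):
    """Evaluate one command line against one command set.

    Returns (decision, reason). A missing command set models the
    DenyAllCommands default seen in the report.
    """
    if cs is None:
        return "DENY", "no command set selected: DenyAllCommands applied"
    for grant, cmd, args_re in cs.rules:
        pattern = args_re if args_re else ".*"          # blank => any arguments
        if cmd.lower() == command.lower() and re.fullmatch(pattern, args):
            decision = "PERMIT" if grant.lower() == "permit" else "DENY"
            return decision, f"{cs.name}: matched row {grant} {cmd} '{args_re}'"
    if cs.permit_unmatched:
        return "PERMIT", f"{cs.name}: permit any command not in the table"
    # ACS failure reason quoted in the thread
    return "DENY", f"{cs.name}: 13025 Command failed to match a Permit rule"


# Command sets as Pat described them (constructed from the thread)
PRI_15 = CommandSet("Pri-15", permit_unmatched=True)
PRI_1 = CommandSet("Pri-1", rules=[("Permit", "show", "")])

# Authorization policy: identity group -> command set (hypothetical names)
AUTHZ_RULES = [
    ("Network Admin", PRI_15),
    ("Network Monitor", PRI_1),
]


def authorize(identity_group, cmdline, command_set_column_enabled=True):
    """Model the authorization policy lookup followed by command-set matching.

    command_set_column_enabled=False reproduces the thread's problem: the
    policy rule matches but cannot return a command set, so ACS selects
    DenyAllCommands for every command.
    """
    command, _, args = cmdline.strip().partition(" ")
    selected = None
    if command_set_column_enabled:
        for group, cs in AUTHZ_RULES:
            if group.lower() == identity_group.lower():
                selected = cs
                break
    decision, reason = command_set_decision(selected, command, args)
    return {
        "group": identity_group,
        "command": cmdline,
        "command_set": selected.name if selected else "DenyAllCommands",
        "decision": decision,
        "reason": reason,
    }


if __name__ == "__main__":
    cases = [
        ("Network Admin", "configure terminal", True),
        ("Network Monitor", "show running-config", True),
        ("Network Monitor", "configure terminal", True),
        ("Network Admin", "show version", False),   # column hidden, as in the thread
    ]
    for group, line, enabled in cases:
        r = authorize(group, line, enabled)
        print(f"{group:16} {line:22} -> {r['decision']:6} [{r['command_set']}] {r['reason']}")
```

Running it shows the admin group permitted everything through the "permit unmatched" check box, the monitor group permitted only `show`, and every command denied with DenyAllCommands once the policy rule has no command set to return, which is exactly the report Pat quotes.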

Patrick,

Can you check this doc to see if the command set option is enabled? It is hidden by default (that is what i wanted to confirm).

https://supportforums.cisco.com/docs/DOC-26768

Thanks,

Tarik Admani
*Please rate helpful posts*

It was not enabled. Thank you very much for the assistance. I have added the "Command Set" to the customized Results and will test.
