ACS - configure the authorization of shell commands to work under the configuration mode (conf t)

Similar Questions

• Help ACS shell command authorization

  Hello

  I wanted to only allow users to use the command interface. But when I have enabled terminal config of ACS shell command, all commands are allowed. How can I limited users having only permission for command interfaces?

  Thank you

  Two things may be wrong

  (1) you do not have the following command on your AAA Client:

  AAA authorization config-commands

  (2) you have clicked on the 'unmatched orders' = allowed radio option in ACS, take a look on:

  http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

  Concerning

  Farrukh

• Problem with shell command authorization

  I came across this issue with ACS 3.1 and 3.2 of the ACS

  A shell command authorization set is created under the profile shared with the following components:

  Unmatched orders: refuse

  Permit of unmatched Args: UNCHECKED

  The order authorized is 'show' with the Arg "worm permit", "allow the interface" and "allowed to run.

  This permission set is then applied to the group, under the option "Assign a Shell command authorization on any device on the network."

  Select this group option is set to 'Max privilege for any customer of AAA, level 15.

  This configuration is then tested against two IOS switches, with orders from aaa as follows:

  AAA new-model

  AAA authentication login default group Ganymede + local

  the AAA authentication enable default group Ganymede + activate

  AAA authorization exec default group Ganymede + local

  AAA authorization commands 15 default group Ganymede + local

  The problem I have is that when a user who is part of this group connects, it can issue commands such as see the worm, see the race and show int just as I would expect. Any command that does not begin with a show... is denied. However, other show commands that do not appear in the arguments of will work, so that some don't. For example, "show arp" and "vlan" worked, while "show accountants ' and 'buffer' does not. What Miss me?

  commands that work without explicitly set them are of privilege more low level 15... for example; "show arp" is a command of Priv-1, so it is execuatbel without permission of command as you do not permission to order for private-1.

  Router > sh priv

  Current privilege level is 1

  Router >

  Router >

  Router > show arp

  Protocol of age (min) address Addr Type Interface equipment

  Internet 10.1.5.2 24 0000.abcd.abcd ARPA Ethernet0/0

  Internet 10.1.5.3 - 0003.abcd.abcd ARPA Ethernet0/0

  Router >

  Router >

• Shell command authorization

  Hi all

  I'm having a problem with the Shell command authorization. I have a user that I just want to be able to display the configuration of installation, it is for the auto config to archives on an hourly basis.

  I have configuered the device with the following orders of aaa:

  AAA new-model

  AAA group Ganymede Server + ACS

  AAA authentication login default group ACS

  /NOAUTH AAA authentication login no

  AAA authorization config-commands

  AAA authorization exec default group Ganymede + group ACS

  /NOAUTH AAA authorization exec no

  AAA authorization commands 15 default ACS group

  AAA authorization commands 15 /NOAUTH no

  AAA accounting command 15 arrhythmic default group ACS

  The static account I have set up ok logs and can show config etc. Access to the conf t is disabled, which is good, but for some reason, it can run any command show rather than just who is this all I welcomed in the Shell command authorization.

  Unmatched command is defined for refuse and allowed unparalleled arguments are not checked.

  ACS is 3.3 2 and switch I tested running 12.1 (9) EA1

  Any ideas?

  Most of 'show' command are level 1 controls. You can check this by logging in as a normal user, issue a private "sho" to make sure that you are at level 1, and then type 'sho ip road', "sho ver", etc., you will see that all work fine.

  Your AAA commands say only the switch to allow level 15 commands, so when you do a "sho ver" or similar this order will not be sent offshore to the ACS server for authorization.

  If you add the following:

  AAA authorization commands 1 default ACS group

  so, what do you have to fix, but be careful because it is easy to lock you out of power mode enable (add 'enable' in your command set too).

  You should also noticed all those who 'show' commands were not their statement in detail either, because you have enabled also only accounting for level 15 commands.

• Authorization of shell of ACS

  Is it possible to configure the authorization of the shell when the privilege level has something less than 15

  What I do now is configure level 15 access and limiting the commands through shell games. When I try to assign any other privilege level, it doesn't seem to work.

  HTH

  Narayan

  Narayan,

  Let's say that assign you a privilege level from 10 to the user on the AAA server. The user logs on the device at the level 10 but "sh ip int br" and "sh int" are level 15 commands, so may not be used.

  So what we need to do is to reduce the level of privilege "sh ip int br" and 'sh int' orders on the device itself to level 10 using 'focus on' command in global configuration mode.

  After doing this, only "sh ip int br" and 'sh int' orders will be available at level 10 and any other privilege 15 orders.

  Now also if you want the group to only run "sh ip int br" and group b to run "sh int" only then you can seek approval to level 10.

  Hope this helps

• How to activate 'Shell command authorization games '.

  Hello

  I use aaa on Ganymede to check the user to active directory ms.

  I set up a new "Set Shell command authorization" see the attachment for more details.

  But it does not work. So, I just want to check if the use of a command works or not.

  You can see in the file attached, I tried something with the command 'show '.

  But if I connect I am still able to use "view aaa servers" example, but in the 'show' commandbox I asked the agrument "refuse the aaa" inside.

  Why doesn't this work?

  Thanks for the help

  BB

  BB,

  Not sure why you want to do it this way. Trick here is to give all users a priv 15 and then set the permission command, defined according to your need.

  Overlooking priv 15 does not mean that the user will be able to run all the commands. You can set permission set and allow that you want specific orders, the user should be able to run.

  So pls rate this help

  Kind regards

  ~ JG

• App, opening a file via windows shell commands: "a device attached to the system does not work.

  Hello!

  I hope that someone here will be able to throw some lights on my question, if I post this is the wrong place please let me know because I was directed here (which forum? ). OK, I support and develop custom applications. An older application especially written in Delphi allows users to attached documents (pdf, jpg, txt, etc.) to the records of equipment in a data base. Later users can view these records of equipment and press a button to display the document.

  When the user presses the button to view the document, the application uses the folder variable to save the document to the temporary path and then asks windows via a shell command to open the file. The appeal of Delphi for windows used is the following:

  ShellExecute (GetDesktopWindow, 'open', PChar (TempFile), ",", SW_SHOWNORMAL);

  Normally this process works very well, we have had no problems so far. On a single computer (windows xp pro with Service Pack 3) belonging to a client, instead of opening the file, windows returns the system 31 error and the message ""a device attached to the system is not functioning. ". is displayed.

  * If I navigate to the location where the file is stored on the disk and try to open it, software adobe reader opens the file correctly.

  * I found some suggestions that the file extension is associated properly. PDF associated with Notepad, I changed, and the application could ask windows to open the file very well. Open the file from the location on the work of disc as well. Change the file for adobe and the problem persisted.

  * I reinstalled adobe reader software, but also a previous version of adobe and the problem persisted.

  * The application doesn't have any problem asking other files opened, only those associated with adobe reader on this same machine. The problem does not exist on other machines.

  That about sums up the problem. Any suggestion would be appreciated.

  Thank you

  Louis

  It was determined that the version of adobe reader was at fault.

• Problem of GANYMEDE ACS 4.2 NDG and shell permission sets

  Hi all

  I am trying to solve this problem without success so far. I have fresh GBA 4.2.15 patch 5 ACS installation and I am tryng to deploy to our environment. So I configured a 2960 S to be my test client and everything works well. Problem is when I try to create strategies to fine grains using groups of network devices and shell permission sets.

  I created called ReadOnly and FullAccess authorization of shell games. I also created NDG called FloorSwitches and added my 2960. I have 2 groups of users called FloorSwitchesReadOnly and FloorSwithcesFullAccess. Now, if I have set up a FloorSwitchesFullAccess group and assign the set of permission controls Shell by NDG and then log in to the switch, all my orders are rejected as unauthorized.

  One thing I noticed, is that if I give the command shell permission set it to any device (in the settings of user group) works fine. Or if I create binding with DEFAULT NDG to the Group of users that works too. My conclusion is therefore that the ACS for some reason any does not associate my passage to correct group but is instead the DEFAULT group for some reason any.

  Someone at - it had the similar problem, or is there something I'm doing wrong? Is there another way to achieve such a thing without use of NDG?

  Thank you all...

  Please upgrade to patch 6, there is a bug in the patch 5 and you can see the release notes or the Readme for more information.

  Which is the user setting on while you test command authorization, do you have it set on the group setting?

  Thank you

  Tarik Admani

• Authentication of ACS in the VPN tunnel

  We want to enable the ACS authentication to connect to different routers (Cisco 881 s) we have obtained who are communicating with our WAN via VPN tunnels. We want to avoid using public IP of the router to communicate and pass information to user/password with the ACS server and rely on the IP of the server private instead. The problem is that external interfaces of the router connect to the Internet using public IP addresses and when the router wishes to communicate with the ACS server it will use its IP of the interface to the public and which will fail. We can ping on the server of course when we set the source to the internal LAN IP.

  The question is are there any way to have the router contact ACS through the VPN tunnel using a private IP address?

  config is used and tested with success on local equipment:

  AAA new-model

  RADIUS-server host 10.x.x.x single-connection key xxxxxx

  AAA authentication login Ganymede-local group local Ganymede

  AAA authorization commands x Ganymede-local group Ganymede + if authenticated

  AAA authorization exec Ganymede-local group Ganymede + authenticated if

  See the establishment of privileges exec level x

  line vty 0 4

  Ganymede-local authentication login

  authorization controls Ganymede-local x

  -ACS ping to the router (WAN via VPN connection) when using public IP address of the router as the source address:

  RT881 #ping 10.x.x.x

  Type to abort escape sequence.

  Send 5, echoes ICMP 100 bytes to 10.x.x.x, time-out is 2 seconds:

  .....

  Success rate is 0% (0/5)

  -ACS ping to the router (WAN via VPN connection) when using IP private of the LAN as source address:

  RT881 #ping source 10.x.x.1 10.x.x.x

  Type to abort escape sequence.

  Send 5, echoes ICMP 100 bytes to 10.x.x.x, time-out is 2 seconds:

  Packet sent with a source address of 10.x.x.1

  !!!!!

  Success rate is 100 per cent (5/5), round-trip min/avg/max = 72/72/76 ms

  Looking forward to your responses and suggestions.

  Thanks, M.

  Hey Maher,

  You can use the command 'Ganymede-source interface ip' or 'RADIUS source-interface ip' for your scenario.

  I hope this helps!

  Kind regards

  Assia

• ACS: checking the replication topology

  I currently have two productive of ACS upward and running with everything that I need. I need to activate multiple devices in a network of partners to use all the features of AAA already configured with my "local" network devices

  The problem, a direct link between the two areas of ACS or any other direct flow between two networks is prohibited. The solution as a network of intermediary which can host shared resources and is accessible from both sides.

  So if I'm not mistaken I should be able to replicate my local ACS network to an intermediate ACS and from there to my ACS in the network of partners. So before I put another device of ACS in the intermediate network I have a second opinion on my scheduled replication topology.

  I added a simple drawing of the scheduled replication topology.

  All tips are welcome, thanks for reading.

  Roble

  Hi Roble,

  Sorry for the delay.

  (3) correction

  ACS A---> partner B (on request)

  B ACS---> partner C (automatically triggered cascade) AAA - server has

  C ACS---> AAA-server B associate no (manual)

  AAA server: This is the name of the ACS in the AAA servers partners column.

  Kind regards

  ~ JG

• How to run a procedure ODI of a shell command?

  Hello
  
  Is it possible to perform the procedure ODI of a shell command? How?
  
  I would like to invoke the execution of the second another batch processing procedure, we have tips.
  
  Thank you.

  You can create the scenario of the ODI procedure and call this scenario using the startscen at the command prompt,
  before that make sure that you odiparams file is updated.

• HP CSI Shell has stopped working - cannot install the printer driver

  I just bought a printer LaserJet MFP M127fw Pro, but the installation of the pilot program still crashes. I tried 3 different modes of driver installation: the installation CD install HP Smart (USB) and download online, but I keep getting the same error.
  
  10-15 seconds after I start the driver installation, a pop-up Windows appears, advising me that:
  "HP CSI Shell has stopped working".
  
  I called HP customer care and they post in the computer section of the Support Forums.
  
  Does anyone have a solution to this problem?
  
  I have a HP Media Center PC with Windows 7 64 bit.
  
  

  Update:
  
  I tried the feature "Add a printer" windows default in Control Panel, and my printer is finally functional - only when used wireless. However, if I connect the USB cable from my printer, it will be recognized as a different printer and always unsuccessfully installed the drivers for it.
  
  If it works wirelessly, it is good enough for me.

• Change the sample DAQmx and Terminal configuration mode

  Hello

  I'm studying 'Timing and synchronization features of NOR-DAQmx' from the following link,.

  http://zone.NI.com/DevZone/CDA/tut/p/ID/4322

  Could someone tell me how to Figure 2, Terminal configuration entry in the part "DAQmx virtual channel creat? Shoud I double-click on the icon to change it? Or there is some way that I can show it in the block as the sample mode diagram in the DAQmx part?

  How can another question, in the DAQmx calendar part, I put "Continous Samples" here? It comes from the function palette? Thank you.

  Hi Oly,
  To make the configuration of senior year to enter the channel 'DAQmx create' you will need to create a constant or control over this VI either.  When you hover over a VI, as the VI "DAQmx Create Channel", you will notice that the dots appear around the edge of the square.  "" When you roll your mouse over these points, you mouse pointer will appear a coil of cable/wire how you can right click your mouse and select 'Create' constant ' or 'create' control '.  If you create a control, you have a user control in your front, where as if you create a constant, you will have a drop-down list in your block diagram.
   
  It goes the same for continuous samples, simply hover over the VI, right-click on the corresponding 'point' and select this option to create a constant.
   
  In case my instructions are unclear, that I have attached pictures of how to go about doing this, the first is to show 'points' I speak around the VI and the second picture shows the possibility to choose after you right-click on the point.
   
  Good programming!
  aNIta B
  Technical sales engineer
  National Instruments

• change the digital command mode, it is still the initial mode

  In panel.uir, I design a mode of control digital initional as INDICATOR, so I change the control mode to be HOT in my panel.c, but digital is always unacceptible.

  SetCtrlAttribute (systemp2, SEQUINTERVAL, ATTR_CTRL_MODE, VAL_HOT);
  SetCtrlAttribute (systemp2, RBINTERVAL, ATTR_CTRL_MODE, VAL_HOT);
  GetCtrlVal (systemp2, SEQUINTERVAL, &val);)
  GetCtrlVal (systemp2, RBINTERVAL, &rbl);)

  all the two values of val and rbl are nil.

  So how to change the mode indicator to be warm mode in the program?

  In addition, the SEQUINTERVAL is not in the form PANEL_CONTROLID required by the function, so unless it is a variable where you store the correct assessed, function might be unable to translate it into the correct control IDs. Again, return code of SetCtrlAttribute reading should evidence an error in the command. It goes the same for RBINTERVAL.

• "Messenger Service, or the Net send command not working only not on the service remote computerhe.

  Messenger Service, or the Net send command not working only not on the remote computer, despite the messenger service is started "it works only if I restart the service.
  operating system is windows xp
  service pack 3

  Hi Charbel,

  Have you done a recent software or hardware changes to the system?

  This problem occurs because the Messenger service is disabled. The Messenger service must run on the destination computer to activate the NET SEND command.

  Because the service is already started, and you must restart the service, you can try to stop the service, change the startup type to automatic and start the service. Check if it helps.

  Please refer to the article to define the service as automatic:

  Programs or services that use the alerts service or the Messenger service do not work as expected after you install Windows XP Service Pack 2

  For more information, see the article:

  The NET SEND command may not work correctly on a computer that is running Windows XP Service Pack 2

  Hope the helps of information.

  Let us know if you need help with Windows related issues. We will be happy to help you.