AAA Authorization with ACS Shell Sets

Hi all

I have a Cisco 871 router running 12.4(11)T Advanced IP Services.

I am having difficulty getting AAA authorization to work properly with ACS.

I am able to configure users on ACS fine and assign them the shell and privilege level 7.

I then set up a Shell Command Authorization Set and enter the commands show and configure.

When I log in as the user I get an exec at priv level 7, no problem, but I never seem to be able to get into global configuration mode by typing conf t (or configure terminal).

If I type con? the only command offered is connect; configure is never an option...

The only way I can get this to work is by entering the command:

privilege exec level 7 configure terminal

I thought the whole purpose of the ACS Shell Set was to provide this information to the router?

It's frustrating.

The ACS server is set up with a Shell Command Authorization Set named Level_7.

It is assigned to the relevant groups and I have the 'Unmatched Commands' option set to 'permit'.

'Permit Unmatched Args' is also selected.

See an extract of my IOS config below:

aaa new-model
!
aaa group server tacacs+ ACS
 server 10.90.0.11
!
aaa authentication login default group ACS local
aaa authorization exec default group ACS
aaa authorization commands 7 default group ACS local
!
tacacs-server host 10.90.0.11 key cisco
!
privilege exec level 7 configure terminal
privilege exec level 7 configure
privilege exec level 7 show running-config
privilege exec level 7 show
!

Hope you can help me with this one...

PS I have tried with the privilege commands on the router and with them removed, and I keep getting the same results!

Hi,

So basically, you are using two different options and trying to couple them together. What I would say is that you either use the Shell Command Authorization Set function or play with privilege levels, not both mixed together.

The above scenario might work if you move the commands down to level 6 and give the user privilege level 7. Can't be sure; try it and share the results.

What I suggest is that you bring the commands back to their normal level.

Provided below are the steps to set up shell command authorization:

-------------------------------------------

Follow these steps on the router:

-------------------------------------------

! --- <username> is the desired username
! --- <password> is the password
! --- Create a local username and password
! --- in case we are not able to get authenticated via
! --- our TACACS+ server, to provide a backdoor.
username <username> privilege 15 password <password>
! --- To apply the AAA model on the router
aaa new-model
! --- The following command specifies our ACS
! --- server location, where <ip> is the
! --- IP address of the ACS server and <key>
! --- is the key, which must be the same on ACS and the router.
tacacs-server host <ip> key <key>
! --- Authenticate users via ACS when they try to log in.
! --- If our router is unable to reach ACS, we will use
! --- the local username and password created above. This
! --- prevents a lock-out.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! --- The following commands send the user's activity
! --- to ACS once the user logs in to the device.
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
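As an added example (not from this thread and not Cisco's code), here is a small Python lint that reads the AAA lines of an IOS running-config and flags the pitfalls the two posts above run into: a method list with no 'local' fallback, command authorization at only one privilege level, privilege exec level commands mixed with ACS command sets, a server group that is undefined or empty, a TACACS+ host without a shared key, and config-command authorization not stated explicitly. The two sample configs are constructed from the extracts on this page (the key 'cisco' is the one in the original post; EXAMPLE-KEY and EXAMPLE-PASSWORD are placeholders); the parser and the check policy are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed from the original post's extract (key 'cisco' is the one shown there).
OP_CONFIG = """\
aaa new-model
aaa group server tacacs+ ACS
 server 10.90.0.11
aaa authentication login default group ACS local
aaa authorization exec default group ACS
aaa authorization commands 7 default group ACS local
tacacs-server host 10.90.0.11 key cisco
privilege exec level 7 configure terminal
privilege exec level 7 show running-config
"""
# The reply's template with its placeholders filled by obvious dummy values.
TEMPLATE_CONFIG = """\
username admin privilege 15 password EXAMPLE-PASSWORD
aaa new-model
tacacs-server host 10.90.0.11 key EXAMPLE-KEY
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
"""

LIST_RE = re.compile(r"aaa (authentication login|authorization exec|authorization commands (\d+)) (\S+) (.+)")
GROUP_RE = re.compile(r"aaa group server tacacs\+ (\S+)")
HOST_RE = re.compile(r"tacacs-server host (\S+)(?: key (\S+))?")
PRIV_RE = re.compile(r"privilege exec level (\d+) (.+)")


def parse_aaa(config):
    """Reduce the AAA-relevant lines of a running-config to a small dict model."""
    m = {"new_model": False, "lists": {}, "groups": defaultdict(list), "hosts": {},
         "global_key": None, "priv": [], "config_commands": "unstated"}
    group = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and group:                  # indented line inside a server group
            mo = re.match(r"\s*server(?:-private)? (\S+)", raw)
            if mo:
                m["groups"][group].append(mo.group(1))
            continue
        group, s = None, raw.strip()
        if s == "aaa new-model":
            m["new_model"] = True
        elif s == "aaa authorization config-commands":
            m["config_commands"] = "explicit"
        elif s == "no aaa authorization config-commands":
            m["config_commands"] = "disabled"
        elif (mo := GROUP_RE.match(s)):
            group = mo.group(1)
            m["groups"][group]                              # register the group even if it stays empty
        elif (mo := LIST_RE.match(s)):
            kind = "authorization commands" if mo.group(2) else mo.group(1)
            toks, methods = mo.group(4).split(), []
            while toks:                                     # 'group NAME' is one method, others are bare
                t = toks.pop(0)
                methods.append((t, toks.pop(0)) if t == "group" and toks else (t, None))
            m["lists"][(kind, mo.group(2), mo.group(3))] = methods
        elif (mo := HOST_RE.match(s)):
            m["hosts"][mo.group(1)] = mo.group(2)
        elif (mo := re.match(r"tacacs-server key (\S+)", s)):
            m["global_key"] = mo.group(1)
        elif (mo := PRIV_RE.match(s)):
            m["priv"].append((int(mo.group(1)), mo.group(2)))
    return m


def lint(m):
    """Return (severity, message) findings; an empty list means nothing to report."""
    out, cmd_levels = [], set()
    if not m["new_model"]:
        out.append(("WARN", "aaa new-model missing: the AAA method lists have no effect"))
    for (kind, level, name), methods in m["lists"].items():
        label = f"aaa {kind}{' ' + level if level else ''} {name}"
        if level:
            cmd_levels.add(int(level))
        if "local" not in [n for n, _ in methods]:
            out.append(("WARN", f"{label}: no 'local' fallback, lock-out if TACACS+ is unreachable"))
        for n, g in methods:
            if n == "group" and g not in ("tacacs+", "radius") and not m["groups"].get(g):
                out.append(("WARN", f"{label}: server group '{g}' is undefined or has no servers"))
    for g, servers in m["groups"].items():
        for ip in servers:
            if ip not in m["hosts"]:
                out.append(("WARN", f"group {g}: no tacacs-server host entry for {ip}"))
            elif m["hosts"][ip] is None and m["global_key"] is None:
                out.append(("WARN", f"group {g}: server {ip} has no shared key"))
    if cmd_levels:                                          # command authorization is in use
        if m["priv"]:
            out.append(("WARN", "privilege exec level commands mixed with ACS command "
                                "authorization; use one mechanism, not both"))
        if m["config_commands"] == "disabled":
            out.append(("WARN", "no aaa authorization config-commands: config-mode commands bypass ACS"))
        elif m["config_commands"] == "unstated":
            out.append(("INFO", "aaa authorization config-commands is not stated explicitly"))
        if missing := sorted({0, 1, 15} - cmd_levels):
            out.append(("WARN", f"no command authorization for privilege levels {missing}"))
    return out


if __name__ == "__main__":
    for title, cfg in (("original post", OP_CONFIG), ("reply template", TEMPLATE_CONFIG)):
        print(f"== {title}")
        for sev, msg in lint(parse_aaa(cfg)) or [("OK", "no findings")]:
            print(f"  {sev}: {msg}")
```

Run against the original post's extract the lint reports the missing local fallback on the exec list, the mix of privilege exec level commands with command authorization, and the privilege levels that are never sent to ACS; the reply's template comes back clean.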

--------------------

ACS configuration

--------------------

[1] Go to 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'.

Provide any name.

Provide a description (if required).

(a) For a full administrative access set:

Under 'Unmatched Commands', select 'Permit'.

(b) For restricted access:

Under 'Unmatched Commands', select 'Deny'.

Then type the main command in the 'Add Command' field and, in the box below it, type 'permit <argument>' under 'Permit Unmatched Args'.

For example, if we want the user to have access only to the following commands:

login
logout
exit
enable
disable
show

then the configuration should be:

-----------------------------------------------
Command       Unmatched Args - Permit
-----------------------------------------------
login         permit
logout        permit
exit          permit
enable        permit
disable       permit
configure     permit terminal
interface     permit ethernet 0
show          permit running-config
------------------------------------------------

In the above example the user will be allowed to run only the commands listed. If the user tries to run 'interface ethernet 1', the user will get "Command authorization failed".

[2] Press 'Submit'.

[3] Go to the Group on which we want to apply this command authorization set and select 'Edit Settings'.

(more...)
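The matching described in step [1], together with the 'Unmatched Commands = Permit' pitfall raised in the 'Help ACS shell command authorization' thread further down, as an added Python model that is not ACS code: the first word of the command the router sends is looked up in the set; a listed command is checked against its ordered permit/deny argument lines, modelled here as regular expressions over the whole argument string (an assumption of this model), with 'Permit Unmatched Args' deciding arguments that match no line and 'Unmatched Commands' deciding commands absent from the set. A command with no argument lines is permitted when issued bare (also an assumption). The command set and the sample commands are constructed from the example above.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    command: str
    arg_lines: list = field(default_factory=list)   # ordered (action, pattern) argument lines
    permit_unmatched_args: bool = False             # the per-command 'Permit Unmatched Args' box


@dataclass
class CommandSet:
    name: str
    rules: dict = field(default_factory=dict)       # command -> CommandRule
    unmatched_commands: str = "deny"                # set-wide radio button: "permit" or "deny"


def authorize(cs, cmdline):
    """True = permit, False = deny (the router then prints 'Command authorization failed')."""
    tokens = cmdline.split()
    if not tokens:
        return False
    cmd, args = tokens[0], " ".join(tokens[1:])
    rule = cs.rules.get(cmd)
    if rule is None:                                # command not listed in the set at all
        return cs.unmatched_commands == "permit"
    if not args and not rule.arg_lines:             # bare command with no argument lines (assumption)
        return True
    for action, pattern in rule.arg_lines:          # first matching argument line wins
        if re.fullmatch(pattern, args):
            return action == "permit"
    return rule.permit_unmatched_args


def restricted_set():
    """The restricted set from the post: five bare commands plus three commands
    that each permit a single argument string."""
    cs = CommandSet("Restricted", unmatched_commands="deny")
    for c in ("login", "logout", "exit", "enable", "disable"):
        cs.rules[c] = CommandRule(c)
    cs.rules["configure"] = CommandRule("configure", [("permit", "terminal")])
    cs.rules["interface"] = CommandRule("interface", [("permit", "ethernet 0")])
    cs.rules["show"] = CommandRule("show", [("permit", "running-config")])
    return cs


def permissive_set():
    """The same set with 'Unmatched Commands' = Permit: every command that is not
    listed is now allowed, which is the pitfall the later thread describes."""
    cs = restricted_set()
    cs.name, cs.unmatched_commands = "Permissive", "permit"
    return cs


def evaluate(cs, cmdlines):
    """Map each command line to the set's permit/deny decision."""
    return {c: authorize(cs, c) for c in cmdlines}


# Constructed sample of commands as the router would send them to ACS.
SAMPLE_COMMANDS = [
    "enable", "configure terminal", "interface ethernet 0", "interface ethernet 1",
    "show running-config", "show ip route", "reload",
]

if __name__ == "__main__":
    for cs in (restricted_set(), permissive_set()):
        print(f"== {cs.name} (Unmatched Commands: {cs.unmatched_commands})")
        for cmd, ok in evaluate(cs, SAMPLE_COMMANDS).items():
            print(f"  {cmd:24s} {'permit' if ok else 'DENY'}")
```

With the restricted set, 'interface ethernet 1' and 'show ip route' are denied because their arguments match no permit line and 'Permit Unmatched Args' is off, and 'reload' is denied because the command is not in the set. Switching only the set-wide radio button to Permit lets 'reload' through while the argument decisions for listed commands stay as they were.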

Tags: Cisco Security

Similar Questions

  • Integration of ASA with ACS

    Hi all

    I am trying to integrate some ASAs (8.6) with ACS (5.7); here is the configuration of the ASA.

    sh run | in aaa
    aaa-server RADIUS protocol radius
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (management) host 10.243.14.24
    aaa authentication http console TACACS+ LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa accounting ssh console TACACS+
    aaa accounting command privilege 15 TACACS+
    aaa accounting telnet console TACACS+
    aaa authorization exec authentication-server
    aaa authorization command TACACS+ LOCAL

    The problem is that I can connect to the ASA, but I can't type all commands in the CLI; I get the error message "Command authorization failed".

    I have the same command sets and shell profiles created for switches and it works perfectly.

    This is the behaviour in the ACS logs:

    1. Once I am authenticated, I can see the logs in ACS with my username.
    2. But when I type any command, my authorization is denied and I see in the ACS authorization logs that the username is "enable_15".

    Can someone help me identify what the problem is?

    Thank you
    Reverchon

    This happens when we have command authorization enabled on the ASA and try to run any level 15 command on the ASA. To fix this problem you must enable authentication of the enable password against ACS/TACACS+.

    aaa authentication enable console TACACS+ LOCAL

    After the above command, the ASA will start to check the enable password against ACS/TACACS+, and you use the TACACS+ enable password that we can set per user.

    ~ Jousset

  • Help ACS shell command authorization

    Hello

    I wanted to allow users to use only the interface command. But when I enabled 'configure terminal' in the ACS shell command set, all commands are allowed. How can I limit users to having permission only for interface commands?

    Thank you

    Two things may be wrong:

    (1) You do not have the following command on your AAA client:

    aaa authorization config-commands

    (2) You have selected the 'Unmatched Commands' = Permit radio option in ACS; take a look at:

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

    Regards

    Farrukh

  • WLC 4402 cannot authenticate correctly with ACS 5.2

    For some reason, I can't get the WLC to authenticate correctly with ACS 5.2. It's very strange in the sense that when I check the log, ACS authenticates and authorizes the WLC 4402, but I can't log on to the WLC. The login screen appears; when I type the username it jumps to

    Controller >

    User:

    Password:

    No matter what I type (internal or external users), nothing seems to work.

    It adds to my frustration that I have no problem with authentication on routers and switches, only the WLC 4402.

    Hello

    Please remove the privilege level settings on ACS.

    Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles > Common Tasks

    Default Privilege - Not in use.

    Maximum Privilege - Not in use.

    I hope this helps.

    Kind regards

    Anisha

    P.S.: Please mark this thread as answered if you feel that your query is resolved. Rate the useful posts.

  • Need help creating a shell game

    I am using Flash 8, which I haven't used since '06, so I don't know how to do much.

    I am trying to create a shell game. I have a graphic of the shell that I want to load onto the stage. For now I will load 3 of them, but I want it to be variable so I can add more shells if I want to.

    So I guess I have 3 questions:

    1. How do I dynamically load the graphic?

    2. Is it better to use them as graphics or should they be a movieclip?

    3. How do I move or shuffle the shells? I mean, what is the best way to move the shells, because I need 2 shells to move at the same time.

    Thanks for any help,

    Joe

    Place the image into a movieclip in the library and give it a linkage ID (right-click the mc in the library and select Linkage). Then you can use the attachMovie() function to dynamically load instances of the shell movieclip.

    For moving the shells you can use the built-in Tween class, or a third-party tweening class such as TweenLite/TweenMax. You can also use an onEnterFrame approach. If you need help with these, try a Google search using terms like "AS2 Tween tutorial" or "AS2 onEnterFrame tutorial".

  • Why can't I sign in or register with the Facebook game Zanga?

    Why can't I sign in to the Facebook game Zanga? It lets me play the game but does not give me the "cash" reward for all the quests I've finished; they just give me "of the room". I would like this big problem to be resolved please; it doesn't happen with any other game I play, thanks.

    Hello

    Please use the following web site links to Facebook help.

    Facebook Help Center | Facebook:

    http://www.Facebook.com/help/

    Facebook Support Forums:

    http://www.thefacebookforum.NET/forum

    Regards

  • Problem with running my older and newer games on Windows 7

    Why is there such a problem running my older and newer games on Windows 7?
    If I had known that, I would probably have stuck with Vista or XP.

    Yes, you probably would have, if you use the computer half the time for older games. It is like buying a PS3 with emulator software and expecting all the old games to work; it's just not going to happen.

    Which games in particular don't work? Usually running the installer as administrator (right click, run as admin) works for most things, and then launching the game itself in compatibility mode sometimes fixes things.

  • How to run 'old' games, files with the extension *.gam

    I am trying to find and run old-style text adventure games. I downloaded "ccr.gam" but I have nothing associated with this extension and I can't find what I need. HELP please.

    Octavmandru

    Depending on the platform the game was written for, there may be an emulator available that will allow you to run them. Searching for the name of the platform and "emulator" may give results. If they are DOS-based games, DOSBox is one such emulator.

  • Why doesn't the Xbox 360 controller work with all PC games?

    Ask in an Xbox forum.

  • I have a problem with a Gamehouse game. Talked to them and they say that it is a compatibility problem with Vista.

    I have a problem with a Gamehouse game.

    I talked to them and they say that it is a compatibility problem with Vista. It's Super Jigsaw Puzzle and I have hours of work in several puzzles, and now when I try to go in, Super Puzzle closes. This is frustrating because I've uninstalled and reinstalled the program 3 times and it does not help. Is there anything I can do to fix this problem in Vista? I have all the updates except IE 8. We like IE7, but all the other updates sent to us we have.

    If it is a program you downloaded and installed, read this:

    http://www.Microsoft.com/Windows/compatibility/Windows-Vista/default.aspx

    Windows Vista Compatibility Center

    The first thing to do is to check its Vista compatibility at the link above, and if it is not compatible, see what patches/solutions are available from its manufacturer...

    http://www.howtogeek.com/HOWTO/Windows-Vista/using-Windows-Vista-compatibility-mode/

    If it is not Vista compatible, read the info at the link above.
    It works for some programs, but not all.

    This applies to software programs, NOT hardware drivers.

    If it's Vista compatible > uninstall it > re-download/save to your desktop > right click on setup.exe > run as admin.

    See you soon.

    Mick Murphy - Microsoft partner

  • 6513 isn't integrating with ACS

    Hello

    I have a problem with one of the devices, a 6513 switch. The ACS server is directly connected to the switch, inside the FWSM.

    I am able to ping the ACS server from the MSFC and the FWSM, but it does not reach ACS. I have other 6513s and many other switches and routers integrated normally with ACS.

    Please, I need help.

    Kind regards

    In case you are using TACACS+, issue "ip tacacs source-interface <interface>".

    Use the interface whose IP is listed in ACS under Network Configuration ---> switch ---> IP address.

    The switch must use this IP address as the source for the TACACS+ packets.

    Kind regards

    ~ JG

    Rate the useful posts

  • Admin Auth LMS with ACS 5.3

    Hey folks, I need to integrate LMS4 with ACS 5.x for LMS user auth. 2 roles are needed, Admin and Monitor. Is there any documentation, example configuration, or other useful information? Any help welcome.

    Best regards, Michael

    Hi Michael,

    Perhaps these threads will give you enough details:

    https://supportforums.Cisco.com/message/3484567

    Best regards

    André

  • Cisco 1121 appliance installed with ACS 4.2 SE version

    Hi all

    Sorry, could we install ACS version 4.2 on the Cisco 1121 appliance?

    Could we use the 1120 ACS 4.2 DVD image to install on the 1121?

    Or is there any workaround?

    THX!

    Calvin Su

    Hi Calvin,

    Unfortunately, the 1121 hardware doesn't support ACS version 4.2.0, so a downgrade is not an option for the 1121. It can only be used with ACS 5.x.

    Kind regards

    Jousset

    Rate the useful posts

  • EAP-TLS authentication with ACS 5.2

    Hi all

    I have a question on EAP-TLS with ACS 5.2.

    If I want to implement EAP-TLS with a Microsoft CA, how will computer and user authentication be done?

    I understand that a cert is required on the client and the server end, but is this certificate bound to the computer or to individual users?

    If it is bound to the user, and I have a shared PC used by a few users, will each user account have its own certificate?

    And will each individual user have to get the CA cert manually? Is there another method, as my environment has more than 3000 PCs?

    And also, if it binds to the user, any user can get their CA cert with their AD username and password; if they bring in their own device and try to get the CA certificate, they will be able to install the cert properly on their device, right?

    I hope you guys can help with that. Thank you.

    Hope this will answer most of your questions:

    Client or user certificate

    http://www.Cisco.com/en/us/Partner/Tech/tk59/technologies_tech_note09186a00804b976b.shtml#T10

    Computer certificate

    http://www.Cisco.com/en/us/Partner/Tech/tk59/technologies_tech_note09186a00804b976b.shtml#T15

    In the case of EAP-TLS we have both the computer and the user certificate installed on the machines.

    Kind regards

    Jousset

    Rate the useful posts

  • How to configure Windows 7 to interact with YouTube and games

    My computer is connected to the Internet with a cable modem. It's fast (12 GB) but keeps crashing; Win 7 64-bit Pro always points to my network not being set up correctly. I don't understand networks and want to interact with YouTube and the games that my son plays. Why is it so difficult for some people? Sometimes it will lose the connection and I'll reset the modem and restart the computer. Once that doesn't work I restore to an earlier date, which works most of the time, but on occasion it doesn't. I always clean the temp files, keeping the cookies I consider important. I check the amount of disk fragmentation. I have set up a scheduled check disk at startup. I use the Action Center to check the mechanics of connections, the homegroup and others. It's hard for me to understand, and I really wish I did, but right now it's hard for me to grasp. I don't want a homegroup, I don't want a network. I ended up downloading so many things about .NET Framework 4 for 64-bit and stuff with server attachments. I wish that all this could be simple. I used to think I was smart and pretty intuitive. Not so much these days. Also, I got Time Warner, the provider, involved to the point of them coming out, then finally saying it was my setup, not their installation. Thank you for reading this and any help would be wonderful. Thanks and best wishes for the new year.

    Hello

    Welcome to the Microsoft community and thanks for posting the question.

    I suggest you perform the steps described in the article:

    Wireless and wired network problems

    See also:

    Optimize Windows 7 for better performance

    Hope this information helps. Please reply back with the status so that we can help you.
