Permission, restrict commands

Hello everyone, I have a problem. I use ACS 5.3; I have two Device Groups (router & switch) and two sets of users (G1, G2). Here is my question: how can I do this:

G1: full access to DeviceGroup1 and DeviceGroup2 --> it works

Here's the tricky part for me...

G2: 'read only' access to DeviceGroup1, but full access to DeviceGroup2

Has anyone asked this before, or are there any documents on how to do this?

Thank you very much!!

Hello Cesar-

You can certainly do this in ACS. When you create your authorization policies, you can be very flexible with how you grant and deny access to your devices. For your example, you can create rules that are based on:

1. the identity group of the end user (which may be internal or external, such as AD)

2. the type of device (switches, routers, etc.)

3. the location of the device (Campus A, Campus B, etc.)

Thus, for example, if the user is in the network admin group, then he or she will have full access regardless of the location/type of device (screenshot 1), but if the user is, let's say, a "switch admin", then that user will have full access to switches (screenshot 2), but only read-only access to routers (screenshot 3).

I hope that makes sense!

Thanks for the note!
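A constructed model of the decision logic described in this answer and in the command-authorization threads below (ACS 5.x authorization rows keyed on identity group and device group, a command set's 'Unmatched Commands' / 'Permit Unmatched Args' switches, and the IOS side's 'aaa authorization commands <level>' and 'config-commands' gating). This is added example code, not ACS or IOS code; the group names G1/G2, the device groups 'Routers'/'Switches' and the command sets are assumptions taken from the question.

```python
import re
from dataclasses import dataclass

# Constructed model of ACS-style TACACS+ shell command authorization (not ACS code).
@dataclass
class CommandSet:
    name: str
    rules: dict                      # command -> list of permitted-argument regexes
    permit_unmatched_commands: bool = False
    permit_unmatched_args: bool = False

    def allows(self, line):
        """Mimic the 'Unmatched Commands' and 'Permit Unmatched Args' switches."""
        cmd, *rest = line.split()
        args = " ".join(rest)
        if cmd not in self.rules:
            return self.permit_unmatched_commands
        patterns = self.rules[cmd]
        if not patterns or any(re.fullmatch(p, args) for p in patterns):
            return True                  # listed with no arg rule, or an arg rule matched
        return self.permit_unmatched_args

FULL = CommandSet("FullAccess", {}, permit_unmatched_commands=True)
# 'show' and 'exit' with any arguments; everything else denied.
READ_ONLY = CommandSet("ReadOnly", {"show": [], "exit": []})
# Interface admin: 'no' is permitted only with the argument 'shutdown'.
IF_ADMIN = CommandSet("IfAdmin", {"show": [], "configure": [r"terminal"],
                                  "interface": [], "shutdown": [], "no": [r"shutdown"]})

# Authorization policy rows (identity groups, device groups, result); first match wins.
POLICY = [
    ({"G1"}, {"Routers", "Switches"}, FULL),
    ({"G2"}, {"Switches"}, FULL),
    ({"G2"}, {"Routers"}, READ_ONLY),
]

def select_command_set(user_groups, device_group):
    for groups, devices, cset in POLICY:
        if user_groups & groups and device_group in devices:
            return cset
    return None                          # no row matched: default is deny

@dataclass
class IosAaa:
    levels: set                          # "aaa authorization commands <N> ..." lines present
    config_commands: bool = False        # "aaa authorization config-commands" present

def ios_authorize(aaa, cset, line, cmd_level, config_mode=False):
    """What the IOS device does with one typed command: (permitted, reason)."""
    if config_mode and not aaa.config_commands:
        return True, "not sent to ACS: config-commands authorization off"
    if cmd_level not in aaa.levels:
        return True, "not sent to ACS: no 'aaa authorization commands %d'" % cmd_level
    if cset is None:
        return False, "ACS: no matching policy rule"
    return cset.allows(line), "ACS: evaluated by " + cset.name
```

The two "not sent to ACS" branches are why a priv-1 command such as "show arp" or a config-mode command passes even with a deny-by-default set: the device never asks ACS.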

Tags: Cisco Security

Similar Questions

  • Problem with shell command authorization

    I came across this issue with ACS 3.1 and 3.2.

    A shell command authorization set is created under Shared Profile Components with the following:

    Unmatched commands: deny

    Permit unmatched args: UNCHECKED

    The authorized command is 'show' with the args "permit ver", "permit interface" and "permit run".

    This authorization set is then applied to the group, under the option "Assign a Shell Command Authorization Set for any network device."

    The group option is set to 'Max privilege for any AAA client: level 15'.

    This configuration is then tested against two IOS switches, with aaa commands as follows:

    aaa new-model

    aaa authentication login default group tacacs+ local

    aaa authentication enable default group tacacs+ enable

    aaa authorization exec default group tacacs+ local

    aaa authorization commands 15 default group tacacs+ local

    The problem I have is that when a user who is part of this group connects, he can issue commands such as show ver, show run and show int just as I would expect. Any command that does not begin with show... is denied. However, other show commands that do not appear in the arguments also work, while some don't. For example, "show arp" and "show vlan" worked, while "show accounting" and "show buffers" did not. What am I missing?

    Commands that work without being explicitly set are at a privilege level lower than 15... for example, "show arp" is a priv-1 command, so it is executable without command authorization, as you do not have command authorization configured for priv-1.

    Router> sh priv

    Current privilege level is 1

    Router> show arp

    Protocol  Address          Age (min)  Hardware Addr   Type   Interface

    Internet  10.1.5.2               24   0000.abcd.abcd  ARPA   Ethernet0/0

    Internet  10.1.5.3                -   0003.abcd.abcd  ARPA   Ethernet0/0

    Router>

  • ACS - configure the authorization of shell commands to work under the configuration mode (conf t)

    Hello world

    I'm trying to set up a shell command set where all commands (including conf t mode) are allowed, with the exception of administrative commands such as write, copy, admin, format etc.

    It worked for (most) privileged-mode commands (such as write and copy), but not for conf t mode commands. It is important to prevent users from performing the 'write' and 'copy run start' commands, for example.

    Here is the entry in the shell command authorization set (Partial_access):

    Unmatched commands: permit

    List of commands:

    admin

    copy

    delete

    do

    format

    write

    (Relevant) group settings:

    Shell (exec): checked

    Privilege level: checked, 15

    Shell command authorization set:

    Assign a Shell Command Authorization Set for any network device - Partial_access (group name)

    I use CiscoSecure ACS version 4.2 (0)

    Thank you

    Lior

    Hi Lior,

    Please make sure you have the following command configured on the AAA client:

    aaa authorization config-commands

    Please post your AAA client configuration (via "sh run | i aaa") and, if possible, your privilege configuration.

    HTH

  • Help ACS shell command authorization

    Hello

    I wanted to only allow users to use the interface command. But when I enabled config terminal in the ACS shell command set, all commands are allowed. How can I limit users to having permission only for the interface command?

    Thank you

    Two things may be wrong:

    (1) you do not have the following command on your AAA client:

    aaa authorization config-commands

    (2) you have selected the 'Unmatched Commands' = permit radio option in ACS; take a look at:

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

    Regards

    Farrukh

  • Unable to send scan scanning HP outputs to any destination

    Hello

    I'm having trouble getting scanned docs out of HP Scan (in any format) using the 'Save' or 'Send' commands.

    When I try to save the doc as pdf or tiff, I get the error "An error occurred saving the file because it could not be written to. Check the properties of the file to ensure that it is not locked." I am writing to my desktop, which has no permission restrictions, and I am writing to a new file, so there are no existing file permissions to worry about.

    When I try to "send" it to an email, it seems to do something with the operating system and think it's done. But the process just runs an empty Mac app and doesn't launch an email.

    Both of these problems occurred only recently, and I used HP Scan successfully several times in the past. But now it's useless!

    Anyone have ideas?

    Thank you

    Nick

    Useful info:

    HP Scan Version: 2.4.2 (3)

    Hardware: iMac 27 inch, late 2009

    OPERATING SYSTEM: OS X 10.9.2

    Anything else needed that would help?

    Hi everyone - from the display, I had another go at the discussion messages and discovered that, in the Mavericks environment, I should just use the capture feature inside Preview.

    I used that, and it imported the scan successfully.

    While I have not solved the problem with HP Scan, this suggests that the program is largely redundant.

    Nick

  • issue of order approval

    I have been able to restrict access to certain interfaces by command authorization, but when I try to allow access to shutdown or no shutdown, ACS reports "unknown command" in the logs and the command authorization fails. If it were just a mistake with the syntax, the logs would report 'command denied', so I don't think that's the problem. I am adding some arguments to the correct command, for example:

    Ethernet -> permit shutdown

    Any suggestions?

    Hello

    This is what you set under the shell command authorization set:

    Unmatched commands > permit, unmatched args

    no - permit shutdown

    shutdown - permit

    NOTE: Do not check permit unmatched args for the above args.

    HTH

    Regards

    JK

  • Authentication ACS4.1

    I'm setting up ACS 4.1 and I've run into a command authorization problem on a PIX firewall. After all the configs on the PIX and the setup of the group and the device on the ACS 4.1 server, I am able to connect to the PIX with my Windows user name and password. Once in, I am able to switch to enable mode (with the enable password), but once I'm in enable mode I can't type any command... I get command authorization failed. I checked the ACS server and I see myself successfully connecting in the logs, and then in the failed attempts logs I see this:

    2008-04-13 09:11:08 author doesn't have a group of enable_15 default 0.0.0.0 (default)... Unknown user...

    Why would it try to authenticate enable_15?

    What part of the config on the ACS server am I missing?

    Also... if I add an ACS internal user named enable_15 and add it to the group, everything works fine... but I don't think I should have to do that.

    For command authorization to work on the PIX, you must configure enable authentication.

    So make sure you have this command on the PIX:

    aaa authentication enable console RADIUS LOCAL

    Now it should work fine.

    Kind regards

    ~ JG

    Rate useful posts

  • ACS read only access to devices

    We are using ACS ver 4.2 and trying to set up users with limited access to our switches and routers. Here's what we did:

    (1) created a user in ACS

    (2) created a Shell Command Authorization Set - ReadOnly

    Unmatched commands - deny

    Commands added:

    show

    exit

    * This should limit the user to show commands and exit only (correct?)

    3) created a group - Support - with the following TACACS+ settings:

    Shell (exec) is checked

    Privilege level is checked with 15 as the assigned level

    Assign a Shell Command Authorization Set for any network device - selected

    ReadOnly - selected as the shell command authorization set

    When the user connects to the router/switch, it seems that he has full access. He can enter enable and the config terminal command. All we want him to be able to do is issue show commands.

    Any help would be appreciated.

    Please refer to this document

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

    and compare the config. As you say, the ACS config looks OK; on the switch/router you must also have the following commands:

    aaa authorization config-commands

    aaa authorization commands 0 default group tacacs+ local

    aaa authorization commands 1 default group tacacs+ local

    aaa authorization commands 15 default group tacacs+ local

  • Cisco ACS 4.2 providing display orders only

    I am trying to create a user so that I can give him only the ability to run show commands and nothing else.

    (1) created a user in ACS

    (2) created a Shell Command Authorization Set - ReadOnly

    Unmatched commands - deny

    Commands added:

    show

    exit

    3) created a group - Support - with the following TACACS+ settings:

    Shell (exec) is checked

    Privilege level is checked with 15 as the assigned level

    Assign a Shell Command Authorization Set for any network device - selected

    ReadOnly - selected as the shell command authorization set

    I set up on my router:

    aaa authorization config-commands

    aaa authorization commands 0 default group tacacs+ local

    aaa authorization commands 1 default group tacacs+ local

    aaa authorization commands 15 default group tacacs+ local

    But still the user can run config t and other commands. Can someone help me solve this problem?

    Hello

    I'm trying to figure out what might be the case. That's why I'm asking you the question.

    Which option is checked for the shell command authorization set configuration: for the user, or for the group?

    The configuration seems fine to me. Just for confirmation, could you please check whether the configuration matches the link:

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

    Kind regards

    Anisha

    P.S.: Please mark this thread as answered if you feel that your query is resolved. Rate useful posts.

  • Browser blackBerry Smartphones error message: u23 MDS Service not available

    Hi all!

    I have a problem that is driving me crazy.  The facts:

    I have a BB 9780 working with my company's BES which shows this message. Impossible to get any URL with it. Another application that requires this type of access (maps) does not work either, even though the GPS can give the proper location. It seems it must be associated with the browser.

    E-mail works perfectly.

    Another BB [8910] has no problem on my BES. Just this one.

    Already wiped and reactivated... nothing changes.

    Any idea? Each one will be welcome.

    I would ask my IT support team... but... I am the IT team

    Thank you!

    Enrique.

    It's strange - as you write, you have one 9780 device that gives the MDS problem, and others are functioning normally. This may mean some problem with the BES.

    So maybe two questions here.

    1. user on BES has some problem - try to re-create (as usual with the IT policy and permission restrictions)

    2. problem can be in the device - try to wipe with BBSAK and first do "Factory reset", then "Wipe Device", then re-load a newer OS to the device. Restore to the device only the needed information (Address Book, Messages, SMS), but by no means the system configuration and Options.

    Maybe this helps.

    Also, I found a suggestion to re-install the MDS Service: http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB25047

  • Looking for sample configuration (failed authorization of the order)

    I have problems getting TACACS+ working properly with ACS 5.1 and a simple Catalyst 3750 switch.

    I can authenticate with AAA, but I can't get a single command to work once I am in; I get "failed command authorization" even on "enable".

    Can someone point me to a resource that will guide me through the process?

    Thank you

    You probably have command authorization enabled on your switch and the ACS access policy is not allowing commands. A way around this is to disable command authorization on the device or to allow all commands in your command sets under your access policy.

    Check these settings and don't forget that the 'customize' button will help you activate the rules or the permissions if you have trouble finding them.

    Here is the guide of the user to ACS 5.2 - http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/acsuserguide.html

    Thank you

    Tarik

  • Windows 10 installed without permission, I reload Win 7, now I get constant reboot commands.

    * Original title: Constant reboot command

    Microsoft, without my permission, loaded Win 10; I followed the instructions to remove it and reload Win 7, and now I get constant reboot commands.

    Hello

    According to the description, I understand that you downgraded from Windows 10 and now face problems with your Windows 7 computer.

    I would like to know some information.

    1. Do you receive an error code or error message?

    2. What are the restart commands you are talking about?

    3. What is the current status of your computer? Can you boot into the computer?

    First of all I suggest you disconnect all external devices such as USB printers, USB hubs, etc.

    I suggest you try to start the computer in safe mode and check; please see the Microsoft article below and check whether it helps.

    http://Windows.Microsoft.com/en-us/Windows/Start-computer-safe-mode#start-computer-safe-mode=Windows-7

    Alternatively, you can use the Microsoft article given below to perform the verification and startup repair.

    http://Windows.Microsoft.com/en-us/Windows/what-are-system-recovery-options#what-are-system-recovery-options=Windows-7

    Hope this information helps. Please let us know if you need any other help with Windows in the future. We will be happy to help you.

  • How to restrict the running command prompt?

    How to restrict the running command prompt?

    I already know the method: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System DisableCMD: 2

    but it is possible to re-enable cmd by changing that value with widely used system tool software.

    So I want to deny changes to the registry value by such software; I changed all permissions on the registry [System] key to deny for my account.

    but after I modified the registry key permissions to deny, DisableCMD was no longer active.

    Is it impossible to have both parameters: [DisableCMD: dword = 2] and [{System} key locked: deny all permissions for my account]?

    This issue is beyond the scope of this site, which is for consumer-related issues.

    To ensure that you get a proper answer, ask either on the TechNet site if it is a Pro type of problem, or on MSDN if it's developer-related.

  • Restriction reformatting Mac - command-R does not work

    Hello! A friend of mine gave me a refurbished iMac (2008) from his place of work, and I'm desperately trying to reformat it since there are some problems with the audio and the internet. Unfortunately the computer does not let me go into the reset menu when I restart; it completely ignores any keyboard (command-R) input and restarts normally as if I had never pressed a button. Can someone help me please?

    You have posted this in the wrong forum; this is the Pages forum. AFAIK command-R does nothing when starting, and I very much doubt you need to reinstall the system, except if you change yourself to be the admin. Here again, you have other ways to change details and log in. OS X is not Windows; you don't do what you do on Windows. Determine what the real problem is before trying what is essentially voodoo.

    Do you have the DVD to reinstall the system, assuming there is a DVD player? In that case, put it in and reboot holding down the 'c' key (for the CD) to start from it.

    Otherwise, install a new OS on an external hard drive with the Setup file and restart off the external hard drive by holding down the option key when the computer reboots and choosing that drive.

    Peter

  • A message about restricted permissions in Outlook which includes a hyperlink. How do I get permission to display it in Outlook

    Suddenly received a message refusing permission to view a hyperlink in Outlook Office 2007. How do I grant permission to access the link while in Outlook 2007?

    Is this what you are looking for?

    You receive an error message when you click a hyperlink in Outlook
    http://support.Microsoft.com/kb/310049
