Specific shell command authorization - ACS / TACACS+ on 2900XL

Hello all-

I am struggling with a particular issue here. I am running ACS 3.2 and trying to implement secure access to my switches. I have 'students' at my University whom I want to let run specific functions, i.e. change the port VLAN and write memory, etc.

I have successfully set up the authorization piece, and my test account can log in. I have also successfully assigned a privilege level of 7, which gives me a set of default base rights. Accounting works as well, showing the logins and commands coming in.

What I want to do is use ACS to allow a particular group of commands, so I can change it if needed in one place (ACS) and not touch 400+ devices. ACS says it can be done, but it doesn't seem to work. I created a Shell command set and specified commands, no luck. Even if I change the 'unmatched commands' toggle to 'permit' (which should allow all commands, right?) it still does not allow all commands. I assigned the Shell command set to the group of which the students are members...

My AAA commands are as follows:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 7 default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

Any ideas? Any thoughts?

Thank you!

Michael

QU.edu

Michael,

You are performing command authorization only for commands that exist at privilege level 7. By default, configuration commands have privilege level 15. There are two ways you can go about solving this problem. The first would be to set up authorization for level 15 commands. The second would be to change the privilege level of the commands that you want your students to be able to run from level 15 to level 7. This can be done with the privilege command. Here is a link that shows the use of this technique locally on the device: http://www.Cisco.com/warp/public/480/Priv.html

I don't know if ACS can push the device configuration on a per-user basis, so the first option may be your best bet. Be sure to allow access to all commands for yourself.

Steve
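As an added example (not code from the original thread or from Cisco), here is a small Python audit that flags the coverage gaps several answers in this thread explain: command authorization configured for only one privilege level, so the level 1 'show' commands are never sent to ACS; accounting enabled only for level 15; and config-commands authorization not explicitly enabled. The two sample configs are constructed for this example, modelled on the posts here, and the server group name tacacs+ is assumed.

```python
import re

# Constructed sample modelled on this thread's first post: authorization and accounting only at level 7.
LEVEL7_ONLY = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 7 default group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""
# Constructed hardened variant: levels 1 and 15 both authorized and accounted, config-commands explicit.
HARDENED = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""
CMD_RE = re.compile(r"^aaa (authorization|accounting) commands (\d+)\b")

def parse_aaa(config):
    """Collect the AAA facts the audit needs from one device's configuration text."""
    facts = {"new_model": False, "config_cmds": False, "authz": set(), "acct": set()}
    for raw in config.splitlines():
        line = " ".join(raw.strip().lower().split())  # normalise case and whitespace
        if line == "aaa new-model":
            facts["new_model"] = True
        elif line == "aaa authorization config-commands":
            facts["config_cmds"] = True
        else:
            m = CMD_RE.match(line)
            if m:  # per-level command authorization / accounting
                key = "authz" if m.group(1) == "authorization" else "acct"
                facts[key].add(int(m.group(2)))
    return facts

def audit(config, user_levels=(1, 15)):
    """List gaps for the privilege levels users can actually reach (1 at login, 15 after enable)."""
    f = parse_aaa(config)
    findings = []
    if not f["new_model"]:
        findings.append("aaa new-model missing: AAA method lists are not applied")
    for lvl in user_levels:
        if lvl not in f["authz"]:
            findings.append(f"level {lvl} commands are never sent to TACACS+ for authorization")
        if lvl not in f["acct"]:
            findings.append(f"level {lvl} commands are not accounted")
    if f["authz"] and not f["config_cmds"]:
        findings.append("config-commands authorization not explicitly enabled")
    return findings
```

Run `audit()` over each device's saved configuration; pass `user_levels=(1, 7, 15)` when, as in the first post, users land at level 7.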

Tags: Cisco Security

Similar Questions

  • ACS command authorization reporting in conf t mode

    Hi, this is probably a quick one, but I couldn't find a solution so far.

    We use command authorization through ACS and are thus able to see (in case of problems) who entered which commands at what point on which device. But it stops working once someone goes into conf t mode. After that I get no log entries in the ACS (version 5): I can see all the commands and who entered configuration mode, but nothing after that. Excerpt from the configuration:

    aaa new-model
    aaa authentication attempts login 5
    aaa authentication login default group tacacs+ local line enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common

    My guess is that I'm missing something in these commands and so no authorization takes place.

    Any idea?

    Thank you

    Chris

    Hello

    What are you looking at? Take a look at the RADIUS Accounting and TACACS+ Authorization reports.

    Thank you

    John

  • Problem with shell command authorization

    I came across this issue with ACS 3.1 and ACS 3.2.

    A shell command authorization set is created under Shared Profile Components with the following settings:

    Unmatched commands: deny

    Permit Unmatched Args: UNCHECKED

    The permitted command is 'show' with the args "permit ver", "permit interface" and "permit run".

    This authorization set is then applied to the group, under the option "Assign a Shell command authorization set for any network device."

    The group option 'Max privilege for any AAA client' is set to level 15.

    This configuration is then tested against two IOS switches, with aaa commands as follows:

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local

    The problem I have is that when a user who is part of this group logs in, they can issue commands such as show ver, show run and show int just as I would expect. Any command that does not begin with show... is denied. However, some other show commands that do not appear in the arguments will work, while others don't. For example, "show arp" and "show vlan" worked, while "show accounting" and "show buffers" did not. What am I missing?

    Commands that work without being explicitly set are of a privilege level lower than 15... for example, "show arp" is a priv-1 command, so it is executable without command authorization, as you do not have command authorization for priv 1.

    Router>sh priv
    Current privilege level is 1
    Router>
    Router>
    Router>show arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  10.1.5.2                24   0000.abcd.abcd  ARPA   Ethernet0/0
    Internet  10.1.5.3                 -   0003.abcd.abcd  ARPA   Ethernet0/0
    Router>
    Router>

  • Shell command authorization

    Hi all

    I'm having a problem with Shell command authorization. I have a user that I just want to be able to display the configuration; it is for auto-archiving the config on an hourly basis.

    I have configured the device with the following aaa commands:

    aaa new-model
    aaa group server tacacs+ ACS
    aaa authentication login default group ACS
    aaa authentication login NOAUTH none
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ group ACS
    aaa authorization exec NOAUTH none
    aaa authorization commands 15 default group ACS
    aaa authorization commands 15 NOAUTH none
    aaa accounting commands 15 default start-stop group ACS

    The static account I have set up logs in OK and can show config etc. Access to conf t is denied, which is good, but for some reason it can run any show command rather than just the one I have allowed in the Shell command authorization set.

    Unmatched commands is set to deny and permit unmatched arguments is unchecked.

    ACS is 3.3(2) and the switch I tested is running 12.1(9)EA1.

    Any ideas?

    Most 'show' commands are level 1 commands. You can check this by logging in as a normal user, issuing a "sho priv" to make sure that you are at level 1, and then typing 'sho ip route', "sho ver", etc.; you will see that they all work fine.

    Your AAA commands only tell the switch to authorize level 15 commands, so when you do a "sho ver" or similar, this command will not be sent off to the ACS server for authorization.

    If you add the following:

    aaa authorization commands 1 default group ACS

    then that should fix what you have, but be careful because it is easy to lock yourself out of enable mode (add 'enable' to your command set too).

    You should also have noticed that all those 'show' commands were not being accounted for either, because you have also only enabled accounting for level 15 commands.

  • How to activate 'Shell command authorization sets'

    Hello

    I use aaa over TACACS+ to check the user against MS Active Directory.

    I set up a new "Shell command authorization set"; see the attachment for more details.

    But it does not work. So I just want to check whether using a command works or not.

    You can see in the attached file that I tried something with the command 'show'.

    But when I log in I am still able to use "show aaa servers", for example, although in the 'show' command box I put the argument "deny aaa" inside.

    Why doesn't this work?

    Thanks for the help

    BB

    BB,

    Not sure why you want to do it this way. The trick here is to give all users priv 15 and then set up the command authorization set according to your needs.

    Giving priv 15 does not mean that the user will be able to run all the commands. You can set up an authorization set and permit only the specific commands you want the user to be able to run.

    Pls rate if this helps

    Kind regards

    ~ JG

  • Config command authorization, ACS 3.3

    Hello

    I want to allow a user only to add/remove routes on a router. The shell command authorization works very well. But when the user is in configuration mode, they can issue any command!

    Debugging says:

    1w2d: AAA/AUTHOR: authorization config command not enabled

    How can I activate this, and how/where can I set it up in ACS?

    Thanks in advance

    ACS just allows the user to enter the 'route' command like any other shell command that they are authorized for.

    On the router/NAS, you must tell it specifically that you want authorization for config commands with the following:

    aaa authorization config-commands

    Note that the format of this command changes slightly on different versions of IOS, but if you type "aaa authorization ?", you will be able to figure it out.

  • ACS 4.1 command authorization failing intermittently

    Hello

    I have set up aaa on switches using TACACS+ on the network, however I seem to get occasional command authorization errors. It shows when I try entering the command on multiple ports at the same time (for example interface range giga 1/1-48). If I do it on one port instead, I don't seem to encounter the error. Would it be because the ACS is unable to handle the load? It is only a single switch running the command for port ranges.

    I've attached an example of the error for reference:

    switch(config-if-range)#description level 3
    % Failed authorization.
    % Command failed on interface range. Aborting

    I checked the interface connecting to the ACS, and I see no errors. I'm not too sure what may be the cause of the error. Could it be because the ACS is unable to work well with interface range?

    Thank you.

    There is a bug open for this issue, which is found in 12.2(46), and for the moment there are no plans for how to solve the problem because it involves design work in the code to fix this. The only workaround is to remove command authorization, or to see what your limit is before the interface range command entered begins to drop requests.

  • Using wild-card arguments in Shell command authorization

    Does the Shell command authorization set allow the use of wild-cards?

    For example, under shell command authorization, what can I put in the arguments if I want to allow the command show interface fastethernet 0/1-24 to run?

    And also, what should I put in as the argument for an IP address if I want to allow "ping x.x.x.x"?

    Thanks in advance.

    Hello

    There are two wildcard characters used under Shell command authorization: the first is the '^' sign, which means anything that comes after it is accepted, and the second wildcard is '$', which means anything before it. In your case, you can use

    Interface FastEthernet 0 1 ^

    and

    ping ^

    These entries allow access to each FastEthernet interface and ping to any IP address.

  • ACS - ASA authorization and accounting

    Hello

    I have a few questions about the authorization and accounting on the ASA via an ACS server

    1. When I activate the 'aaa authorization command' for SSH users' commands, I get locked out on the console, so I then have to configure the console, telnet and enable to be authenticated via TACACS+ too. Is it possible to authorize SSH via TACACS+ while keeping the console and telnet authenticated locally, or even with no authentication?
    2. I enabled the 'aaa accounting command TAC' on the ASA, but I noticed that ACS records just the configuration-mode commands at privilege 15, not the show commands or privilege 1 commands. Is it possible to fix this?
    3. Does RADIUS support shell authorization?

    Thank you for your support

    1.] Unfortunately, it is currently not possible to exclude serial/console or ssh users from command authorization while having it apply to other access methods in the case of the ASA. Once you run this command, it is applicable to all methods such as ssh, telnet, http, enable and console. This can easily be achieved on IOS (routers and switches) by creating a method list.

    2.] When configuring the aaa accounting command, every command other than show commands entered by an administrator is recorded and sent to the accounting server(s). This is the default behavior on the ASA. IOS does send/check show commands on ACS/TACACS+.

    http://www.Cisco.com/en/us/docs/security/ASA/asa81/command/ref/A1.html

    Kind regards

    Jousset

    Rate useful posts.

  • AAA command authorization

    I have an ACS 4.0 appliance. In the shell command authorization set section, you can define permitted or denied commands (show) and arguments (running-config). I'm limiting users to a set of specific commands. One of the commands is "exit". To my knowledge, "exit" has no arguments. If I add 'exit' as a permitted command but put nothing in the argument section, I get authorization failed on the router. If I select "permit unmatched args" (for exit), the authorization is successful. I would prefer not to select "permit unmatched args." Is there an argument for "exit" I'm not aware of?

    Hello

    Try this,

    exit - permit

    represents the return key.

    Kind regards

    Prem

  • ACS 5.1 - TACACS+ issue with 'network access' access services

    Hello world

    Can someone explain why TACACS+ cannot be used with the network access services?

    I know that TACACS+ is mainly intended for command authorization, but as I remember with ACS 4.2 it was possible. For example for PPP purposes.

    THX and regards

    Przemek

    TACACS+ requests can only be handled by access services with the Service Type "Device Administration".

    If the type is Network Access, it will fail. Please check the Service Type defined for the Access Service 'VPM-access'.

  • PIX command authorization sets

    Hi all

    Can someone please tell me the use of ACS PIX command authorization? I understand the use of shell command authorization.

    I'm sorry if the question is too dumb. I am completely new to this sector.

    Thanks in advance.

    Regards

    Kirti.

    PIX command authorization sets were designed to set up command authorization with PIX/FWSM, as the PIX shell differed from IOS, but with the current code, PIX/FWSM seems to work correctly with shell command authorization sets.

    So no one is really interested in using PIX shell sets any more; moreover, looking at new PIX code it seems that the developers are more likely making the PIX shell the same as the IOS shell, so even if they drop PIX command sets in the next version of ACS I will not be surprised.

    ~ Rohit

  • TACACS+ authorization

    I can't get aaa authorization to work using win2k TACACS+. I have the following commands on my router:

    aaa new-model
    aaa group server tacacs+ ciscosecure
    aaa authorization config-commands
    aaa authorization exec default group ciscosecure
    aaa authorization network default group ciscosecure

    Authentication is fine; I can even control time-of-day login. Only authorization gives problems; I need to define groups for the users to belong to.

    Thank you

    Francis

    Hello Francis,

    You must add the following line/lines for authorization on the router-

    aaa authorization commands 0 default group tacacs+
    aaa authorization commands 1 default group tacacs+
    aaa authorization commands 15 default group tacacs+

    Thank you

    Renault

  • Equivalent command to 'ip tacacs source-interface' on ASA

    Is there an equivalent command to 'ip tacacs source-interface' on the ASA? We have an L2L VPN between 2 ASAs and the AAA server is across the VPN tunnel, and I want the ASA to go to the ACS with the inside interface as source, not the outside. The aaa-server command is pointing at the outside interface and management-access inside is set up, but packets are still routed using the outside interface as source. Any workaround other than NAT?

    Yes, you can configure the inside interface in the aaa-server command when you set the IP address of the server.

    For example:

    aaa-server mytacacs (inside) host 10.1.1.1

    Here is the command for your reference:

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/A1.html#wp1596947

    Hope that helps.

  • Shell command authorization sets per device using NDG?

    Hello. I have configured NDGs; there is a group called "GR1" with 30 switches.

    This group is set up with a Shell command authorization set called "Monitoring", in which only show commands, ping and traceroute are allowed.

    I want to let users log in to only 10 of the 'GR1' group switches to set up some interfaces and IP addresses, and not to the others. Note: the interface numbers are not the same for each switch; it can be Fa0/1 on some, but Fa0/3 on others, etc.

    I want to keep these 10 switches within the group "GR1"; is it possible to do this configuration?

    -Thank you

    I edited my post above to make it clearer. You can assign Shell auth sets at the user, group, or NDG level. More details are given at the following link:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SPC.html#wpmkr697610

    AFAIR, one device (AAA client) can be part of only one NDG, so you can't achieve your requirement using Shell command authorization sets by NDG, unless you break the NDG into more than one NDG.

    You can assign authorization at the user or group level (after grouping the users appropriately) to achieve your requirement.

    You can also use the 'privilege' command on the switch to ensure that users can only see the commands you want. For example, when a user logs in they will be placed at level 7. Now you can keep unwanted commands at level 15 and lower the commands you want to level 7. All other users would receive a lower level (e.g. level 5), so they will not be able to run those commands.

    Regards

    Farrukh
