Hi Piotr,

You are right, along with Tyson. Thanks very much!

________________________________
From: Piotr Kaluzny [mailto:[email protected]]
Sent: Monday, February 08, 2010 7:24 PM
To: Tating, Lorenzo C. Jr.
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Shell Command Authorization inconsistency in IOS

Hi Lorenzo,

I forgot to CC.

The reason this command fails in this case is that you probably enabled command authorization for levels 0 and/or 1 in addition to level 15. You can either remove it ("no authorization command 0/1 name" in line config mode + "no aaa authorization command 0/1 x") or add the necessary commands to the ACS section. In the first case this user will have access to all level 0 and 1 commands + only the "clear line" from level 15. In the second case only the specified commands will work.

Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

On Mon, Feb 8, 2010 at 2:51 AM, Tating, Lorenzo C. Jr. <[email protected]> wrote:

Hi Piotr,

Thank you for the alternative. I created a usergroup and assigned level-15 to it. Here is the config on ACS:

    Unmatched commands: deny
    Command list: clear
    Permit unmatched args (unchecked): permit line

The user can clear the line, but is now not able to do even a simple level 1 command like "show ver".

    R3#show privilege
    Command authorization failed.
    R3#clear line 0
    [confirm]
     [OK]
    R3#
    R3#show ver
    Command authorization failed.
    R3#
    R3#

PS: Do I need to include the studylist email in the CC list, or keep this unicast?

Lorenzo C. Tating, Jr.
Technology Support Specialist
Service Support Group 1
Technology Services Division
FUJITSU PHILIPPINES INC.

________________________________
From: Piotr Kaluzny [mailto:[email protected]]
Sent: Friday, February 05, 2010 6:11 PM
To: Tating, Lorenzo C. Jr.
Subject: Re: [OSL | CCIE_Security] Shell Command Authorization inconsistency in IOS

Lorenzo,

This is a 15-level command, which means it will not be accessible on level 14 unless you move it there with the "privilege exec level" command, as you described. What you configure under the ACS Authorization section applies only to the privilege levels pointed for authorization on the routers, but it does not change the level the command itself is accessible on.

The alternative to this is to create two 15-level users, one with access to all commands and the other who could only access the "clear line" command (and anything else you think fit). Then you would not have to move the command with the "privilege" statement.

Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

On Fri, Feb 5, 2010 at 10:23 AM, Tating, Lorenzo C. Jr. <[email protected]> wrote:

I am trying to do Shell Command Authorization on my routers using TACACS. I have one user that I placed under privilege level 14. I want a level 15 command (clear line) to be used by that user. Using "privilege exec level 14 clear line" works, but I need to implement it on ACS to save me time from having to enter the command over and over again on many routers.

But I noticed that once my user logged in under privilege level 14 (TACACS Setting, Privilege Level = 14), the Command Authorization. I cannot bring the "clear line" command to that level. I tried using this on the ASA and it works; it just seems the router won't allow bringing a level 15 command down to level 14 without manually configuring "privilege exec level 14 clear line".

ACS config:

    Per Group Command Authorization
    Unmatched Cisco IOS commands (deny) [check]
    Command: clear
    Arguments: (none)
    Unlisted arguments: permit

Any help will be appreciated.

Sincerely,
Lorenz

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
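As an added illustration of Piotr's explanation (not from the thread or from any Cisco code), this Python model reproduces the outcomes discussed above: a level-15 command stays out of reach of a level-14 user whatever ACS says, "show ver" is denied for the level-15 user when levels 0/1 are also sent to ACS with unmatched commands denied, and either fix (dropping level 0/1 authorization or adding "show" to the command set) restores it. The ACS argument matching is simplified to prefixes and the privilege-level table is constructed.

```python
"""Model of the IOS + ACS shell command authorization decision discussed
in the thread.  Added example, not from the mails or from any Cisco code.
Assumptions: a simplified ACS command set (command word, argument patterns
matched as prefixes, unmatched-command policy) and a router that sends a
command to ACS only for the levels named in 'aaa authorization commands'."""
from dataclasses import dataclass, field

# Default IOS privilege level per command (constructed table: "clear line"
# is a level-15 command, these "show" commands are level 1).
DEFAULT_LEVEL = {"clear line": 15, "show version": 1, "show privilege": 1}


@dataclass
class CommandSet:
    permit_unmatched: bool                            # ACS "Unmatched commands: permit/deny"
    commands: dict = field(default_factory=dict)      # word -> (arg prefixes, permit unlisted args)

    def authorize(self, word, args):
        if word not in self.commands:
            return self.permit_unmatched
        prefixes, permit_unlisted = self.commands[word]
        return permit_unlisted or any(args.startswith(p) for p in prefixes)


@dataclass
class Router:
    authorized_levels: set                            # 'aaa authorization commands <lvl> ...'
    privilege_exec: dict = field(default_factory=dict)  # 'privilege exec level N <cmd>'

    def level_of(self, cmdline):
        # A moved command ('privilege exec') wins over the IOS default level.
        for table in (self.privilege_exec, DEFAULT_LEVEL):
            for cmd in sorted(table, key=len, reverse=True):
                if cmdline.startswith(cmd):
                    return table[cmd]
        raise KeyError(cmdline)


def run(router, acs, user_level, cmdline):
    """Outcome of a user at user_level typing cmdline on the router."""
    level = router.level_of(cmdline)
    if level > user_level:
        return "not available at this privilege level"  # ACS cannot change this
    if level not in router.authorized_levels:
        return "OK"                                     # level not authorized: runs locally
    word, _, args = cmdline.partition(" ")
    return "OK" if acs.authorize(word, args) else "Command authorization failed."


if __name__ == "__main__":
    lorenzo = CommandSet(permit_unmatched=False, commands={"clear": (["line"], False)})
    both = Router(authorized_levels={1, 15})          # levels 1 and 15 authorized: the failing case
    print(run(both, lorenzo, 15, "clear line 0"), run(both, lorenzo, 15, "show version"))
    print(run(Router(authorized_levels={15}), lorenzo, 15, "show version"))  # fix 1: OK
```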
