Thanks, Mike,

Lots of show commands that are not allowed by the shell authorization command set 
are denied, and I see it in the ACS Failed Attempts:

Command denied: service=shell cmd=show privilege

But I'm still able to change the hostname. My AAA section on the router looks 
like this:

aaa new-model
aaa authentication login default group tacacs+
aaa authentication login CON none
aaa authorization config-commands
aaa authorization exec default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 10 default group tacacs+
aaa authorization commands 15 default group tacacs+

What do you mean by "denying" the command on TACACS? I thought that all 
commands not explicitly listed in the set are automatically denied.
There's of course a way to add a line "hostname deny *", where the asterisk means 
everything, but this is sort of not how I want it ;)

Eugene

From: Mike Rojas [mailto:[email protected]]
Sent: Sunday, July 08, 2012 11:08 AM
To: Eugene Pefti; [email protected]; [email protected]
Subject: RE: [OSL | CCIE_Security] Commands authorization

The command hostname is being denied on the tacacs?

This looks fine:
privilege configure level 10 hostname
privilege exec level 10 configure terminal
privilege exec level 10 configure
privilege exec level 10 show running-config
privilege exec level 10 show

Just add aaa authorization config-commands and deny it on the tacacs.

Mike

________________________________
From: [email protected]
To: [email protected]; [email protected]
Date: Sun, 8 Jul 2012 18:03:17 +0000
Subject: Re: [OSL | CCIE_Security] Commands authorization
Sorry for coming back to the same topic again.
Now I have a question whether I can do a mix of the below-said authorizations, 
namely having certain commands available at a particular level, e.g. 10, and 
authorizing commands with a shell command set on a TACACS server.
It looks like the command set from TACACS is not pushed to the user. I moved a 
few commands to privilege level 10:

privilege configure level 10 hostname
privilege exec level 10 configure terminal
privilege exec level 10 configure
privilege exec level 10 show running-config
privilege exec level 10 show

And I want to deny the user the ability to change the hostname. So my shell 
command authorization set looks like this:

Cmd = "configure" , Args = "permit terminal"
Cmd = "show" , Args = "permit running-config"

With all this I expect the user to be allowed to run show commands and see the 
hostname in the config, but to be denied changing the hostname because it's not 
listed in the command set. But it doesn't work this way.

Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of Eugene Pefti
Sent: Friday, July 06, 2012 8:48 PM
To: waleed '; CCIE Security
Subject: Re: [OSL | CCIE_Security] Commands authorization

Thanks, pal.
Yeah... I realize it now.
Just to recap. I did command authorization two ways.
First was assigning a user privilege level 15 via TACACS and assigning him a 
certain command set. The attempt to run an unassigned command ended up in 
"Command authorization failed".
Second was assigning a user privilege level X (let's say 7) via TACACS and 
assigning exec and configure commands locally on the router with "privilege 
exec ..." and "privilege configure ...". The attempt to run a command that 
doesn't exist at level 7 ended up with "Invalid input detected at '^' marker".

Eugene

From: waleed ' [mailto:[email protected]]
Sent: Friday, July 06, 2012 8:35 PM
To: Eugene Pefti; CCIE Security
Subject: RE: [OSL | CCIE_Security] Commands authorization

You have to check what you configured for command authorization and for exec 
authorization. You will have this message:

% Invalid input detected at '^' marker.

for a command not found at this level.
________________________________
From: [email protected]
To: [email protected]
Date: Sat, 7 Jul 2012 03:30:26 +0000
Subject: [OSL | CCIE_Security] Commands authorization
Folks,
I'm honing my skills in command authorization and ran into something that put 
me on guard.
I have a number of commands defined in a command authorization set, and the 
router and TACACS user settings are configured for a particular privilege level.
When I run a command that is not allowed, the router says that the command is not 
available, e.g.

R3(config)#int Fa0/1
           ^
% Invalid input detected at '^' marker.

I remember that previously I saw a different message when I tried to execute a 
non-allowed command, namely,

"Command authorization failed"

Why do you think there's a difference ?

Eugene

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com

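Added example, not part of the thread or of Cisco's ACS: a small Python model of how an ACS-style shell command authorization set decides the commands quoted above, so the expected result of the set as written can be compared with what the router actually reports. The matching rules (exact match on the command word, the Args pattern treated as a regular expression over the whole argument string, a bare "*" meaning anything, anything not listed denied) are my reading of the default-deny behaviour Eugene describes and are an assumption; the AV pairs service=shell, cmd= and cmd-arg= are the TACACS+ shell authorization attributes IOS sends, and the sample command set and command lines are constructed from the thread.

```python
import re
from dataclasses import dataclass, field

# One line of the command set as quoted in the thread:
#   Cmd = "show" , Args = "permit running-config"
LINE_RE = re.compile(r'Cmd\s*=\s*"([^"]+)"\s*,\s*Args\s*=\s*"([^"]*)"')


@dataclass
class CommandRule:
    cmd: str
    args: list = field(default_factory=list)  # [(action, compiled regex), ...]


def parse_command_set(text: str) -> dict:
    """Parse Cmd/Args lines into {command word: CommandRule}.
    Assumed semantics (my model, not ACS documentation): the Args pattern is a
    regex matched against the whole argument string, a bare "*" means anything,
    and several Args lines for one Cmd accumulate in order."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.fullmatch(line)
        if not m:
            raise ValueError(f"unparseable command-set line: {line!r}")
        cmd, args = m.group(1), m.group(2).strip()
        rule = rules.setdefault(cmd, CommandRule(cmd))
        if args:
            action, _, pattern = args.partition(" ")
            if action not in ("permit", "deny"):
                raise ValueError(f"bad action in {line!r}")
            pattern = pattern.strip() or ".*"
            rule.args.append((action, re.compile(".*" if pattern == "*" else pattern)))
    return rules


def build_request(command_line: str) -> list:
    """Model the AV pairs IOS sends for one shell command authorization:
    service=shell, cmd=<first word>, one cmd-arg per argument, then cmd-arg=<cr>."""
    words = command_line.split()
    if not words:
        raise ValueError("empty command line")
    return (["service=shell", f"cmd={words[0]}"]
            + [f"cmd-arg={w}" for w in words[1:]]
            + ["cmd-arg=<cr>"])


def _split_request(request: list) -> tuple:
    service = cmd = None
    args = []
    for av in request:
        key, _, value = av.partition("=")
        if key == "service":
            service = value
        elif key == "cmd":
            cmd = value
        elif key == "cmd-arg" and value != "<cr>":
            args.append(value)
    return service, cmd, " ".join(args)


def authorize(rules: dict, request: list) -> tuple:
    """Return (decision, reason). Anything not explicitly permitted is denied,
    which is the default-deny behaviour the thread relies on."""
    service, cmd, arg_string = _split_request(request)
    if service != "shell" or cmd is None:
        return "deny", "not a shell command authorization request"
    rule = rules.get(cmd)
    if rule is None:
        return "deny", f"cmd={cmd} is not listed in the command set"
    for action, pattern in rule.args:
        if pattern.fullmatch(arg_string):
            return action, f"cmd={cmd} args {arg_string!r} matched '{action} {pattern.pattern}'"
    if not rule.args:  # listed with no Args lines: assumed to permit any arguments
        return "permit", f"cmd={cmd} listed without argument restrictions"
    return "deny", f"cmd={cmd} is listed but args {arg_string!r} match no permit line"


def failed_attempt_entry(request: list) -> str:
    """Render a denial the way it shows up in the ACS Failed Attempts report."""
    service, cmd, arg_string = _split_request(request)
    return f"Command denied: service={service} cmd={cmd} {arg_string}".rstrip()


def check(command_set_text: str, command_line: str) -> tuple:
    return authorize(parse_command_set(command_set_text), build_request(command_line))


# Constructed from the command set quoted in the thread.
THREAD_SET = '''
Cmd = "configure" , Args = "permit terminal"
Cmd = "show" , Args = "permit running-config"
'''
# The same set with the explicit deny line Eugene says he would rather avoid.
THREAD_SET_EXPLICIT_DENY = THREAD_SET + 'Cmd = "hostname" , Args = "deny *"\n'

if __name__ == "__main__":
    for line in ("show running-config", "configure terminal", "show privilege", "hostname R3"):
        decision, reason = check(THREAD_SET, line)
        print(f"{line:22s} -> {decision:6s} ({reason})")
        if decision == "deny":
            print(f"{'':22s}    ACS log: {failed_attempt_entry(build_request(line))}")
```

Run stand-alone it prints the decision for each of the four command lines; "show privilege" is denied and rendered as the same "Command denied: service=shell cmd=show privilege" line seen in Failed Attempts, and "hostname R3" is denied purely because hostname is not listed. If a real router lets a command through that this model denies, the useful next step is to look at the authorization request the router actually sends (debug aaa authorization on IOS, or the ACS passed-authentications report) rather than at the set, since the set itself is not what differs.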
