SecureACS refuse/allow attribute problem

Discussion in 'Cisco' started by Jason Kau, Jul 10, 2003.

  1. Jason Kau

    Jason Kau Guest

    Hi,

    I'm using SecureACS 2.3.6.2 as my TACACS+ authentication server (combined
    with RSA/ACE Server 5.1) for telnet/ssh management sessions to our Cisco
    network devices (IOS-based switches and routers).

    I would like to be able to restrict certain users' access to certain
    network devices. I have set up this user profile:

    #./ViewProfile -u jk87
    User Profile Information
    user = jk87{
    profile_id = 21
    set server current-failed-logins = 0
    member = admin
    profile_status = enabled
    service=shell {
    set priv-lvl=15
    allow "^192\.168\.0\.16$" "tty.*" ".*"
    refuse ".*" ".*" ".*"
    }

    based on the example at:

    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/acsu235/examplzd.htm#1015316

    If I understand the example correctly, this should allow the user "jk87"
    to only login to the device 192.168.0.16 (in this case, a Catalyst 2950
    switch) but not any other devices.

    However it does not work:

    Trying 192.168.0.16...
    Connected to 192.168.0.16.
    Escape character is '^]'.

    User Access Verification

    Username: jk87
    Enter PASSCODE:
    Authorization - Unauthorized NAS or PORT

    If I remove the "refuse" attribute from the user jk87 profile, I am able
    to login:

    Trying 192.168.0.16...
    Connected to 192.168.0.16.
    Escape character is '^]'.

    User Access Verification

    Username: jk87
    Enter PASSCODE:
    switch#

    So it appears the refuse/allow attributes are not being matched/parsed as
    I would expect based on the documentation.

    Any ideas?
     
    Jason Kau, Jul 10, 2003
    #1

  2. Jason Kau

    Jason Kau Guest

    Not that anyone cares, but the solution is to set the following option in CSU.cfg:

    NUMBER config_get_names_from_dns = 0;

    This will keep ACS from doing reverse DNS resolution and breaking allow/refuse
    attributes that match based on IP address.

     
    Jason Kau, Jul 21, 2003
    #2
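    As an added illustration (not code from this thread, from ACS or from Cisco), a small Python model of first-match allow/refuse evaluation that reproduces the symptom: when the NAS is identified by its reverse-DNS name instead of its address, the IP-anchored allow line never matches and the catch-all refuse line wins. The switch hostname, the tty port, the remote address, the PTR table and the default-allow fallthrough (consistent with post #1, where removing the refuse line let the login succeed) are all assumptions.

```python
import re

# Constructed reverse-DNS table: with config_get_names_from_dns on, ACS would
# identify the NAS by this name instead of its address (hostname is assumed).
REVERSE_DNS = {"192.168.0.16": "sw-2950.example.net"}

# The allow/refuse lines from the jk87 profile, in order:
# (action, NAS pattern, port pattern, remote-address pattern)
PROFILE_RULES = [
    ("allow", r"^192\.168\.0\.16$", r"tty.*", r".*"),
    ("refuse", r".*", r".*", r".*"),
]

def nas_identity(nas_ip, get_names_from_dns):
    """How the NAS is named before matching: its hostname when DNS lookups are
    on and a PTR record exists, otherwise the raw IP address."""
    if get_names_from_dns:
        return REVERSE_DNS.get(nas_ip, nas_ip)
    return nas_ip

def authorize(rules, nas, port, rem_addr):
    """First-match evaluation of allow/refuse lines. Returns (decision, index of
    the matching rule or None). A profile whose lines all miss falls through
    to allow (assumption, matching what post #1 saw without the refuse line)."""
    for i, (action, nas_re, port_re, rem_re) in enumerate(rules):
        if (re.search(nas_re, nas) and re.search(port_re, port)
                and re.search(rem_re, rem_addr)):
            return action, i
    return "allow", None

def login_attempt(get_names_from_dns, rules=PROFILE_RULES,
                  nas_ip="192.168.0.16", port="tty1", rem_addr="10.0.0.5"):
    """Simulate jk87's telnet session to the switch under the given setting.
    Port and remote address are constructed sample values."""
    nas = nas_identity(nas_ip, get_names_from_dns)
    return authorize(rules, nas, port, rem_addr)

if __name__ == "__main__":
    print("DNS names on :", login_attempt(True))   # ('refuse', 1): catch-all hit
    print("DNS names off:", login_attempt(False))  # ('allow', 0): IP line matches
    print("DNS on, no refuse line:", login_attempt(True, rules=PROFILE_RULES[:1]))
```

    With the name lookup on, the allow line is a dead rule even without the refuse line; the login only succeeds because nothing matched at all, which is why the fix is to turn the lookup off rather than to drop the refuse line.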
