Task 5.5

I can't seem to prevent the NOC user from changing the hostname. All else is working as expected. I am testing via telnet.

aaa new-model
aaa authentication login default group tacacs+
aaa authentication login console none
aaa authorization exec default group tacacs+

privilege interface level 2 shutdown
privilege configure all level 2 interface
privilege configure level 2 hostname
privilege exec level 2 configure terminal
privilege exec level 2 configure
privilege exec level 2 show running-config
privilege exec level 2 show


The ACS Shell group is configured to Deny Unmatched Commands. The NOC user is assigned privilege level 2 with Shell (EXEC) enabled

I have tried

    not adding the hostname command, placing the hostname command

    adding the hostname command and unselecting the Permit Unmatched ARGS

    adding the hostname command, adding an argument of "permit aaa" and unselecting the Permit Unmatched ARGS

    adding the hostname command, adding an argument of "deny aaa" and unselecting the Permit Unmatched ARGS


Any thoughts or advice?

Thanks

Claude


Comments

  • Hey Claude,


    I'm working on this problem myself. I have to give IE lots of credit for coming up with such a thought-provoking task. I can't answer why your config isn't working. From what you've stated it should work.


    However, I came up with a somewhat different solution. Instead of configuring a command authorization set in shared profile, I just config'd the allowed commands under User Setup by selecting "Per User Command Authorization". Then, I selected Permit for "Unmatched Cisco IOS commands" and then in the command text box, I entered hostname and for Unlisted arguments, I left the textbox empty and selected the Deny radio button.


    Now, this is just a thought experiment since I didn't actually configure this but what I described is how I would have done this task.

    Did you get this task to work eventually? If so, what turned out to be the problem?

    Thanks, Tim

  • Thanks for the reply

    I figured it out the second time around

    I was missing "aaa authorization config-commands" in the router.
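    The missing line is easy to overlook because the rest of the TACACS+ setup appears to work. As an added example (not part of this thread, and not Cisco or ACS code), the following Python audit reads an IOS configuration and reports the two statements that decide whether a command ever reaches the TACACS+ server for authorization: an `aaa authorization commands <level>` line for each privilege level that has been given commands, and `aaa authorization config-commands` for commands typed in configuration mode such as hostname. The posted config is used as constructed sample input; it shows neither line, so the audit reports both, and the "fixed" sample adds them.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the AAA and privilege lines exactly as pasted in the post.
POSTED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login console none
aaa authorization exec default group tacacs+
privilege interface level 2 shutdown
privilege configure all level 2 interface
privilege configure level 2 hostname
privilege exec level 2 configure terminal
privilege exec level 2 configure
privilege exec level 2 show running-config
privilege exec level 2 show
"""

# Constructed sample: the same lines plus the two authorization statements
# that send level-2 EXEC commands and configuration-mode commands to TACACS+.
FIXED_CONFIG = POSTED_CONFIG + (
    "aaa authorization commands 2 default group tacacs+\n"
    "aaa authorization config-commands\n"
)

PRIV_CONFIGURE = re.compile(r"^privilege configure (?:all )?level (\d+) ")
AUTHZ_COMMANDS = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")


def audit_command_authorization(config_text: str) -> List[str]:
    """Return one finding per gap that lets a user run commands the TACACS+
    server is never asked about.  An empty list means no gaps were found."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings: List[str] = []

    if "aaa new-model" not in lines:
        findings.append("'aaa new-model' is missing: no AAA authorization happens at all")

    # Privilege levels that have had configuration-mode commands moved to them.
    config_levels: Set[int] = set()
    for ln in lines:
        m = PRIV_CONFIGURE.match(ln)
        if m:
            config_levels.add(int(m.group(1)))

    # Privilege levels whose EXEC commands are authorized through a method list.
    authz_levels: Dict[int, str] = {}
    for ln in lines:
        m = AUTHZ_COMMANDS.match(ln)
        if m:
            authz_levels[int(m.group(1))] = m.group(3)

    for level in sorted(config_levels):
        if level not in authz_levels:
            findings.append(
                f"privilege level {level} has configure-mode commands but no "
                f"'aaa authorization commands {level} ...' line"
            )

    # Exact match is deliberate: 'no aaa authorization config-commands'
    # must not satisfy this check.
    if config_levels and "aaa authorization config-commands" not in lines:
        findings.append(
            "'aaa authorization config-commands' is missing: commands entered in "
            "configuration mode (hostname, interface ...) are not sent to the "
            "TACACS+ server, so a server-side deny never applies to them"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {audit_command_authorization(cfg) or 'no findings'}")
```

    Run it against a `show running-config` capture; the only lines it cares about are the global `aaa` and `privilege` statements, so leading indentation and unrelated sections are ignored.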


  • Yep, and so easy to miss.


    Are you taking the lab before April 20th when Cisco switches over to the new blueprint?

    My lab date is this Tuesday in RTP.

    What did you think of my approach to the problem?

    Tim

  • I tried to get a seat in RTP, but could not book one. I have to travel across the continent for San Jose next Thursday.

    I wanted to do the lab while the VPN3000 was still in play. I think it is easy points.

    I think your approach does the same thing. The profiles are intended to be more scalable.

    Is this your first time doing security? I had to go to RTP three times to pass R&S in 2005-2006.

  • Nope, technically, this will be my 2nd attempt but I don't count the first attempt because I only took it so as to not have to retake the written.

    I knew I had no chance whatsoever of passing.  But, this time I think I have a good chance. We'll see soon enough.

    I'm expecting most tasks to be fairly straightforward but there are a couple of things working against us.

    1) Each task has around 5 or 6 subtasks where 1 of the subtasks is always a mind bender.  And,

    2) the passing score is 80 which means you must get points for 20 tasks.

    So, I'm hoping passing this lab will be much easier than passing the R&S lab which took me more than 3 attempts but we'll see.

    Hopefully, I'm much better at preparing this time around.

    Tim
