Command Authorization on ACS

Unanswered Question
Jul 9th, 2007

Hi Guys,

It's like I want to have only a single user ID (could be an AD account or an ACS local account) and want this user account to have level 1 access on some switches and routers, have rights to run specific commands on core devices and the firewall, and have level 15 on access devices.

So I want to use only one user account and have different levels of access and specific command authorization through ACS.

Please help me on this.


Jagdeep Gambhir Mon, 07/09/2007 - 08:11

Hi,

The trick here is to give priv 15 access to the user in question and then deploy command authorization, so that the user can only execute some specific commands.

PIX commands:

username Test password cisco
username Test privilege 15
aaa-server TACACS protocol tacacs+
aaa-server TACACS (outside) host cisco timeout 10
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication enable console TACACS LOCAL

Please rate if that helps!

Premdeep Banga Mon, 07/09/2007 - 08:14

Hi Nitin,

If we are looking for something like command authorization,

and a single user should be able to log onto different devices but should have different privileges for the command set, using a single user account,

then, though this won't be feasible using NAP, as it is only for the RADIUS protocol:

First, configure command authorization on the NAS devices.

Then on ACS configure different Shell Command Authorization Sets for different devices, then on the user group configure the section

"Assign a Shell Command Authorization Set on a per Network Device Group Basis", where you can use "Device Group" and "Command Set" combinations.

And your single SSID and user authentication is only user authentication; after that, what devices they access and what level they have, you can control using TACACS and the above configuration.
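As an added illustration (not code from this thread, from ACS, or from Cisco), the following Python models the per-Network-Device-Group assignment described in the answer above: one user group, several Shell Command Authorization Sets, and the set chosen by which device group the requesting NAS belongs to. The device names, NDG names, command sets and matching rules are all constructed assumptions that approximate ACS 4.x behaviour (argument lines matched as regular expressions, with separate "unmatched command" and "unmatched argument" defaults); verify them against your ACS version before relying on them.

```python
"""Toy model of per-Network-Device-Group shell command authorization.

Constructed illustration, not ACS or Cisco code: the device names, device
groups and command sets below are made up. It mirrors the ACS 4.x idea the
answer describes: one user, one group, and a different Shell Command
Authorization Set applied depending on which Network Device Group (NDG) the
NAS that sent the TACACS+ authorization request belongs to.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CommandRule:
    """Argument rules for one command keyword, checked top to bottom."""
    args: List[Tuple[str, str]] = field(default_factory=list)  # (action, regex)
    permit_unmatched_args: bool = False


@dataclass
class CommandSet:
    """A Shell Command Authorization Set: explicit commands plus a default."""
    name: str
    commands: Dict[str, CommandRule] = field(default_factory=dict)
    permit_unmatched_commands: bool = False  # ACS default is deny: fail closed

    def evaluate(self, command_line: str) -> Tuple[bool, str]:
        parts = command_line.strip().split(None, 1)
        if not parts:
            return False, f"{self.name}: empty command, deny"
        keyword = parts[0].lower()
        argstr = parts[1] if len(parts) > 1 else ""
        rule = self.commands.get(keyword)
        if rule is None:
            verdict = self.permit_unmatched_commands
            return verdict, f"{self.name}: '{keyword}' not listed, default {'permit' if verdict else 'deny'}"
        for action, pattern in rule.args:
            if re.search(pattern, argstr):
                return action == "permit", f"{self.name}: '{keyword}' args matched /{pattern}/ -> {action}"
        verdict = rule.permit_unmatched_args
        return verdict, f"{self.name}: '{keyword}' args unmatched, default {'permit' if verdict else 'deny'}"


# Constructed NDG membership (in ACS this lives under Network Configuration).
DEVICE_TO_NDG = {
    "dist-rtr2": "Distribution",
    "core-sw1": "Core",
    "fw1": "Firewall",
    "acc-sw3": "Access",
}

# Constructed command sets, one per access tier the question asks for.
READ_ONLY = CommandSet("ReadOnly", {
    "show": CommandRule(permit_unmatched_args=True),
    "exit": CommandRule(permit_unmatched_args=True),
    "ping": CommandRule(permit_unmatched_args=True),
})  # level-1-like: show/ping only, everything else denied

CORE_OPS = CommandSet("CoreOps", {
    "show": CommandRule(permit_unmatched_args=True),
    "clear": CommandRule(args=[("permit", r"^counters\b")]),  # clear counters only
    "write": CommandRule(args=[("permit", r"^memory$")]),
    "reload": CommandRule(),  # listed with no permitted arguments -> always denied
})

FULL_ACCESS = CommandSet("PermitAll", permit_unmatched_commands=True)  # level-15-like

# "Assign a Shell Command Authorization Set on a per Network Device Group Basis"
OPS_GROUP_POLICY = {
    "Distribution": READ_ONLY,
    "Core": CORE_OPS,
    "Firewall": CORE_OPS,
    "Access": FULL_ACCESS,
}


def authorize(policy: Dict[str, CommandSet], device: str, command_line: str) -> Tuple[bool, str]:
    """Decide a TACACS+ shell command authorization request sent by `device`."""
    ndg = DEVICE_TO_NDG.get(device)
    if ndg is None or ndg not in policy:
        # Unknown device or an NDG with no set assigned: fail closed and say why.
        return False, f"{device}: no command set assigned for NDG {ndg!r}, deny"
    permitted, reason = policy[ndg].evaluate(command_line)
    return permitted, f"{device} [{ndg}] {command_line!r}: {reason}"


if __name__ == "__main__":
    for dev, cmd in [
        ("dist-rtr2", "show running-config"),
        ("dist-rtr2", "configure terminal"),
        ("core-sw1", "clear counters GigabitEthernet1/1"),
        ("core-sw1", "clear line 5"),
        ("fw1", "reload"),
        ("acc-sw3", "configure terminal"),
        ("lab-box", "show version"),
    ]:
        ok, why = authorize(OPS_GROUP_POLICY, dev, cmd)
        print("PERMIT" if ok else "DENY  ", why)
```

The same user gets three different outcomes for the same command depending only on the NDG of the device that asked, which is the single-account design the question wants. The reason string is returned with the verdict so it can go into the accounting trail, and a device whose NDG has no set assigned is denied rather than silently permitted, which matters once command authorization on the NAS has no local fallback.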



