1774 Views, 5 Helpful, 15 Replies

How to enable "Shell Command Authorization Sets"

bigbrother74 (Level 1)

Hi there

I use AAA over TACACS to verify users from MS Active Directory.

I configured a new "Shell Command Authorization Set" see the attachment for details.

But this does not work. So I just want to test whether the use of a command is working or not.

You can see in the attached file I tried something with "show" command.

But if I log in I'm still able to use "show aaa servers", for example, even though in the "show" command box I put the argument "deny aaa".

Why does this not work?

Thanks for your help

bb


15 Replies

Jagdeep Gambhir (Level 10)

Hi BB,

This is what you need on the IOS device:

Router(config)# username [username] password [password]

tacacs-server host [ip]

tacacs-server key [key]

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands

On ACS, bring users/groups in at level 15:

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field

The rest all seems to be OK.

~JG

Please rate if that helps
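As an added example (not the poster's or JG's configuration), here is the device-side configuration JG lists above written out as one complete IOS configuration, together with the pieces a practitioner normally adds next to it: a local break-glass account, the console authorization switch, and command accounting so that permitted and denied commands are logged on ACS. The lines JG gives are kept as they are; the hostname, server address, shared key, account name, timeout, accounting and console lines are assumptions for illustration.

```cisco
! Added example: complete IOS AAA configuration for ACS command authorization.
! Not the original poster's configuration. Hostname, address, key and
! account name are placeholders (assumptions, not values from the thread).
hostname edge-sw1
!
! Local account used only when no TACACS+ server answers. Priv 15 here
! only matters for methods that consult the local database.
username admin privilege 15 secret <strong-password>
enable secret <enable-password>
!
aaa new-model
!
! TACACS+ server definition, legacy syntax as used in the thread.
tacacs-server host 192.0.2.10
tacacs-server key <shared-key>
tacacs-server timeout 5
!
! Login: ask ACS first; the local database is consulted only when no
! server responds. A reject from ACS is final and does not fall through.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Exec authorization: ACS hands back the privilege level. Per JG's
! advice everyone arrives at 15; the restriction lives in the command
! authorization set on ACS, not in the level.
aaa authorization exec default group tacacs+ if-authenticated
!
! Command authorization for both levels a user can end up in ...
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
! ... and for configuration-mode commands, which are otherwise skipped.
aaa authorization config-commands
!
! IOS does not apply authorization to the console unless told to.
aaa authorization console
!
! Accounting: every exec session and every level-15 command (permitted
! or denied) is reported to ACS, which is where you check a command set
! that "does not work".
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line vty 0 4
 transport input ssh
```

Everything in the "default" method lists applies to the vty lines and (for authentication) the console without further line configuration; `aaa authorization console` is the one switch that is off by default and silently leaves console sessions unauthorized.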

@ jgambhir

Thanx for answer :-)

Your response is working.

But I want to configure it differently than you. You did "aaa authorization commands 15"; I will do it with "aaa authorization commands 5".

For example:

aaa authorization commands 5 default group tacacs+ if-authenticated

aaa authorization config-commands

In the ACS I want to configure that the users from the group (TACACS+ Settings -> Privilege level = 5) are able to execute the command "configure terminal" or "show running-config" and so on...

How do I configure this???

Thanks for your help

bb

Accepted Solution

BB,

Not sure why you want to do it this way. The trick here is to give all users priv 15 and then define command authorization sets as per your needs.

Giving priv 15 does not mean that the user will be able to execute all commands. You can set up an authorization set and allow only the specific commands you want the user to be able to execute.

Pls rate if that helps

Regards,

~JG

Hi

I have this same problem, trying to allocate a list of commands that I want junior techs to be able to execute. I have given them all level 7 privilege and listed the commands in the ACS Shell (Exec) settings, but it does not work.

I want to avoid having to enter:

privilege exec level 7 show run

privilege exec level 7 ping

privilege exec level 7 configure terminal

etc etc on 300 switches.

Any idea how to do this?

Ray,

First of all, you don't need these commands with ACS, so take off these commands:

privilege exec level 7 show run

privilege exec level 7 ping

privilege exec level 7 configure terminal

Configure acs and aaa client as described above in this thread.

Let me know how that goes.

Regards,

Pls rate helpful posts

@ jgambhir

You told me to set each ACS group with privilege level 15 and then add a command set.

This works for me now. But how can I hide some output for helpdesk users, such as the "aaa" configs and other stuff, when they run the command "sh run"???

Is there a possibility to configure such things???

Thanks for your help :-)

bb

Yes, use command sets to deny access to some commands, or grant access if you do not want to give access to the majority of the commands. When you execute show running-config the users will only see what they are able to configure, so if you don't want them to see aaa commands, simply deny those commands in the command set.

@ mattiaseriksson

You say this is very easy, but if I deny for example "aaa" then I am still able to see the aaa option under "show ?" and I can also run the "show aaa servers" command.

I probably don't know how to do the deny rule???

But the permit thing works...???

Quite confusing

bb

You can deny 'show aaa servers' and other commands like this:

Command: show

Argument: deny aaa *

Unlisted arguments: permit

Unmatched Cisco IOS commands: permit

BB,

Actually using command authorization you can permit or deny any command but there is no way to control the output displayed for a specific command.

e.g.: when you allow show run, the user will get the full output instead of limited output.

This feature is available if you do local authorization on the router/switch.

Hope that helps !

Regards,

~JG

Hi,

Sorry about the delay, I've been out for a few days...

This sort of works for me now. But it only allows any user to do anything if they are explicitly allocated a command authorization set in ACS. So my main admins, like myself, cannot use ANY commands unless we are given a command set to use.

Is there a way around this with certain aaa new-model commands? I currently use:

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands

The normal case is that you would have an admin group with an associated command set that has default command permit, and all other groups have limited command sets. So yes, you have to assign a command set if you use command authorization.

The other way to do it would be to define privilege levels, but then you would have to configure this on all of the devices.

OK, thanks Matthias. I think it all works OK now.

Will this also work for console access or any situations where it loses contact with the TACACS server?

thanks again.

Ray

Yes, the "default" method you use applies to the console line as well, if you have not overridden that in the config.

And if the TACACS server is unavailable it will use the local database for authentication and authorize everything by default (if-authenticated).
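The outage behaviour described in the two replies above, shown as an added example (not configuration from the thread): the thread's `if-authenticated` method lists beside a `local` alternative, plus the console switch. In IOS a method list is walked left to right and the next method is consulted only when the previous one returns an error (no server answered); a reject from ACS is a failure and ends the list, so neither fallback ever overrides an ACS deny. The account name and password are assumptions.

```cisco
! Added example, not from the thread: what happens to authorization
! when no TACACS+ server answers. Account name/password are placeholders.
!
! In both variants, login falls back to the local database, so while
! ACS is down only accounts defined on the device can log in at all.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Variant 1 (as configured in the thread): during the outage, any user
! who authenticated is authorized for every exec and configuration
! command they can reach, regardless of any ACS command set. This is
! the "authorize everything by default" behaviour from the reply above.
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
!
! Variant 2: fall back to the local database instead. Exec authorization
! then applies the privilege level of the local account, so only accounts
! deliberately created with privilege 15 get full access during the
! outage. Assumption for this example: one break-glass account only.
username breakglass privilege 15 secret <strong-password>
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
!
! Either way: authentication on the console follows the default list,
! but authorization is not applied to the console unless this is set.
aaa authorization console
```

Pick Variant 1 only if "everyone who can log in locally may do anything while ACS is down" is acceptable; with Variant 2 the blast radius of an outage is limited to whoever holds the break-glass credentials, and those should be stored and audited accordingly.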
