CS-ACS - Shell Command Authorization Set

lovejoy2652
Level 1

Gentlemen,

I am helping out a colleague with our ACS (it was set up before both of us came here) and we have noticed that some groups are assigned a shell command authorization set and other groups aren't. My question is as follows: if a group isn't assigned to an authorization set, does that mean that the group can do any and all commands without restriction? I am assuming so, but have not been able to find any documentation that says so explicitly. Any help is appreciated. Thanks.

4 Replies

royalblues
Level 10

Yes, you are correct.

If a group is not assigned any shell auth set, and if the group shell privilege is configured as 15, then there is no restriction on their access.

HTH

Narayan

Thanks. This helps a lot to clear up some confusion on the different groups.

lgijssel
Level 9

Hopefully the link below provides the info you seek:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml

regards,

Leo

Jagdeep Gambhir
Level 10

Hi,

If you have a command authorization set on group 1 and not on group 2, then a group 2 user will NOT be able to issue any command. It will fail.

So if that group is the admin group, then you need to set one more command authorization set with the radio set to permit. Once it is done, you need to bind it with the admin group.

Hope that helps

~JG

Please rate helpful posts