How to deny enable command.

Answered Question
Oct 26th, 2007

On our current config we have this...


aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ if-authenticated


In tacacs we have each user in a group. Each group calls upon a command authorization set. In the command set we have denied enable, but we are still able to run enable. The other commands that we test work fine. Any suggestions? Are we able to deny enable at all?


Thank You,

Andrew

Overall Rating: 5 (1 ratings)
Correct Answer
somishra Fri, 10/26/2007 - 10:25
User Badges: Cisco Employee

Hi Andrew,


Add the following commands on the device:


aaa authorization commands 0 default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated


Rgds

somishra
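
An added example, not part of the original thread and not Cisco tooling: a small Python check that reads a saved IOS configuration and reports which privilege levels have no "aaa authorization commands" line sending them to TACACS+. The question's config covers only level 15 and the answer adds levels 0 and 1; the function names, the required-level set and the sample strings are assumptions of this sketch.

```python
import re

# Levels the thread ends up covering: 15 (question) plus 0 and 1 (answer).
REQUIRED_LEVELS = (0, 1, 15)

# Matches "aaa authorization commands <level> <list-name> <methods...>".
# "aaa authorization config-commands" does not match (no level follows).
AUTHZ_RE = re.compile(
    r"^\s*aaa\s+authorization\s+commands\s+(\d+)\s+(\S+)\s+(.+?)\s*$",
    re.IGNORECASE,
)

def command_authz(config_text):
    """Map privilege level -> method keywords for the 'default' list."""
    levels = {}
    for line in config_text.splitlines():
        m = AUTHZ_RE.match(line)
        if m and m.group(2).lower() == "default":
            levels[int(m.group(1))] = m.group(3).lower().split()
    return levels

def audit(config_text, required=REQUIRED_LEVELS):
    """Return (level, reason) for each required level not sent to tacacs+."""
    levels = command_authz(config_text)
    findings = []
    for lvl in required:
        methods = levels.get(lvl)
        if methods is None:
            findings.append((lvl, "no 'aaa authorization commands' line"))
        elif "tacacs+" not in methods:
            # Assumption: the built-in "group tacacs+" is used, as in the thread.
            findings.append((lvl, "tacacs+ not in method list"))
    return findings

# Constructed samples: the question's config, then with the answer's two lines.
BEFORE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ if-authenticated
"""
AFTER = BEFORE + """\
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(cfg) or "levels 0, 1 and 15 all sent to tacacs+")
```

Run against the question's config it flags levels 0 and 1; with the answer's two lines added it reports nothing.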

aspangenberg Fri, 10/26/2007 - 10:41

Thank You Very Much! I've been pulling my hair out over that for too long. lol


Have a good one.

-Andrew
