How to deny enable command.

aspangenberg
Level 1

On our current config we have this...

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ if-authenticated

In tacacs we have each user in a group. Each group calls upon a command authorization set. In the command set we have denied enable, but we are still able to run enable. The other commands that we test work fine. Any suggestions? Are we able to deny enable at all?

Thank You,

Andrew

1 Accepted Solution

somishra
Cisco Employee

Hi Andrew,

Add the following commands on the device:

aaa authorization commands 0 default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

Rgds

somishra
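
An added example, not part of the original thread or Cisco's own tooling: a small Python audit that shows why the posted configuration never sent `enable` to the TACACS+ server and why the two extra lines close the gap. The function names and the command-to-level table are assumptions for illustration; the table is a small subset of IOS default privilege levels.

```python
import re

# Assumption: a small subset of IOS default privilege levels. Level 0 holds
# disable, enable, exit, help and logout; configure sits at level 15.
DEFAULT_LEVEL = {"disable": 0, "enable": 0, "exit": 0, "help": 0,
                 "logout": 0, "configure": 15}

# Matches e.g. "aaa authorization commands 15 default group tacacs+ ..."
# but not "aaa authorization config-commands" or "aaa authorization exec".
AUTHZ_RE = re.compile(
    r"^\s*aaa\s+authorization\s+commands\s+(\d+)\s+default\s+(.+)$", re.I)

def authorized_levels(config):
    """Map each privilege level to the method list of its default authorization line."""
    levels = {}
    for line in config.splitlines():
        m = AUTHZ_RE.match(line)
        if m:
            levels[int(m.group(1))] = m.group(2).split()
    return levels

def unauthorized_commands(config, commands):
    """Return (command, level) pairs the AAA server is never asked about."""
    levels = authorized_levels(config)
    gaps = []
    for cmd in commands:
        level = DEFAULT_LEVEL.get(cmd.split()[0].lower())
        if level is not None and level not in levels:
            gaps.append((cmd, level))
    return gaps

# Constructed sample: the configuration from the question ...
BEFORE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ if-authenticated
"""
# ... and the same configuration with the two lines from the accepted answer.
AFTER = BEFORE + """\
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, unauthorized_commands(cfg, ["enable", "configure terminal"]))
```

Because `enable` is a level 0 command, a deny entry in the command set only takes effect once level 0 itself is configured for command authorization.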

2 Replies

Thank You Very Much! I've been pulling my hair out over that for too long. lol

Have a good one.

-Andrew
