ACS SE - Shell Command Authorization

Unanswered Question
Jan 3rd, 2008

Hi Sir,

I have deployed an ACS Solution Engine 4.1(1) Build 23 to provide AAA services for routers/switches login.

I'd like to create a user group that is restricted to only "show" commands when the users log in to the network devices.

I have done the following steps:

(1) Shared Profile Components -> Shell Command Authorization Sets

Added a new set. Call it NOC. I added the command "show". For "Unmatched Commands", I selected Deny. I also checked "Permit Unmatched Args".

(2) Group Setup.

Created a new group. Call it NOC. For Enable Options, I selected "Max Privilege for any AAA Client" value of "Level 7".

For TACACS+ Settings, I checked "Shell (exec)" and set "Privilege level" to 7.

For Shell Command Authorization Set, I selected NOC for "Assign a Shell Command Authorization Set for any network device".

(3) User Setup.

Created a new user. Call it noc. Assign it to group NOC. All parameters point to group setting.

(4) The AAA commands on the routers/switches are as follows:

aaa new-model

aaa authentication login default group tacacs+ local enable

aaa authorization exec default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+


ip tacacs source-interface Loopback0

tacacs-server host key 0 tacacskey

When the noc logs in, he's given privilege level 7. True, he's limited to only "show" commands. He can't do "config t". However, he also can't do "show run". Is it normal? I'd need him to be able to do "show run". How to configure the ACS?

Thank you.


Lim TS

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
rognseth Fri, 01/04/2008 - 00:32

I have just been working with the same thing, and done som reading on

In the book "Cisco Access Control Security: AAA Administrative Services"

By Brandon Carroll there is a chapter about "Configuring Shared Profile Components" under "Enterprise AAA and Cisco Secure Access Control Server". In one of the illustrations he explain how to permitt sub-arguments.

He also says that "The capability of command authorization is available in most Cisco routers and PIX Firewalls at the local level", and I have not managed to make it work on switches. So if you made it I have to keep on working with it.


limtohsoon Fri, 01/04/2008 - 07:33

Hi G.Rognseth,

Thanks for your reply.

I have tried configuring similar shell command authorization set that explicitly permits only "show running-config". Logged in to a Cat3560 using a user account attached to this authorization set, I couldn't issue the command "sh run". Had not tried on a router.

By the way, for Group Setup what values do you configure for the following parameters:

(1) Under Enable Options - "Max Privilege for any AAA Client"

>> I selected Level 7.

(2) Under TACACS+ Settings - "Privilege level"

>> I checked "Shell (exec)" and set level 7.

What's the difference between the Privilege level for Enable Options and the one for TACACS+ Settings?

Is it default behavior that we can't bring down the command "show run" to lower privilege level?

If I configured the following on the IOS devices instead:


username test privilege 7 password 0 test


privilege exec level 7 show running-config


line vty 0 4

login local


When user "test" telnets in and issues "sh run", he sees a blank config. Why is it so?

Thank you.


Lim TS

royalblues Fri, 01/04/2008 - 08:28

I have had experience that the privilege level needs to be set at 15 for shell authorization to work

Once you set them to 15, you can restrict the commands you want a specific group should execute

Have a look at the attached doc



limtohsoon Fri, 01/04/2008 - 10:25

Hi Narayan,

Appreciate your detailed configuration steps.

My intention is to create a shell command authorization set that allows a user group to only perform "show" commands, including complete config of "sh run". This group is not allowed to configure anything.

See my original post for my configuration steps. I tied the group to the above authorization set and assigned it Level 7.

The outcome is, the user can do all "show" commands except "sh run". Of course, he is not authorized for configuration commands.

I came across the following link:

Perhaps it explains the problem here. If I understand it correctly, a user can't see in the output of "sh run" what he can't configure at his privilege level or below.

The same issue happens when I configured the following:


no aaa new-model


username noc privilege 7 password test


privilege exec level 7 show


line vty 0 4

login local


The user "noc" can't do "sh run".

Thank you.


Lim TS


This Discussion