01-10-2008 04:43 AM - edited 03-10-2019 03:35 PM
Hi All
user1 >>>GroupA & user2 >>>GroupB
Router1 >>>NDG-A & Router2 >>>NDG-B
Now,
GroupA user must have "sh run" permission on NDG-A but not on NDG-B.
GroupB user must have "sh run" permission on NDG-B but not on NDG-A.
I created two shell command authorisation sets and mapped them to GroupA & GroupB. Then inside the Group, I mapped the Shell command set to NDG. Here I have two associations.
(**I have tested with a single association and it's working, but not with two)
But somehow it's not working.
Please help.
Regards
Bharat
01-10-2008 06:20 AM
Bharat,
You need to set up Assign a Shell Command Authorization Set on a per Network Device Group Basis
In GroupA---> Assign a Shell Command Authorization Set on a per Network Device Group Basis---->
Add NDG A<====> Allow show run set**
Add NDG B<====> Deny all***
In Group B----->Assign a Shell Command Authorization Set on a per Network Device Group Basis---->
Add NDG B<====> Allow show run **
ADD NDG A<====> Deny all***
** Command authorization set allowing only show run
*** Command authorization set that denies everything.
Please check this link,
Hope that helps !
Regards,
~JG
Do rate helpful posts
01-10-2008 06:47 AM
Hi, thanks for your reply. But this thing I have already done on ACS.
After introducing the following commands on the router, it worked.
aaa authorization commands 1 default tacacs+ local
aaa authorization commands 2 default tacacs+ local
aaa authorization commands 3 default tacacs+ local
aaa authorization commands 4 default tacacs+ local
aaa authorization commands 5 default tacacs+ local
aaa authorization commands 6 default tacacs+ local
aaa authorization commands 7 default tacacs+ local
aaa authorization commands 8 default tacacs+ local
aaa authorization commands 9 default tacacs+ local
aaa authorization commands 10 default tacacs+ local
aaa authorization commands 11 default tacacs+ local
aaa authorization commands 12 default tacacs+ local
aaa authorization commands 13 default tacacs+ local
aaa authorization commands 14 default tacacs+ local
aaa authorization commands 15 default tacacs+ local
Thanks for your help
Regards
Bharat
01-11-2008 06:23 AM
We need to have these commands on the router. You never mentioned it in your original post.
Anyways, there is no need to put 15 lines on the router. Just three will take care of it,
i.e.
aaa authorization commands 0 default tacacs+ local
aaa authorization commands 1 default tacacs+ local
aaa authorization commands 15 default tacacs+ local
No need to count from 1 to 15.
Regards,
~JG
Do rate helpful posts
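An added example, not from the thread participants or from Cisco: a small Python check that reads router configuration text and reports which privilege levels have an `aaa authorization commands <level> default` line with a TACACS+ method. It assumes commands sit at levels 0, 1 and 15 unless a `privilege ... level N` line moves one, and it looks only at the `default` list; the function name and the sample configurations are constructed.

```python
import re

# Assumption: commands live at levels 0, 1 and 15 unless a
# "privilege <mode> level N <command>" line moves one elsewhere.
BUILTIN_LEVELS = {0, 1, 15}
AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")
PRIV_RE = re.compile(r"^privilege \S+ (?:all )?level (\d+) ")

def audit_command_authorization(config_text):
    """Return (covered, missing, redundant) sets of privilege levels."""
    covered, in_use = set(), set(BUILTIN_LEVELS)
    for raw in config_text.splitlines():
        line = raw.strip()
        authz = AUTHZ_RE.match(line)
        if authz:
            level, list_name, methods = authz.groups()
            # Count only the default list, and only if TACACS+ is a method
            # ("tacacs+" or the newer "group tacacs+" form).
            if list_name == "default" and "tacacs+" in methods.split():
                covered.add(int(level))
            continue
        priv = PRIV_RE.match(line)
        if priv:
            in_use.add(int(priv.group(1)))
    return covered, in_use - covered, covered - in_use

# Constructed sample configurations, taken from the two posts above.
FIFTEEN_LINES = "\n".join(
    f"aaa authorization commands {n} default tacacs+ local" for n in range(1, 16))
THREE_LINES = "\n".join(
    f"aaa authorization commands {n} default tacacs+ local" for n in (0, 1, 15))
# Constructed: a command moved to level 7 with no matching authorization line.
MOVED_COMMAND = THREE_LINES + "\nprivilege exec level 7 show running-config"

if __name__ == "__main__":
    for name, cfg in [("levels 1-15", FIFTEEN_LINES), ("levels 0/1/15", THREE_LINES),
                      ("0/1/15 + privilege 7", MOVED_COMMAND)]:
        covered, missing, redundant = audit_command_authorization(cfg)
        print(f"{name}: missing={sorted(missing)} redundant={sorted(redundant)}")
```

The third sample shows the case where extra levels do matter: once a command is moved to level 7, that level needs its own authorization line before the ACS command set is consulted for it.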