shell command authorization set

james-benson
Level 1

Unmatched commands set to deny

command "configure" argument "permit terminal"

User has full access to all. I just want the user to adjust vty lines. I also have the following commands:

show with argument "permit run and start"

That's all I have set up in command. They should not be able to do anything in the config mode "yet".

Jagdeep Gambhir
Level 10

James,

Please check out this link and attached file,

http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Regards,

~JG

Do rate helpful posts

I actually set up the commands using that document. It is supposed to deny anything else once you are in the config mode, because I have no other commands or arguments defined. But I have full control.

Do you have this command in config?

aaa authorization config-command

I do not have that in my config. I do not know where I would put it. Here is my config:

aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication login no_tacacs enable
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+

You need to issue that command in config t mode:

aaa authorization config-command

That will take care of your issue.

Regards,

~JG

Do rate helpful posts

Hi James,

Is there a privilege level defined on your vty? Especially if there's a privilege level of 15, remove it first, then try it again.

Regards,

Jong

There is no privilege defined on vty.

OK, all you have to do is follow JG's instruction above in his previous mail to enter the "aaa authorization config-command" in config t mode.

Thanks,

Jong
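
A small offline audit for the two conditions the replies above check for, as an added example that is not part of the original thread: command authorization configured without the config-mode authorization line, and a vty line set to privilege level 15. The function name, finding codes and the vty stanza in the sample are assumptions; the AAA lines come from the config posted in the thread.

```python
import re

# Constructed sample: AAA lines from the config posted in the thread,
# followed by a hypothetical vty stanza.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
line vty 0 4
 transport input ssh
"""

def audit_command_authorization(config_text):
    """Return (code, detail) findings for the two checks raised in the thread."""
    findings, levels, config_cmds, stanza = [], set(), False, None
    for raw in config_text.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if not raw[0].isspace():
            # A top-level command closes any open "line ..." stanza.
            stanza = text if text.startswith("line ") else None
        m = re.match(r"aaa authorization commands (\d+) ", text)
        if m:
            levels.add(int(m.group(1)))
        # Accept the abbreviated spelling used in the thread; a "no ..." form
        # does not match because the pattern is anchored at the start.
        if re.match(r"aaa authorization config-commands?$", text):
            config_cmds = True
        m = re.match(r"privilege level (\d+)$", text)
        if m and stanza and stanza.startswith("line vty") and m.group(1) == "15":
            findings.append(("VTY_PRIV_15", stanza))
    if levels and not config_cmds:
        detail = "commands authorized at levels %s, config mode not listed" % sorted(levels)
        findings.append(("NO_CONFIG_COMMAND_AUTHZ", detail))
    return findings

if __name__ == "__main__":
    for code, detail in audit_command_authorization(SAMPLE_CONFIG):
        print(code, "-", detail)
```

Run against a saved copy of the running configuration; an empty result means neither condition was found.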
