I want to deny all commands except "show run" for a group and for all network devices.
So I created a group on acs4.1 and attached with a "Shell Command Authorization Set" ("permit show runnig-config" - "deny unmatched commands")
than I used commands which you can see below:
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
NOW: rules are runnig for my new group but other groups which have full access for all devices are failing (% Authorization failed)
what can be the problem?