acs4.1 & aaa authorization & permit show

Unanswered Question
May 23rd, 2008

Hello,


I want to deny all commands except "show run" for a group and for all network devices.


So I created a group on acs4.1 and attached a "Shell Command Authorization Set" to it ("permit show runnig-config" - "deny unmatched commands").


Then I used the commands which you can see below:


aaa authorization exec default group tacacs+ local

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated


NOW: the rules are working for my new group, but other groups which have full access for all devices are failing (% Authorization failed).


What can be the problem?


Thanks

Ozlem

rochopra Fri, 05/23/2008 - 05:01
User Badges: Cisco Employee

Create another shell command authorization set for the full access group, configure it for "unmatched commands - permit", and do not enter any commands for it.


That will work for you.


~Rohit
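
A simplified model of the server-side decision discussed in this thread, added here as an illustration and not taken from either post or from ACS itself. It assumes a group with no command set assigned is refused every command (the symptom reported in the question) and uses constructed group names `restricted` and `admins`.

```python
# Simplified model (an assumption, not ACS's actual code) of how a TACACS+
# server answers the per-command requests a device sends once
# "aaa authorization commands <level> default group tacacs+ ..." is configured.
from dataclasses import dataclass, field

PERMIT, DENY = "permit", "deny"


@dataclass
class CommandSet:
    """One Shell Command Authorization Set."""
    unmatched: str                                 # action for unlisted commands
    commands: dict = field(default_factory=dict)   # command -> permitted arguments


def authorize(group_sets, group, cmd, args):
    """Return PERMIT or DENY for one command request from the device."""
    cset = group_sets.get(group)
    if cset is None:
        # Assumption matching the reported symptom: no set assigned to the
        # group means every command request is rejected.
        return DENY
    if cmd in cset.commands:
        return PERMIT if args in cset.commands[cmd] else DENY
    return cset.unmatched


# Constructed sample data mirroring the two sets described in the thread.
show_run_only = CommandSet(unmatched=DENY, commands={"show": {"running-config"}})
full_access = CommandSet(unmatched=PERMIT)         # no commands entered

before = {"restricted": show_run_only}             # admins group has no set yet
after = {"restricted": show_run_only, "admins": full_access}


def demo():
    """Evaluate the same requests against both configurations."""
    requests = [("show", "running-config"), ("show", "version"),
                ("configure", "terminal")]
    return [(label, group, f"{cmd} {args}", authorize(sets, group, cmd, args))
            for label, sets in (("before", before), ("after", after))
            for group in ("restricted", "admins")
            for cmd, args in requests]


if __name__ == "__main__":
    for row in demo():
        print(*row, sep="\t")
```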
