acs4.1 & aaa authorization & permit show

Unanswered Question
May 23rd, 2008
I want to deny all commands except "show run" for a group and for all network devices.

So I created a group on ACS 4.1 and attached it to a "Shell Command Authorization Set" ("permit show running-config" - "deny unmatched commands").

Then I used the commands you can see below:

aaa authorization exec default group tacacs+ local

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

NOW: the rules are running for my new group, but other groups which have full access to all devices are failing (% Authorization failed).

What can be the problem?



rochopra Fri, 05/23/2008 - 05:01
User Badges: Cisco Employee

Create another shell command authorization set for the full-access group and configure it for "unmatched commands - permit",

and do not enter any command for it.

That will work for you.
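To make the behaviour described in the question and the reply concrete, here is an added example (not code from the thread, from Cisco ACS, or from IOS) that models how a TACACS+ server evaluates a shell command authorization set once `aaa authorization commands 1/15` makes the device ask for every command. The data model and the matching rule (a permitted command matches when its tokens are a prefix of the submitted command) are assumptions for illustration; the key modelled assumption, consistent with the symptom in the question, is that a group with no authorization set attached gets a deny, which is why the full-access groups started failing and why an empty set with "unmatched commands - permit" fixes them.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CommandSet:
    """Hypothetical model of an ACS 'Shell Command Authorization Set'."""
    name: str
    permitted: list = field(default_factory=list)  # e.g. "show running-config"
    unmatched: str = "deny"                         # policy for unmatched commands


def _tokens(text: str) -> list:
    return text.strip().lower().split()


def _matches(rule: str, command: str) -> bool:
    # Assumption: a rule matches when its tokens form a prefix of the command,
    # so "show running-config" also permits "show running-config | include aaa".
    r, c = _tokens(rule), _tokens(command)
    return len(r) <= len(c) and c[: len(r)] == r


def authorize(group_set: Optional[CommandSet], command: str) -> bool:
    """Return True if the command is permitted for a group with this set."""
    if group_set is None:
        # Modelled assumption matching the question's symptom: a group with no
        # set attached is denied once the device requests command authorization.
        return False
    for rule in group_set.permitted:
        if _matches(rule, command):
            return True
    return group_set.unmatched == "permit"


def run_scenarios() -> dict:
    """Constructed scenarios: the restricted group, the full-access group
    before the fix (no set), and after the fix (empty set, unmatched=permit)."""
    restricted = CommandSet("show-run-only", ["show running-config"], "deny")
    full_before = None
    full_after = CommandSet("full-access", [], "permit")
    commands = ["show running-config", "show version", "configure terminal"]
    return {
        "restricted": {c: authorize(restricted, c) for c in commands},
        "full_before_fix": {c: authorize(full_before, c) for c in commands},
        "full_after_fix": {c: authorize(full_after, c) for c in commands},
    }


if __name__ == "__main__":
    for group, results in run_scenarios().items():
        for cmd, ok in results.items():
            print(f"{group:16} {cmd:24} {'permit' if ok else 'DENY'}")
```

Running it shows the restricted group permitted only for `show running-config`, the full-access group denied for everything before the fix, and permitted for everything once an empty set with "unmatched commands - permit" is attached. The same check is worth repeating whenever a new group is added after command authorization is enabled on the devices: every group that logs into those devices needs some set attached, or its sessions fail exactly as in the question.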


