
acs4.1 & aaa authorization & permit show

o_z_l_e_m
Level 1

Hello,

I want to deny all commands except "show run" for a group and for all network devices.

So I created a group on ACS 4.1 and attached a "Shell Command Authorization Set" to it ("permit show runnig-config" - "deny unmatched commands").

Then I used the commands which you can see below:

aaa authorization exec default group tacacs+ local

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

NOW: the rules are working for my new group, but other groups which have full access to all devices are failing (% Authorization failed).

What can be the problem?

Thanks

Ozlem


rochopra
Cisco Employee

Create another shell command authorization set for the full access group and configure it for "unmatched commands - permit",

and do not enter any command for it.

That will work for you.

~Rohit
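
The thread's two command sets, as an added example that is not part of the original posts and is not ACS code: a simplified Python model of per-command authorization showing why the full access group fails once "aaa authorization commands" is enabled, and how the empty "unmatched commands - permit" set fixes it. Assumptions: the group names are hypothetical, arguments are matched exactly, and a group with no set assigned is denied (consistent with the "% Authorization failed" reported in the question).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CommandSet:
    """Simplified stand-in for a Shell Command Authorization Set."""
    permit_unmatched: bool                    # the "unmatched commands" setting
    permitted: Dict[str, List[str]] = field(default_factory=dict)

    def authorize(self, line: str) -> bool:
        words = line.split()
        if not words:
            return False
        cmd, args = words[0], " ".join(words[1:])
        if cmd in self.permitted:
            # Command is listed: only the listed arguments pass
            # (exact match is an assumption of this model).
            return args in self.permitted[cmd]
        # Command is not listed: the unmatched-commands setting decides.
        return self.permit_unmatched


# Set from the question: permit "show running-config", deny unmatched.
SHOW_RUN_ONLY = CommandSet(False, {"show": ["running-config"]})
# Set from the reply: no commands entered, unmatched commands permitted.
FULL_ACCESS = CommandSet(True)


def group_authorize(sets: Dict[str, Optional[CommandSet]],
                    group: str, line: str) -> bool:
    cset = sets.get(group)
    if cset is None:
        # Assumption: no set assigned means every command is refused.
        return False
    return cset.authorize(line)


# Constructed sample: hypothetical group names, before and after the fix.
BEFORE = {"readonly": SHOW_RUN_ONLY, "netadmins": None}
AFTER = {"readonly": SHOW_RUN_ONLY, "netadmins": FULL_ACCESS}
COMMANDS = ["show running-config", "show version", "configure terminal"]


def audit(sets: Dict[str, Optional[CommandSet]]) -> Dict[str, Dict[str, bool]]:
    """Return {group: {command: allowed}} for the sample commands."""
    return {g: {c: group_authorize(sets, g, c) for c in COMMANDS} for g in sets}


if __name__ == "__main__":
    for label, sets in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(sets))
```

Running the same audit against a real deployment's group-to-set mapping before enabling command authorization shows which groups would be locked out.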