Command Authorization

Answered Question
Jun 2nd, 2008

I have an ACS Solution Engine and have applied a command authorization set to a user. The command authorization set is given below.


show command
    permit version
    permit aaa
    permit config
    permit interface
    permit xlate
    permit nat
    permit global
    permit access-list
    permit route
    permit ip route
    permit vlan brief
    permit ping

Clear command
    permit version
    permit aaa
    permit config
    permit interface
    permit xlate
    permit nat
    permit global
    permit access-list
    permit route
    permit ip route
    permit vlan brief

enable command
    permit ping



Now the problem is that the user is able to log in successfully and go to enable mode, but from neither mode is he able to ping the network.


Though I have allowed the ping command, the user gets an error:


ping 172.28.95.2

Command authorization failed


I want to allow the user to ping anywhere in the network.


Please tell me how to do that.

Jagdeep Gambhir Mon, 06/02/2008 - 05:58

To allow ping, this is how the command set should be configured.


See attachment


Regards,

~JG



wasiimcisco Mon, 06/02/2008 - 08:41

It was not working as mentioned in the attachment. I changed it to a different way, as shown in the snapshot, and it is working now.


Please tell me one more thing: if I want to even allow the user configure terminal, how do I do that? I tried as mentioned in the snapshot, but it is not working. I want the user to go into configure terminal, but I will only allow the commands that I mentioned in the show command set.


Please tell me how to do that.



Correct Answer
Jagdeep Gambhir Mon, 06/02/2008 - 09:00

It should be


configure----> on the left box


permit terminal ---> on the right box.




Farrukh Haroon Mon, 06/02/2008 - 11:15

Waseem, have a look at the following link:


http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml


The best option is to turn on the following debugs on the router and then enable the appropriate commands in ACS (as sometimes the router is sending strange characters like etc):


debug aaa authorization

debug tacacs


Regards


Farrukh
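
The sketch below is an added example, not part of any post in this thread and not ACS code. It models how a command authorization set is evaluated: the command name (left box) is looked up first and only then are its argument lines (right box) checked, which is why `permit ping` listed under `enable` never authorizes `ping 172.28.95.2`. The token-prefix matching, the `Entry` class, the `permit_unmatched_args` flag and the `ping` entry in `CORRECTED` are assumptions of this model; the thread's attachment and snapshot are not reproduced on the page.

```python
from dataclasses import dataclass, field


@dataclass
class Entry:
    """One command in the set: the 'left box' name maps to its 'right box' lines."""
    arg_rules: list = field(default_factory=list)  # e.g. ["permit version"]
    permit_unmatched_args: bool = False            # assumed per-command default


def authorize(command_set: dict, line: str, permit_unmatched_cmds: bool = False) -> bool:
    """Return True if the typed line passes the (modelled) command set."""
    tokens = line.split()
    if not tokens:
        return False
    cmd, args = tokens[0], tokens[1:]
    entry = command_set.get(cmd)
    if entry is None:                  # command name is not in the left box
        return permit_unmatched_cmds
    for rule in entry.arg_rules:       # first matching argument rule wins
        action, *want = rule.split()
        if args[:len(want)] == want:
            return action == "permit"
    return entry.permit_unmatched_args


# Constructed from the question: ping was entered as an argument of "enable",
# so it only ever matches the line "enable ping".
AS_POSTED = {
    "show": Entry(["permit version", "permit aaa", "permit access-list",
                   "permit ip route", "permit vlan brief"]),
    "enable": Entry(["permit ping"]),
}

# Assumed correction: ping and configure are commands in their own right.
CORRECTED = {
    **AS_POSTED,
    "ping": Entry(permit_unmatched_args=True),   # any destination address
    "configure": Entry(["permit terminal"]),     # from the accepted answer
}

if __name__ == "__main__":
    for name, cset in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        for typed in ("ping 172.28.95.2", "configure terminal", "show version"):
            verdict = "permit" if authorize(cset, typed) else "deny"
            print(f"{name:10} {typed:22} -> {verdict}")
```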
