Command Authorization

wasiimcisco
Level 1

I have an ACS Solution Engine. I have applied a command authorization set to a user; the command authorization set is mentioned below:

show command

permit version

permit aaa

permit config

permit interface

permit xlate

permit nat

permit global

permit access-list

permit route

permit ip route

permit vlan brief

permit ping

Clear command

permit version

permit aaa

permit config

permit interface

permit xlate

permit nat

permit global

permit access-list

permit route

permit ip route

permit vlan brief

enable command

permit ping

Now the problem is that the user is able to log in successfully and goes to enable mode, but from neither mode is he able to ping the network.

Though I have allowed the ping command, the user is getting an error:

ping 172.28.95.2

Command authorization failed

I want to allow the user to ping anywhere in the network.

Please tell me how to do that.


Jagdeep Gambhir
Level 10

To allow ping, this is how the command set should be configured.

See attachment

Regards,

~JG

It was not working as mentioned in the attachment. I changed it in a different way, as shown in the snapshot, and it is working now.

Please tell me one more thing: if I want to allow the user even to use configure terminal, how do I do that? I tried as mentioned in the snapshot, but it is not working. I want the user to go into configure terminal, but I will only allow the commands that I mentioned in the show command set.

Please tell me how to do that.

It should be

configure ---> in the left box

permit terminal ---> in the right box.

Waseem, have a look at the following link:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

The best option is to turn on the following debugs on the router and then enable the appropriate commands in ACS (as sometimes the router is sending strange characters like etc):

debug aaa authorization

debug tacacs

Regards

Farrukh
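
Added example, not part of any reply in this thread: a Python sketch of the debug-first workflow suggested above, reading the `cmd` and `cmd-arg` values a device sends and checking them against a command set. The log lines are constructed in the style of IOS `debug aaa authorization` output, and the matching rule (one entry per command, argument prefix match) is a simplified assumption, not ACS's exact algorithm.

```python
import re

# Constructed sample in the style of IOS "debug aaa authorization" output.
DEBUG_LOG = """\
tty1 AAA/AUTHOR/CMD (1001): send AV service=shell
tty1 AAA/AUTHOR/CMD (1001): send AV cmd=show
tty1 AAA/AUTHOR/CMD (1001): send AV cmd-arg=version
tty1 AAA/AUTHOR/CMD (1001): send AV cmd-arg=<cr>
tty1 AAA/AUTHOR/CMD (1002): send AV service=shell
tty1 AAA/AUTHOR/CMD (1002): send AV cmd=ping
tty1 AAA/AUTHOR/CMD (1002): send AV cmd-arg=172.28.95.2
tty1 AAA/AUTHOR/CMD (1002): send AV cmd-arg=<cr>
tty1 AAA/AUTHOR/CMD (1003): send AV cmd=configure
tty1 AAA/AUTHOR/CMD (1003): send AV cmd-arg=terminal
tty1 AAA/AUTHOR/CMD (1003): send AV cmd-arg=<cr>
"""
AV_PAIR = re.compile(r"\((\d+)\): send AV (cmd|cmd-arg)=(.*)$")

def parse_requests(log):
    """Group cmd / cmd-arg AV pairs by request id into (command, [args])."""
    requests = {}
    for line in log.splitlines():
        m = AV_PAIR.search(line)
        if not m:
            continue  # service=shell and unrelated debug lines
        rid, attr, value = m.groups()
        entry = requests.setdefault(rid, [None, []])
        if attr == "cmd":
            entry[0] = value
        elif value != "<cr>":  # end-of-line marker, not a real argument
            entry[1].append(value)
    return [(cmd, args) for cmd, args in requests.values() if cmd]

def authorize(command_set, cmd, args):
    """Assumed rule: the command needs its own entry (left box) and the typed
    arguments must begin with one of its permitted strings (right box)."""
    permitted = command_set.get(cmd)
    if permitted is None:
        return False  # e.g. "ping" listed only as an argument of "enable"
    typed = " ".join(args)
    return any(typed == p or typed.startswith(p + " ") for p in permitted)

def audit(log, command_set):
    return {" ".join([c] + a): authorize(command_set, c, a)
            for c, a in parse_requests(log)}

# Abbreviated from the set posted in the question, then with the accepted fix.
ASKER_SET = {"show": ["version", "aaa", "config", "ping"], "enable": ["ping"]}
WITH_CONFIGURE = dict(ASKER_SET, configure=["terminal"])
```

Calling `audit(DEBUG_LOG, ASKER_SET)` reports `ping 172.28.95.2` and `configure terminal` as denied; with `WITH_CONFIGURE` only the ping request is still denied, because `ping` has no entry of its own.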
