How to hide line console parameters through Cisco ACS

Jul 8th, 2008

Can any one of you please help me in the following scenario?

I want to hide the line console, line aux and line vty configuration parameters of the Cisco devices based on user-level privileges through Cisco ACS. For example, if a user logs into the devices with privilege level 7, then he should not be able to see the line parameters on the Cisco devices for which he had privilege level 7 access.

Can you please help me out with how to achieve this? Your help in this regard is highly appreciated.


Jagdeep Gambhir Wed, 07/09/2008 - 05:03

This is possible with local authorization on an IOS device. With ACS this is not possible.

In ACS you can set which commands a specific user can issue. That feature is called command authorization.

For show run you need to give priv 15. ACS works in a different way if you compare it with setting up local priv lvls on a router/switch.

The best way to set it up is to give all users priv lvl 15 and then define which commands a user can execute.

Note: Having priv 15 does not mean that the user will be able to issue all commands.

We will set up command authorization on ACS to have control over users.

This is how your config should look:

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+



Do rate helpful posts
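
Added example, not part of the thread and not ACS or Cisco code: a simplified Python model of the per-command decision that command authorization makes for a privilege 15 user once the device forwards each command to the TACACS+ server. The set contents, the names OPERATOR_SET, authorize and replay, and the evaluation order (first matching argument rule wins, then a per-command default, then a set-wide default for unlisted commands) are assumptions of this model, and commands are assumed to arrive in their full, unabbreviated form.

```python
import re

# Constructed command authorization set for a restricted operator group.
# Simplified model: command -> (ordered argument rules, permit_unmatched_args).
OPERATOR_SET = {
    "unmatched_commands": "deny",          # anything not listed is refused
    "commands": {
        "show": ([], True),                # all show commands allowed
        "configure": ([("permit", r"^terminal$")], False),
        "interface": ([], True),
        "description": ([], True),
        "exit": ([], True),
        # "line" is deliberately not listed, so it falls to the default deny.
    },
}

def authorize(cmd_set, line):
    """Return 'permit' or 'deny' for one command line sent by the device."""
    parts = line.split()
    if not parts:
        return "deny"
    command, args = parts[0], " ".join(parts[1:])
    entry = cmd_set["commands"].get(command)
    if entry is None:
        return cmd_set["unmatched_commands"]
    rules, permit_unmatched_args = entry
    for action, pattern in rules:          # first matching rule decides
        if re.search(pattern, args):
            return action
    return "permit" if permit_unmatched_args else "deny"

def replay(cmd_set, session):
    """Evaluate a whole session and return (command, verdict) pairs."""
    return [(line, authorize(cmd_set, line)) for line in session]

# Constructed session typed by a user who was granted privilege level 15.
SESSION = [
    "show running-config",
    "configure terminal",
    "interface GigabitEthernet0/1",
    "line console 0",
    "line vty 0 4",
    "reload",
]

if __name__ == "__main__":
    for line, verdict in replay(OPERATOR_SET, SESSION):
        print(f"{verdict:6} {line}")
```

In this model the user can still run show running-config and read the line sections, which matches the reply above: command authorization decides which commands run, it does not filter their output.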

