ACS 3.3 Shell Command Authorization Sets

Oct 10th, 2008

I need help on the Authorization Set. I have the following currently configured.

clear
    permit port-security dynamic
    permit port-security all
    permit port-security sticky
    permit mac-address-table dynamic

configure
    permit terminal

show
    permit port-security
    permit mac-address-table
    permit interfaces status
    permit interfaces stats
    permit running-config interface FastEthernet
    permit ver

switchport
    permit port-security

write
    permit memory
    permit network

copy
    running-config startup-config

Everything seems to work fine. For example, you cannot do a show running-config.

My problem is the conf t. Once you're in, you can do any commands you want, i.e. "int fax/x/x", "switchport access vlan XX".

I tried different interface permit commands and still cannot restrict commands.

None of the permit unmatched commands are checked.

What I would like is to permit interface commands for port-security commands, but not allow shut or no shut, etc.

Jagdeep Gambhir Mon, 10/13/2008 - 05:16

As suggested by Faruk, it seems it is not checking for authorization in config t mode; that is why you are able to execute all commands.

Please add

aaa authorization config-commands

The above command will enable authorization for config t mode.
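As an added example (not part of the original thread, and not the poster's own configuration), here is a complete IOS AAA fragment that sends both exec-mode and config-mode commands to the TACACS+ server for authorization. The server address, the shared secret and the VTY line range are assumed placeholders; the authorization set entries are the ones already listed in the question, extended with an "interface" command entry so that entering an interface is permitted while "shutdown" stays unmatched and is therefore denied:

```cisco
! Enable AAA and point at the ACS server (placeholder address and key)
aaa new-model
tacacs-server host 192.0.2.10 key REPLACE-WITH-SHARED-SECRET

! Authenticate logins and authorize the exec shell via TACACS+
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local

! Authorize every privilege-15 command in exec mode
aaa authorization commands 15 default group tacacs+ local

! Without this line, commands typed inside "configure terminal"
! are never sent to the server, so the command set is not consulted
aaa authorization config-commands

! Apply the command and exec authorization method lists to the VTY lines
line vty 0 4
 authorization exec default
 authorization commands 15 default
 login authentication default
```

On the ACS side, the matching shell command authorization set would keep "permit unmatched commands" unchecked (as in the question) and add a command entry such as:

```cisco
interface
    permit FastEthernet
```

With config-command authorization enabled, "interface FastEthernet0/1" is permitted by that entry, "switchport port-security" is permitted by the existing "switchport" entry, while "switchport access vlan 10", "shutdown" and "no shutdown" have no matching entry and are rejected by the switch. A quick check after applying the change is to log in as the restricted user, enter "configure terminal", and confirm that "shutdown" on an interface returns "Command authorization failed" and that the attempt appears in the ACS Failed Attempts report.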



Farrukh Haroon Wed, 10/15/2008 - 10:38

It's great to know you have it working now. :)

Please rate helpful posts to increase the utility of this information for future readers.
