ACS 3.3 Shell Command Authorization Sets

Steve Chapman
Level 1

I need help on the Authorization Set. I have the following currently configured.

clear
    permit port-security dynamic
    permit port-security all
    permit port-security sticky
    permit mac-address-table dynamic

Configure
    permit terminal

end

exit

show
    permit port-security
    permit mac-address-table
    permit interfaces status
    permit interfaces stats
    permit running-config interface FastEthernet
    permit ver

switchport
    permit port-security

write
    permit memory
    permit network

copy
    running-config startup-config

Everything seems to work fine. For example, you cannot do a show running config.

My problem is the conf t. Once you're in, you can do any commands you want, i.e. "int fax/x/x" "switchport access vlan XX"

I tried different interface permit commands and still cannot restrict commands.

None of the permit unmatched commands are checked.

What I would like is to permit interface commands for port security commands, but not allow shut or no shut, etc.

4 Replies

Farrukh Haroon
VIP Alumni

Have you turned on:

aaa authorization config-commands

Regards

Farrukh

As suggested by Farrukh, it seems it is not checking for authorization in config t mode, which is why you are able to execute all commands.

Please add

aaa authorization config-commands

The above command will enable authorization for config t mode.

Regards,

~JG

That fixed it. Thanks.

It's great to know you have it working now. :)

Please rate helpful posts to increase the utility of this information for future readers.

Regards

Farrukh
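
An added example, not part of the thread and not Cisco tooling: a small Python check that flags an IOS configuration where per-command authorization is configured but `aaa authorization config-commands` is missing, which is the gap the replies identified. The sample configs and the `audit_aaa` name are constructed for illustration, and the check assumes that a line absent from the config text means the feature is off.

```python
import re

# Constructed sample configs (not from the thread): command authorization is
# sent to TACACS+ in both, but only HARDENED also covers configuration mode.
WEAK = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
"""
HARDENED = WEAK + "aaa authorization config-commands\n"

CMD_AUTHZ = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")


def audit_aaa(config_text):
    """Return a list of findings for an IOS config supplied as text.

    Assumption: a line absent from the text means the feature is off,
    which matches the behaviour described in the thread.
    """
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    # Privilege levels that have a command-authorization method list.
    levels = sorted({int(m.group(1)) for ln in lines
                     if (m := CMD_AUTHZ.match(ln))})
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: AAA is not enabled")
    if not levels:
        findings.append("no 'aaa authorization commands <level>' list: "
                        "no per-command authorization at all")
    # Exact-line match, so 'no aaa authorization config-commands' is not a hit.
    elif "aaa authorization config-commands" not in lines:
        findings.append(
            "commands authorized at level(s) %s but 'aaa authorization "
            "config-commands' is absent: commands typed after 'configure "
            "terminal' are not checked against the authorization set"
            % ", ".join(map(str, levels)))
    return findings


if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, "->", audit_aaa(cfg) or "OK")
```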
