Shell Command Authorization - Limit to single interface

Unanswered Question
Dec 29th, 2008

Hi There,


I'm new to Shell Command Authorization and I'm not sure if I'm doing this right. I'd like to create an authorization set to limit a user so that they can only add and remove a single policy map on a specific interface.


However, I'm having trouble limiting them to a single interface (e.g. FastEthernet 0/0). Whatever I do they seem to be able to access ALL interfaces.


Here is the ACS 4.1 setup


Unmatched Commands = DENY


configure=permit terminal

interface=permit FastEthernet 0/0

service-policy=permit input testpolicy


Permit Unmatched Args is also OFF (unticked).


Other commands are blocked OK.


Appreciate any help,


Thanks


jhillend Mon, 01/05/2009 - 09:59

Please run debug on the network device:


debug aaa authorization

debug tacacs authorization


This may give us a clue.
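As an added worked example (not code from this thread, from Cisco, or from ACS itself), the script below does two things: it pulls the cmd= and cmd-arg= pairs out of `debug aaa authorization` style lines, so you can see the exact argument tokens the router sends, and it evaluates those tokens against a small model of a shell command authorization set, including the set exactly as posted above. The debug lines are constructed for the example. The matching rule in the model (each permit/deny pattern is a regular expression searched within the space-joined argument string, first match wins, everything else falls to the Unmatched Commands / Permit Unmatched Args settings) is an assumption to verify against the ACS 4.x documentation and the real debug output; the `no` entry is an illustration of the fact that IOS sends `no` as the command itself, not part of the original set.

```python
import re

# Constructed sample lines in the style of IOS `debug aaa authorization`
# output (not a capture from this thread).  For a shell command the router
# sends one cmd= pair, one cmd-arg= pair per whitespace-separated token,
# and a final cmd-arg=<cr>.
SAMPLE_DEBUG = """\
AAA/AUTHOR/TAC+: (1034485713): user=bob
AAA/AUTHOR/TAC+: (1034485713): send AV service=shell
AAA/AUTHOR/TAC+: (1034485713): send AV cmd=interface
AAA/AUTHOR/TAC+: (1034485713): send AV cmd-arg=FastEthernet0/0
AAA/AUTHOR/TAC+: (1034485713): send AV cmd-arg=<cr>
"""

AV_RE = re.compile(r"send AV (cmd|cmd-arg)=(.*)$")


def parse_author_debug(text):
    """Extract (command, [arguments]) from one authorization request's
    debug lines, dropping the trailing <cr> marker."""
    cmd, args = None, []
    for line in text.splitlines():
        m = AV_RE.search(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "cmd":
            cmd = value
        elif value != "<cr>":
            args.append(value)
    return cmd, args


class CommandAuthSet:
    """Simplified model of an ACS 4.x shell command authorization set.

    Assumption (verify against the ACS documentation and your debug output):
    each permit/deny pattern is a regular expression searched within the
    space-joined argument string, the first match wins, and the Unmatched
    Commands / Permit Unmatched Args settings cover everything else.
    """

    def __init__(self, commands, unmatched_commands="deny",
                 permit_unmatched_args=False):
        # commands: {"interface": [("permit", r"^FastEthernet0/0$"), ...]}
        self.commands = commands
        self.unmatched_commands = unmatched_commands
        self.permit_unmatched_args = permit_unmatched_args

    def evaluate(self, cmd, args):
        rules = self.commands.get(cmd)
        if rules is None:
            return self.unmatched_commands
        argstr = " ".join(args)
        for action, pattern in rules:
            if re.search(pattern, argstr):
                return action
        return "permit" if self.permit_unmatched_args else "deny"


# The set exactly as posted in the question.  Note the space in
# "FastEthernet 0/0": the router sends the token "FastEthernet0/0".
POSTED = CommandAuthSet({
    "configure": [("permit", r"terminal")],
    "interface": [("permit", r"FastEthernet 0/0")],
    "service-policy": [("permit", r"input testpolicy")],
})

# Anchored patterns written against the token form the router sends.
# IOS sends "no" as the command (cmd=no), so removing the policy needs its
# own entry; this entry is an illustration, not part of the original post.
ANCHORED = CommandAuthSet({
    "configure": [("permit", r"^terminal$")],
    "interface": [("permit", r"^FastEthernet0/0$")],
    "service-policy": [("permit", r"^input testpolicy$")],
    "no": [("permit", r"^service-policy input testpolicy$")],
})

# Unanchored pattern: matches any interface name containing "0/0".
LOOSE = CommandAuthSet({"interface": [("permit", r"0/0")]})


def demo():
    """Evaluate the parsed request and a few hand-built ones; returns verdicts."""
    cmd, args = parse_author_debug(SAMPLE_DEBUG)
    return {
        "posted": POSTED.evaluate(cmd, args),
        "anchored_0/0": ANCHORED.evaluate("interface", ["FastEthernet0/0"]),
        "anchored_0/1": ANCHORED.evaluate("interface", ["FastEthernet0/1"]),
        "anchored_show": ANCHORED.evaluate("show", ["running-config"]),
        "anchored_no": ANCHORED.evaluate("no", ["service-policy", "input", "testpolicy"]),
        "loose_10/0": LOOSE.evaluate("interface", ["FastEthernet10/0"]),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

Run it and compare the `cmd-arg=` tokens from your own debug output with the patterns in the set: the point to check is whether the pattern string, spaces included, can actually match the token the router sends, and whether an unanchored pattern (such as `0/0`) is wider than the single interface you intend to allow.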
