Shell Command Authorization - Limit to single interface

Unanswered Question
Dec 29th, 2008

Hi There,

I'm new to Shell Command Authorization and I'm not sure if I'm doing this right. I'd like to create an authorization set to limit a user so that they can only add and remove a single policy map to a specific interface.

However, I'm having trouble limiting them to a single interface (e.g. FastEthernet 0/0). Whatever I do they seem to be able to access ALL interfaces.

Here is the ACS 4.1 setup:

Unmatched Commands = DENY

configure=permit terminal

interface=permit FastEthernet 0/0

service-policy=permit input testpolicy

Permit Unmatched Args is also OFF (unticked).

Other commands are blocked OK.

Appreciate any help,


jhillend Mon, 01/05/2009 - 09:59

Please run debug on the network device:

debug aaa authorization

debug tacacs authorization

This may give us a clue.


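The reply above points at the debugs because the decisive question is what the router actually sends in the TACACS+ authorization request (the cmd and cmd-arg attribute-value pairs) versus what the ACS command set is written to match. The following Python is an added illustration, not code from this thread and not ACS's own matching engine: it parses the cmd/cmd-arg pairs out of `debug aaa authorization` style lines (the sample lines are constructed and assume the `AAA/AUTHOR/TAC+: (id): send AV attr=value` format; they were not captured from the poster's router), then evaluates the poster's three rules under a deliberately simple exact-match model with Unmatched Commands = deny and Permit Unmatched Args off. Exact string comparison is an assumption for illustration; ACS 4.1's real argument-matching rules are not described on this page. The useful check it gives a practitioner is the last function: whether the rule text and the argument the device sent differ only by whitespace, which is exactly the kind of discrepancy the debug output will reveal.

```python
import re
from dataclasses import dataclass, field

# Constructed sample approximating one TACACS+ command-authorization request as
# printed by `debug aaa authorization` (assumed format; not from the poster's device).
SAMPLE_DEBUG = """\
AAA/AUTHOR/TAC+: (2877594893): user=netops
AAA/AUTHOR/TAC+: (2877594893): send AV service=shell
AAA/AUTHOR/TAC+: (2877594893): send AV cmd=interface
AAA/AUTHOR/TAC+: (2877594893): send AV cmd-arg=FastEthernet0/0
AAA/AUTHOR/TAC+: (2877594893): send AV cmd-arg=<cr>
"""

AV_RE = re.compile(r"send AV (?P<attr>[A-Za-z-]+)=(?P<value>.*)$")


def parse_command_request(debug_text):
    """Extract the cmd and cmd-arg AV pairs from debug output.
    Returns (cmd, [args]); the trailing <cr> marker is dropped."""
    cmd, args = None, []
    for line in debug_text.splitlines():
        m = AV_RE.search(line)
        if m is None:
            continue
        attr, value = m.group("attr"), m.group("value").strip()
        if attr == "cmd":
            cmd = value
        elif attr == "cmd-arg" and value != "<cr>":
            args.append(value)
    return cmd, args


@dataclass
class CommandRule:
    """Argument strings explicitly permitted or denied for one command."""
    permit: list = field(default_factory=list)
    deny: list = field(default_factory=list)


@dataclass
class CommandSet:
    """Simplified model (assumption) of an ACS shell command authorization set."""
    rules: dict                              # command name -> CommandRule
    permit_unmatched_commands: bool = False  # poster: Unmatched Commands = DENY
    permit_unmatched_args: bool = False      # poster: Permit Unmatched Args unticked

    def authorize(self, cmd, args):
        """Return (decision, reason); decision is 'permit' or 'deny'."""
        rule = self.rules.get(cmd)
        if rule is None:
            decision = "permit" if self.permit_unmatched_commands else "deny"
            return decision, "command not in set"
        arg_string = " ".join(args)  # exact-match model: assumption, not ACS logic
        if arg_string in rule.deny:
            return "deny", "argument explicitly denied"
        if arg_string in rule.permit:
            return "permit", "argument explicitly permitted"
        decision = "permit" if self.permit_unmatched_args else "deny"
        return decision, "argument not matched"


# The three rules from the question, transcribed literally.
POSTER_SET = CommandSet(rules={
    "configure": CommandRule(permit=["terminal"]),
    "interface": CommandRule(permit=["FastEthernet 0/0"]),
    "service-policy": CommandRule(permit=["input testpolicy"]),
})


def authorize_from_debug(debug_text, command_set=POSTER_SET):
    """Evaluate the request seen in the debug output against the command set."""
    cmd, args = parse_command_request(debug_text)
    return command_set.authorize(cmd, args)


def differs_only_in_whitespace(rule_text, device_arg):
    """True when rule text and the device-sent argument match once spaces are
    removed: the mismatch to look for first when comparing rules with debugs."""
    strip = lambda s: re.sub(r"\s+", "", s)
    return rule_text != device_arg and strip(rule_text) == strip(device_arg)


if __name__ == "__main__":
    cmd, args = parse_command_request(SAMPLE_DEBUG)
    print("device sent:", cmd, args)
    print("decision:", authorize_from_debug(SAMPLE_DEBUG))
    print("whitespace-only difference:",
          differs_only_in_whitespace("FastEthernet 0/0", " ".join(args)))
```

Run it with the debugs from the reply enabled on the router and paste the real `send AV` lines in place of the constructed sample; the interesting comparison is the `cmd-arg` value the device sends for the interface against the literal text in the ACS rule.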