Shell Command Authorization - Limit to single interface

serotonin888
Level 1

Hi There,

I'm new to Shell Command Authorization and I'm not sure if I'm doing this right. I'd like to create an authorization set to limit a user so that they can only add and remove a single policy map to a specific interface.

However, I'm having trouble limiting them to a single interface (e.g. FastEthernet 0/0). Whatever I do they seem to be able to access ALL interfaces.

Here is the ACS 4.1 setup:

Unmatched Commands = DENY

configure=permit terminal

interface=permit FastEthernet 0/0

service-policy=permit input testpolicy

Permit Unmatched Args is also OFF (unticked).

Other commands are blocked OK.

Appreciate any help,

Thanks

1 Reply

jhillend
Level 1

Please run debug on the network device:

debug aaa authorization

debug tacacs authorization

This may give us a clue.
