Shell Cmd Auth Set allows too much

Unanswered Question
Jan 24th, 2009

I set up a Shell Command Authorization Set. I want to give someone access to enter "configure terminal" and any "mac-address-table static *" commands.

Unmatched commands: Deny

configure -> permit terminal

mac-address-table -> permit static

I built a group and assigned this shell command authorization set to it, level 15, etc.

Now when I create a test user, I can enter "configure terminal" and any other command it seems. "router ospf 21", "interface vlan 101", etc. are all ALLOWED even though I haven't listed them in my command authorization set.

Any idea what I'm missing? Thank you for any responses.

---John Holmes...

JHolmes763 Sat, 01/24/2009 - 01:26

Just to clarify, the issue seems to be with limiting global configuration commands. I can limit privileged exec commands easily using the Authorization Sets.

Is it not possible to limit global configuration commands once you give the user the ability to enter "configure terminal"?


cisco24x7 Sat, 01/24/2009 - 09:54

Yes, it is absolutely possible. Like this:

    # tac_plus config: user "test" inherits its authorization from group "limited"
    user = test {
        member = limited
        login = des xxxxxxx
        name = "ccie security"
    }

    # group-level default denies any command that has no cmd block below
    group = limited {
        default service = deny
        cmd = show {
            permit "arp .*"
            permit "cam .*"
            deny .*
        }
    }


Not sure how Cisco does it in ACS, but in freeware TACACS+ that's how I do it.
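As an added illustration (not part of the thread and not the tac_plus daemon's own code), here is a small model of how a default-deny command set like the one above is evaluated: the first word is looked up as the command, the remaining arguments are matched against the command's permit/deny patterns in order, first match wins, and a command with no block falls through to the group default. The rule table is constructed from the two configurations discussed in this thread; patterns are anchored at the start of the argument string here, which is an assumption of this model rather than a statement about the real daemon's regex handling.

```python
import re

# Constructed authorization set combining the original poster's intent
# (configure terminal, mac-address-table static ...) with the "show" block
# from the tac_plus example above.  Rules are evaluated in order.
AUTHZ_SET = {
    "default": "deny",
    "cmd": {
        "configure": [("permit", r"terminal")],
        "mac-address-table": [("permit", r"static .*")],
        "show": [("permit", r"arp .*"), ("permit", r"cam .*"), ("deny", r".*")],
    },
}


def authorize(command: str, authz: dict = AUTHZ_SET) -> str:
    """Return 'permit' or 'deny' for one full command line.

    Model semantics (an assumption of this example): the command name is the
    first token, the pattern is matched against the argument string from its
    start, the first matching permit/deny wins, and anything unmatched,
    including commands with no cmd block at all, gets the group default.
    """
    parts = command.strip().split(None, 1)
    if not parts:
        return "deny"
    name = parts[0]
    args = parts[1] if len(parts) > 1 else ""
    rules = authz["cmd"].get(name)
    if rules is None:
        # No cmd block for this command: the group default decides.
        return authz["default"]
    for action, pattern in rules:
        if re.match(pattern, args):
            return action
    # A cmd block exists but nothing matched: fall back to the default.
    return authz["default"]


if __name__ == "__main__":
    for line in ("configure terminal",
                 "mac-address-table static 0000.1111.2222 vlan 10 interface Gi0/1",
                 "router ospf 21", "interface vlan 101",
                 "show cam dynamic", "show running-config"):
        print(f"{authorize(line):6s}  {line}")
```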

JHolmes763 Sun, 01/25/2009 - 00:43

Thanks for the help. Shell command authorization sets don't have a format like that, though. I don't know if there's a way to enter permissions like that through ACS.
