ACS command authorization - deny CatOS "set" commands

Unanswered Question
Mar 27th, 2009

Cisco Secure ACS 4.2

I have a network support group that I just want to deny them the ability to use IOS and CatOS configuration commands.

I noticed that the Per Group Command Authorization is applicable to only IOS-based commands. I applied it to deny "configure", but permit everything else.

How do I go about setting this group up to deny set-based commands for the CatOS devices?

darpotter Fri, 03/27/2009 - 03:53


CatOS does TACACS+, right? Pretty sure it does. If it has a "shell/exec" service like IOS then ACS won't really care whether the command authorisation is IOS or CatOS - it doesn't have any specific command set knowledge, i.e. it uses string comparisons between what the device is requesting and what is permitted.

However, if the command authorisations are totally different (between IOS and CatOS devices) you might need to place them into separate NDGs so that you can map an IOS NDG to an IOS device command set and vice versa.

Hope that makes sense!
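
The matching described in the reply above, as an added example that is not part of the original thread and is not ACS code: a simplified Python model of per-NDG command sets evaluated by string comparison. The device, NDG and command-set names are constructed, and it assumes the device sends the leading keyword as `cmd` and the remaining words as `cmd-arg` in the TACACS+ authorization request.

```python
# Simplified model of per-NDG shell command authorization (not ACS code).
# Device, NDG and command-set names below are constructed for this example.

DEVICE_NDG = {"core-6509": "CatOS-Switches", "edge-3750": "IOS-Devices"}

# Each command set: default action for unmatched commands, plus per-command
# rules. A rule is (action, argument prefix); "" matches any arguments.
COMMAND_SETS = {
    "ios-no-config": {"unmatched": "permit",
                      "commands": {"configure": [("deny", "")]}},
    "catos-no-set": {"unmatched": "permit",
                     "commands": {"set": [("deny", "")]}},
}

# Group-level mapping: which command set applies to devices in which NDG.
GROUP_NDG_MAP = {"CatOS-Switches": "catos-no-set",
                 "IOS-Devices": "ios-no-config"}


def parse_request(av_pairs):
    """Split authorization AV pairs into (command, argument string)."""
    cmd, args = "", []
    for pair in av_pairs:
        key, _, value = pair.partition("=")
        if key == "cmd":
            cmd = value
        elif key == "cmd-arg" and value != "<cr>":
            args.append(value)
    # Lower-casing is a choice of this model, not a statement about ACS.
    return cmd.lower(), " ".join(args).lower()


def authorize(device, av_pairs):
    """Return 'permit' or 'deny' using plain string comparison only."""
    ndg = DEVICE_NDG.get(device)
    cmd_set = COMMAND_SETS.get(GROUP_NDG_MAP.get(ndg))
    if cmd_set is None:
        return "deny"  # no NDG-to-command-set mapping: fail closed
    cmd, args = parse_request(av_pairs)
    rules = cmd_set["commands"].get(cmd)
    if rules is None:
        return cmd_set["unmatched"]
    for action, prefix in rules:  # first matching rule wins
        if args.startswith(prefix):
            return action
    return "deny"
```

Because the IOS command set has no rule for `set`, the same request is permitted on the IOS device and denied on the CatOS device, which is why the two device types are mapped through separate NDGs.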

