Hi all, can I filter priv 15 configuration commands using ACS 3.3? Suppose I want the
"interface tunnel" command to be filtered so that none of my users in priv 15 is able to use this command.
Is this possible using ACS 3.3?
The trick here is to give all users priv 15 and then define a command authorization set as per your need.
Giving priv 15 does not mean that the user will be able to execute all commands. You can set up an authorization set and allow only the specific commands you want the user to be able to execute.
This is what you need on the IOS device:
Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
On ACS, bring users/groups in at level 15:
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field
Please see this link,
Do rate helpful posts
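A simplified model of how a command authorization set decides on the "interface tunnel" case from the question, added here as an example; it is not from the original posts and not ACS code. The dictionary field names are hypothetical, modelled on the ACS options "Unmatched Commands" and "Permit Unmatched Args", and the model assumes the router sends the fully expanded command for authorization.

```python
import re

# Constructed set: permit everything except "interface tunnel ...".
BLOCK_TUNNEL_SET = {
    "unmatched_commands": "permit",
    "commands": {
        "interface": {
            "args": [("deny", r"tunnel.*")],
            "permit_unmatched_args": True,
        },
    },
}

# Constructed deny-by-default set: only "show" commands are allowed.
READ_ONLY_SET = {
    "unmatched_commands": "deny",
    "commands": {"show": {"args": [], "permit_unmatched_args": True}},
}


def authorize(command_line, command_set=BLOCK_TUNNEL_SET):
    """Return 'permit' or 'deny' for one command line.

    Assumption: abbreviations are already expanded by the device, so
    'int tu0' arrives here as 'interface Tunnel0'.
    """
    words = command_line.strip().lower().split()
    if not words:
        return "deny"
    cmd, arg_string = words[0], " ".join(words[1:])
    entry = command_set["commands"].get(cmd)
    if entry is None:
        # Command not listed in the set: fall back to the set-wide default.
        return command_set["unmatched_commands"]
    # Command is listed: the first matching argument rule wins.
    for action, pattern in entry["args"]:
        if re.match(pattern, arg_string):
            return action
    return "permit" if entry["permit_unmatched_args"] else "deny"


if __name__ == "__main__":
    for line in ("interface Tunnel0", "interface FastEthernet 0/1",
                 "router ospf 1"):
        print(f"{line!r}: {authorize(line)}")
```

Configuration-mode commands such as "interface tunnel" only reach the TACACS+ server because of `aaa authorization config-commands`. With `if-authenticated` as the fallback method, an authenticated user is authorized when the TACACS+ server does not respond, so the filter holds only while ACS is answering.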