Different Permissions

Answered Question
Aug 19th, 2009

How can I set Cisco ACS to apply full level 15 access to a user when they connect to a switch, but read only access when they connect to a firewall?

Correct Answer by Erick Delgado about 7 years 11 months ago


This can be done by using command shell authorization.

Please see documentation below.


If you have any questions, do not hesitate to contact me.

Jatin Katyal Wed, 08/19/2009 - 08:36

You can set this by using command authorization.

ACS config:


Create two NDGs under Network Configuration: one for the ASA client and one for the switch client.

Create two different command authorization sets:

Switch = permit all

ASA = deny all, and permit show only

Now, go to the user account and scroll down to Shell Command Authorization Set.

Choose "Assign a Shell Command Authorization Set on a per Network Device Group Basis".

Here you can map each NDG to its respective command authorization set.

On the ASA:


aaa authorization command <ACS-server-group> LOCAL

(This enables command authorization. <ACS-server-group> is a placeholder for the name of the TACACS+ server group defined for ACS; LOCAL is the fallback if the server group is unreachable.)

On the switch


aaa new-model

aaa authorization config-commands

aaa authorization commands 0 default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

For more info, please refer to this link:


Let me know if you face any issue.
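As an added example (not part of the original thread and not ACS code), the following Python models how ACS maps a Network Device Group to a Shell Command Authorization Set and then evaluates a command, using the two sets from the answer above and going one step further by also refusing "show running-config" on the firewall. Device addresses, NDG and set names, and the regex-based argument matching are assumptions.

```python
# Added example: ACS-style NDG -> Shell Command Authorization Set -> decision.
# Device addresses, NDG/set names and regex argument matching are assumptions.
import re
from dataclasses import dataclass, field

@dataclass
class CommandSet:
    name: str
    unmatched_commands: str  # "permit" or "deny" for commands not listed below
    # command -> ([(action, argument-regex), ...], permit_unmatched_args)
    commands: dict = field(default_factory=dict)

    def evaluate(self, line: str) -> bool:
        parts = line.split()
        if not parts:
            return False  # empty request: fail closed
        cmd, args = parts[0], " ".join(parts[1:])
        if cmd not in self.commands:
            return self.unmatched_commands == "permit"
        rules, permit_unmatched_args = self.commands[cmd]
        for action, pattern in rules:  # first matching argument rule wins
            if re.fullmatch(pattern, args):
                return action == "permit"
        return permit_unmatched_args

# Switch = permit all; ASA = deny all, permit show (here additionally refusing
# "show running-config" so the read-only role cannot read stored secrets).
SWITCH_SET = CommandSet("switch-full", unmatched_commands="permit")
ASA_SET = CommandSet("asa-readonly", unmatched_commands="deny",
                     commands={"show": ([("deny", r"running-config.*")], True)})

# NDG membership and NDG -> set mapping (addresses and names are constructed).
DEVICE_TO_NDG = {"192.0.2.10": "Switches", "192.0.2.20": "Firewalls"}
NDG_TO_SET = {"Switches": SWITCH_SET, "Firewalls": ASA_SET}

def authorize(device_ip: str, command: str) -> bool:
    """True if the command is permitted for the device's NDG; a device in no
    NDG has no set mapped and is denied (fail closed)."""
    cmdset = NDG_TO_SET.get(DEVICE_TO_NDG.get(device_ip))
    return cmdset.evaluate(command) if cmdset else False

if __name__ == "__main__":
    for ip, cmd in [("192.0.2.10", "configure terminal"), ("192.0.2.20", "show version"),
                    ("192.0.2.20", "show running-config"), ("192.0.2.20", "configure terminal")]:
        print(ip, cmd, "->", "permit" if authorize(ip, cmd) else "deny")
```

Whether a device expands abbreviated input such as "show run" before sending the authorization request is device-specific, so verify that on the actual platform rather than relying on a single argument pattern.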