Recently, a couple of our help desk people were asking for access to some of our branch network equipment so that they can look at interface counters, etc. for troubleshooting without escalating to the engineers. I agreed that it would be okay to give access to commands such as "show ip interface brief", "show interface", and "clear counters". I want to deny commands such as "show running-config" and "configure".
I have set up shell command authorization in every possible way (user level, group level, creating shell command authorization sets, per NDG, etc.) and I cannot get them to work. I have read through many docs on Cisco's website and I'm still unable to get this to work. I suspect there may be some AAA settings on the devices that may be overriding the ACS settings, but I'm not sure. I'm relatively new at configuring ACS and I've run out of ideas. Any suggestions?