I am trying to give a user access to a single user mode command on a switch (show interfaces). I want to deny him from entering Exec mode altogether. The switch is configured as:
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
In CSACS v5.1 the user's shell profile has a default privilege of 1 and a maximum privilege of 1. His command set permits show interfaces and I explicitly deny Show (no arguments) and Enable (no arguments). In user mode everything works fine; the user can only execute Show Interfaces. But he is able to enter Enable to get to Exec mode, and when in exec mode he can enter any exec-level command (but user-level commands are still restricted).
I thought just configuring his maximum privilege at 1 would have worked. Can anyone help out?
You need to add this command:
aaa authorization commands 15 default group tacacs+ if-authenticated
Otherwise the router will not check authorization with ACS. Commands that we issue in enable mode fall under privilege 15, so that is why we need this command.
Do rate helpful posts!
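For reference, here is the weak configuration from the question set beside a fuller one that authorizes every privilege level the user can reach. This is an added example, not configuration from either poster; the server name, IP address and key are placeholders, and the tacacs-server syntax shown is the classic IOS form (newer releases use a "tacacs server NAME" stanza instead).

```text
! --- Before: as described in the question (constructed from the post) ---
! Only the exec session and privilege-1 commands are sent to ACS for authorization.
! A command typed at privilege 15 is never sent, so once the user reaches enable
! mode the switch stops asking ACS and the command set is not applied.
aaa new-model
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated

! --- After: authorize levels 0, 1 and 15, plus configuration-mode commands ---
aaa new-model
aaa authentication login default group tacacs+ local
! Send the "enable" request itself to ACS (fall back to the local enable secret
! only if the server is unreachable), so the shell profile governs escalation.
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
! Without this line, commands entered in config mode are not authorized
! even when "commands 15" is configured.
aaa authorization config-commands
! Record what was actually run at each level.
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
! Placeholder server definition (hypothetical address and key).
tacacs-server host 192.0.2.10 key CHANGE-ME
```

To confirm the fix, run "debug aaa authorization" and "debug tacacs" while the restricted user enters enable mode and types a command such as "show running-config": every command, at every level, should now appear as an authorization request to 192.0.2.10 and be denied unless the command set permits it. Note the caveat in "if-authenticated": if the TACACS+ server is unreachable, authorization succeeds for any authenticated user, so the command restriction fails open; decide deliberately whether that is acceptable for the switch in question.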