ACS 5.1 - Command Line Filters not working in Config Mode

Answered Question
Apr 18th, 2010
User Badges:


I am trying to set up command line filters to deny sniffer commands being entered. I have setup a Command Set and applied it to an Authorization Policy. The command filter works fine for commands in privileged mode. However, the filter doesn't work for any command that is entered in Config mode.

For a test I have setup a Command Set that will deny:

show clock

terminal length

show monitor

remote span

monitor session

The first three command are entered from the initial privilege mode and they are failed by the ACS. The last two commands can only be entered in config mode and the ACS does not stop them being entered.

I have attached two screenshots which show the Command Set configuration on the ACS and a Terminal session which commands are filtered and which are let through.

Has anyone else come across this problem? Is there something else I should be adding to the Command Set? Is this a bug?

There is a bug on the Cisco Website which relates to command filters:

I do not know if this bug applies to this issue as there is so little information on it. Also, if it does apply I do not understand the workaround to apply it to this situation.

Any advice would be greatly appreciated. - (ACS Version

Cheers Dave

Correct Answer by Javier Henderson about 7 years 2 months ago

Do you have authorization for configuration mode on the router?

If not, add:

aaa authorization config-commands

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Correct Answer
Javier Henderson Mon, 04/19/2010 - 09:35
User Badges:
  • Cisco Employee,

Do you have authorization for configuration mode on the router?

If not, add:

aaa authorization config-commands

rodmunch999 Mon, 04/19/2010 - 17:56
User Badges:

Thanks Javier that works a treat. We already had the following authorization commands in the aaa config:

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

The documentation stated that "Commands—Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level" we though we already had the config commands covered. I guess not.

Many Thanks



This Discussion