I am working on setting up a restricted command set on ACS 5.1 so that users can access switches only at designated privilege levels and hence only get access to certain commands as defined on the ACS servers.
So far I have set up a Shell Profile with Default privilege of 0, and a maximum privilege of 2. The user is authenticated using our AD servers and everything is fine and they can login to the switch and get privilege 0 access.
However, I cannot work out how to restrict the commands that are available to them. I have set up a Command Set on the ACS with one command in it ("show run interface" with a wildcard argument), but the commands are not restricted on the switch and they can run some commands that they should not be able to.
I guess what I am looking for is a step-by-step guide as to what configuration needs to be on the switch and how the ACS needs to be set up. There is a lot of information on the Cisco site, but none of it is really what I need - it tells you everything and explains nothing. I have questions that need to be answered, like: will the command set accept short-form commands (e.g. sh run int), or do they have to be word for word as in the CLI? If they are defined as per the CLI, what happens if a user tries to use a short form? How do I remove or hide commands from the list when a user types ? at a prompt?
So many questions, so little time.
BTW we are using TACACS.
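For reference, the switch-side piece that is missing in the setup described above is command authorization: an ACS Command Set is only ever consulted if the IOS device sends a TACACS+ authorization request for each command, and that requires `aaa authorization commands <level>` lines for every privilege level the users can reach. The following is an added example IOS configuration, not from the original post or from Cisco's documentation; the server name ACS-1, address 192.0.2.10, group name ACS and the shared secret are placeholders you must replace with your own.

```ios
! Added example (not from the post): IOS TACACS+ AAA with per-command authorization
aaa new-model
!
! Hypothetical ACS server; replace address and key with your own
tacacs server ACS-1
 address ipv4 192.0.2.10
 key ExampleSharedSecret
!
aaa group server tacacs+ ACS
 server name ACS-1
!
! Login and exec authorization: exec authorization is what lets ACS hand
! down the privilege level from the Shell Profile (default 0, max 2 here)
aaa authentication login default group ACS local
aaa authorization exec default group ACS local
!
! These lines make the switch ask ACS before executing each command.
! Without a line for a given level, commands at that level run without
! ever being checked against the Command Set. Cover every level the
! user can reach (0 through the Shell Profile's maximum).
aaa authorization commands 0 default group ACS local
aaa authorization commands 1 default group ACS local
aaa authorization commands 2 default group ACS local
!
! Also send configuration-mode commands for authorization
aaa authorization config-commands
!
! Record what was run and whether it was permitted
aaa accounting commands 0 default start-stop group ACS
aaa accounting commands 1 default start-stop group ACS
aaa accounting commands 2 default start-stop group ACS
!
! Apply the method lists to the remote-access lines
line vty 0 15
 login authentication default
 authorization exec default
 authorization commands 0 default
 authorization commands 1 default
 authorization commands 2 default
```

Two caveats a practitioner should keep in mind. First, the `local` fallback on the command authorization lines means that if every ACS server is unreachable, command authorization is decided by the local user database rather than the Command Set; choose the fallback method deliberately rather than copying it. Second, command authorization does not change what `?` shows: context help lists whatever the current privilege level allows, and a command that ACS will deny still appears there and is only rejected when the user presses Enter. Hiding commands from `?` therefore has to be done on the switch itself with `privilege exec level <n> <command>`, which moves the command to a higher privilege level; the Command Set then acts as the second gate. To see exactly what the switch is sending ACS for a given command (and so whether an abbreviated command and its full form look the same to the Command Set), run `debug aaa authorization` on the switch while a test user types the command, and read the `cmd=` and `cmd-arg=` attributes in the request.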