TACACS+: How do you limit the 'show ?' output for a user?

Answered Question
Aug 5th, 2010

Hello,

On my TACACS+ server, I would like to set up a user so that when they do a 'show ?' command, it will only list the commands that they are allowed to do, instead of the entire list. I searched all over and couldn't find any info on this. Does anyone know if this is possible? If so, how do you do it?

Thanks,

neocec

Correct Answer by skalaven about 6 years 6 months ago

privilege configure level 5 ip route
privilege exec level 5 configure


aaa new-model
!
!
aaa authentication login t-authen group tacacs+ local
aaa authentication login no-authen none
aaa authorization console
aaa authorization exec t-author group tacacs+
aaa authorization exec no-author none
aaa authorization commands 5 t-author group tacacs+
aaa authorization commands 15 t-author group tacacs+


ACS config:

shell command authorization set

Give name

Add show on the left column and add the show commands you would like to permit on the right column

Go to the user Advanced TACACS+ settings, Max priv for any client set to 5


Under TACACS+ settings, check the Shell (exec) check box

privilege level 5

Assign the shell command authorization set

skalaven Sat, 08/21/2010 - 13:02

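An added check, not part of skalaven's answer or of any Cisco tooling: it reads the IOS lines from the answer and lists the privilege levels that a user capped at level 5 can run commands from but that have no `aaa authorization commands <level>` line. It assumes IOS sends a command to TACACS+ for authorization only when such a line exists for that command's level; the function names and the `max_priv` parameter are hypothetical.

```python
import re

# The IOS lines from the answer above, copied as the sample input.
SAMPLE_CONFIG = """\
privilege configure level 5 ip route
privilege exec level 5 configure
aaa new-model
aaa authentication login t-authen group tacacs+ local
aaa authentication login no-authen none
aaa authorization console
aaa authorization exec t-author group tacacs+
aaa authorization exec no-author none
aaa authorization commands 5 t-author group tacacs+
aaa authorization commands 15 t-author group tacacs+
"""

PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+)$")
AUTHZ_RE = re.compile(r"^aaa authorization commands\s+(\d+)\s+(\S+)\s+(.+)$")

# IOS ships with commands at levels 0, 1 and 15. Level 0 holds only a handful
# (disable, enable, exit, help, logout) and is left out of this check.
DEFAULT_LEVELS = {1, 15}


def parse(config):
    """Return ({level: [(mode, command)]}, {level: {list_name: [methods]}})."""
    moved, authz = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = PRIV_RE.match(line)
        if m:
            moved.setdefault(int(m.group(2)), []).append((m.group(1), m.group(3)))
            continue
        m = AUTHZ_RE.match(line)
        if m:
            authz.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3).split()
    return moved, authz


def unauthorized_levels(config, max_priv):
    """Levels a user capped at max_priv can run commands from, but for which
    no 'aaa authorization commands <level>' line sends them to TACACS+."""
    moved, authz = parse(config)
    populated = DEFAULT_LEVELS | set(moved)
    return sorted(lvl for lvl in populated if lvl <= max_priv and lvl not in authz)


if __name__ == "__main__":
    for level in unauthorized_levels(SAMPLE_CONFIG, max_priv=5):
        print(f"level {level}: commands run without TACACS+ command authorization")
```

Under that assumption, any `show` command still at its default level 1 is never checked against the ACS shell command authorization set until a matching `aaa authorization commands 1` line is configured.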