Command Sets not working on ACS 5.1

Answered Question
Aug 12th, 2010

I'm running ACS 5-1-0-44-3.

I have everything running properly on ACS 5.1.  I'd like to implement command sets for selected users and groups.  Under Access Policies -> Device Admin-> Authorization I have Command Sets selected.  The cisco provided is DenyAllCommands.  I have this command set running on all groups and every groups is still able to issue any command they wish.  I've also created a "show_only" command set that I've issued one group and they are still able to do conf t or any other command.

Am I missing something?

Do you need to reference the command set name under the shell profiles?

Its my understanding that all you have to do is reference it in "Authorization" in the rules under Device Admin.

I can understand a custom command set not working because of user error but DenyAllCommands should work.

Anyone have any ideas?

I have already re-patched the ACS

Stopped and started services.

And it seems like Command Sets is the only not referenced in the logs

I have this problem too.
0 votes
Correct Answer by Przemyslaw Konitz about 6 years 3 months ago

paste AAA config from your router and check in aaa tacacs+ authorization whether commands are verified and so on.

regards

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Przemyslaw Konitz Fri, 08/13/2010 - 05:20

paste AAA config from your router and check in aaa tacacs+ authorization whether commands are verified and so on.

regards

adam benigar Tue, 08/17/2010 - 06:10

I am able now to deny/permit certain commands like show, conf t, etc.  Basically any command following #.  I'm now having a problem denying command after conf t.  I want to allow access to the fastethernet interfaces but deny serial interfaces.

If I DENY "interface" under the Command column it doesn't work.  I can still access all interfaces.

adam benigar Tue, 08/17/2010 - 06:37

Got it working.

I was missing the "aaa authorization config-commands" command on the router.

Thanks for yout help

Przemyslaw Konitz Tue, 08/17/2010 - 06:56

I do it a lot 

could you paste screnshot of your command set?

I've recently met another issue,

with my command set definition as below (as you can see its very simple):

almost every show is blocked (as suspected) but not "show run" (which is strange for me)

adam benigar Tue, 08/17/2010 - 07:07

I've got it working like a charm now.  I'm not sure if you saw my previous post.  I was missing the command "aaa authorization config-commands" on my routers.

Actions

This Discussion