I'm running ACS 5-1-0-44-3.
I have everything running properly on ACS 5.1. I'd like to implement command sets for selected users and groups. Under Access Policies -> Device Admin -> Authorization I have Command Sets selected. The Cisco-provided one is DenyAllCommands. I have this command set running on all groups and every group is still able to issue any command they wish. I've also created a "show_only" command set that I've issued to one group and they are still able to do conf t or any other command.
Am I missing something?
Do you need to reference the command set name under the shell profiles?
It's my understanding that all you have to do is reference it in "Authorization" in the rules under Device Admin.
I can understand a custom command set not working because of user error but DenyAllCommands should work.
Anyone have any ideas?
I have already re-patched the ACS.
Stopped and started services.
And it seems like Command Sets is the only thing not referenced in the logs.