I am trying to set up a command set for an identity group that will allow very specific commands on particular access switches. Namely, sho conf, conf t, int fa0/1-x, speed x, duplex x, shut, no shut, end, wr mem, exit.
I have created an identity group and an internal test user account in that identity group. I've created a command set with the following (just to start) commands authorized.
I've added a policy to allow users from this identity group access to access switches at this test location using the privilege "15" shell profile and the above command set.
I can execute "show conf" and "conf t" ok from enable. All other commands at this level are denied as they should be.
However, once I get into config mode, I can pretty much run any command without it being checked against the configured policy/command set. At least it doesn't appear that it is, because I see nothing (pass or fail) in the authorization log.
Anyone have any idea why once in "conf t" mode all commands are allowed despite these commands not being specified in the command set? This is a C3548-XL running 12.0.5.WC13...