ACS 5.1 command-sets

Unanswered Question
Sep 13th, 2010

Hello -

I am trying setup a command set for an identity group that will allow very specific commands on particular access switches.   Namely, sho conf, conf t, int fa0/1-x, speed x, duplex x, shut, no shut, end, wr mem, exit.

I have created a identity group and an internal test user account in that identity group.   I've created a command set with the following (just to start) commands authorized.

sh*  conf*

conf* t*

I've added a policy to allow users from this identity group access to access switches at this test location using the privilege "15" shell profile and the above command set.  

I can execute "show conf" and "conf t" ok from enable.   All other commands at this level are denied as they should be.

However, once I get into config mode, I can pretty much run any command without it being checked against the configured policy/command-set.   At least it doesn't appear it is because I see nothing (pass or fail) in the authorization log. 

Anyone have any idea why once in "conf t" mode all commands are allowed despite these commands not being specified in the command set?  This is a C3548-XL running 12.0.5.WC13...

Thank You

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)


I believe you will need to ensure that accounting is activated on the device and pointed towards the ACS.  Additionally, you will need to ensure that you have included something like . . .

aaa authorization config-commands

on the device.  It's this little statement that cause the device to send the commands beyond a "conf t" to the AAA server.  Otherwise, it doesn't do anything after conf t.

Hope this helps,



This Discussion