We are using ACS ver 4.2 and trying to set up users with limited access to our switches and routers. Here is what we did:
1) Created a user in ACS
2) Created a Shell Command Authorization Set - ReadOnly
Unmatched Commands - Deny
* This should limit the user to the show and exit commands only (correct?)
3) Created a group - HelpDesk with the following TACACS+ settings
Shell (exec) is checked
Privilege level is checked with 15 as the assigned level
Assign a Shell Command Authorization Set for any network device - selected
ReadOnly - shell command authorization set selected
When the user logs on to the router/switch it appears that he has full access. He can enter the enable command, config terminal command, etc. All we want him to be able to do is to issue the show command.
Any help would be appreciated.
You also need to add permit entries for exit and dir with Permit Unmatched Args.
You may check the Permit Unmatched Args option for exit and dir.
- Do rate helpful posts -
Can you refer to this doc
and compare the config. As far as you say, the ACS config sounds correct; on the switch/router you also need to have the following commands:
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
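The two points the replies make, added here as a simplified model rather than anything from the posters or from ACS itself: the router only consults the ReadOnly set for a command if an "aaa authorization commands <level>" line exists for the user's privilege level (otherwise every command just runs, which is what the original poster saw), and once it does consult the set, exit and dir are denied until they are permitted explicitly. The CommandSet/CommandRule types, the argument regex matching and the authorized_levels parameter are assumptions of this model.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    # Argument rules in evaluation order: (action, regex matched against the rest of the line).
    args: list = field(default_factory=list)
    permit_unmatched_args: bool = False


@dataclass
class CommandSet:
    commands: dict                       # first token of the command -> CommandRule
    unmatched_commands: str = "deny"     # "permit" or "deny" (the Unmatched Commands radio button)


def authorize(cmdline: str, cmd_set: CommandSet, authorized_levels: set, priv_level: int) -> bool:
    """Return True if the command may run.

    authorized_levels models which 'aaa authorization commands <level> ...' lines the
    router has. If the user's level is not among them the router never asks ACS and the
    command runs unconditionally, so the authorization set has no effect at all.
    """
    if priv_level not in authorized_levels:
        return True
    tokens = cmdline.split()
    if not tokens:
        return True
    rule = cmd_set.commands.get(tokens[0])
    if rule is None:                                   # command not listed in the set
        return cmd_set.unmatched_commands == "permit"
    rest = " ".join(tokens[1:])
    for action, pattern in rule.args:                  # first matching argument rule wins
        if re.search(pattern, rest):
            return action == "permit"
    return rule.permit_unmatched_args


# The poster's ReadOnly set: only "show" listed, everything else denied.
READ_ONLY = CommandSet(commands={"show": CommandRule(permit_unmatched_args=True)})
# The same set after the first reply's fix: exit and dir permitted with Permit Unmatched Args.
READ_ONLY_FIXED = CommandSet(commands={
    "show": CommandRule(permit_unmatched_args=True),
    "exit": CommandRule(permit_unmatched_args=True),
    "dir": CommandRule(permit_unmatched_args=True),
})
NO_COMMAND_AUTHZ = set()        # router has no 'aaa authorization commands' lines
COMMAND_AUTHZ = {0, 1, 15}      # router has the three lines from the reply above


def check(cmdline, cmd_set=READ_ONLY, levels=COMMAND_AUTHZ, priv_level=15):
    return authorize(cmdline, cmd_set, levels, priv_level)
```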