Restricting / Allowing specific config commands

Dec 17th, 2002
Is there a way to provide a user with configuration access on a device, but restrict the specific commands that the user can issue?

In other words let them get into config t and turn up an interface and assign an IP address, exit out, and write the change to memory - but prevent them from issuing any other commands that would modify the device config.

I would like to do this through my AAA server if possible, but will do locally if that is my only option.

gfullage Tue, 12/17/2002 - 14:11
User Badges: Cisco Employee

Sure, there's a couple of ways you can do this.

First way is to assign a specific privilege level to the user via the AAA server, then on the router assign certain commands to that privilege level. This means adding a lot of configuration commands to your routers though.

Other way is to set up command authorization, and then add all the commands that the users can do onto the AAA server itself. You have to use TACACS for this, as Radius doesn't have this capability. You'd add the following into your router config:

> aaa authorization commands 15 default group tacacs none

and if you want them to be able to change certain parts of the config, then also add:

> aaa authorization config-commands

Then on the AAA server (I'll assume ACS NT here), under the user profile (or put these users in a specific group and change the group profile), in the TACACS section you'll see a Command Authorization section. If you want them to be able to do certain "show" commands, for example, then check the "Command" box, put "show" in the text box, then in the Arguments box put things like:

permit ip route
permit version
permit running-config
permit clock

then check the radio button to Deny Unlisted Arguments. If you hit Submit now and go back in, there'll be another box allowing you to enter another set of commands. Note that you need the word "permit" before all the command arguments just like I wrote above. Note also that it's easy to lock up your router config doing this, but you should be able to plug into the console port and change the config back, cause command authorization is disabled on the console by default, unless you specify the hidden command:

> aaa authorization console

but this is hidden for a reason, it's dangerous to use it cause you then have no fallback.
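To make the "permit &lt;arguments&gt; / Deny Unlisted Arguments" semantics concrete, here is an added example (not from the reply above or from Cisco ACS) that models how a TACACS+ server would answer the router's command-authorization requests for the operator workflow in the original question. It assumes, as a simplification, that each argument pattern is a regular expression matched from the start of the argument string, and that commands with no entry at all are denied.

```python
import re
from dataclasses import dataclass

# One entry per "Command" box in the ACS profile: the regexes from its
# Arguments box and whether "Deny Unlisted Arguments" is selected.
@dataclass
class CommandRule:
    permitted_args: list          # "permit <regex>" lines
    deny_unlisted: bool = True    # the "Deny Unlisted Arguments" radio button

# Constructed (hypothetical) group profile for the operator in the question:
# enter config mode, bring up an interface, address it, leave, save.
# Nothing else (no routing, no ACLs, no "copy run start") is listed.
POLICY = {
    "show":      CommandRule([r"ip route", r"version", r"running-config", r"clock"]),
    "configure": CommandRule([r"terminal"]),
    "interface": CommandRule([r".+"]),           # any interface name
    "ip":        CommandRule([r"address .+"]),   # "ip address ..." only, not "ip route"
    "no":        CommandRule([r"shutdown$"]),
    "exit":      CommandRule([r"^$"]),           # bare "exit" only
    "end":       CommandRule([r"^$"]),
    "write":     CommandRule([r"memory$"]),
}

def authorize(cmd_line: str, policy=POLICY) -> bool:
    """Decide one command-authorization request.

    With 'aaa authorization commands 15 default group tacacs none' (plus
    'aaa authorization config-commands' for config-mode lines) the router
    sends each command word and its arguments to the server; the server
    looks up the command, then tests the argument string against the
    permit patterns. Unmatched arguments fall through to deny_unlisted.
    """
    parts = cmd_line.strip().split(None, 1)
    if not parts:
        return False                       # empty line: nothing to authorize
    cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")
    rule = policy.get(cmd)
    if rule is None:
        return False                       # command not listed at all
    if any(re.match(pat, args) for pat in rule.permitted_args):
        return True
    return not rule.deny_unlisted

if __name__ == "__main__":
    for line in ["configure terminal", "interface FastEthernet0/1",
                 "ip address 192.0.2.1 255.255.255.0", "no shutdown", "exit",
                 "write memory", "router ospf 1", "copy running-config startup-config"]:
        print(f"{'permit' if authorize(line) else 'deny  '}  {line}")
```

The last two lines of the sample session show the lock-out caveat from the reply: anything not spelled out, including an alternative way of saving the config, is refused, so test a profile from a session that still has console access.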
