×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Users authorized commands

Unanswered Question
Jan 15th, 2003
User Badges:

I want to restrict some users to "show running-config" command.


I have created a Shell Command Authorization Set with "show" command "permit running-config". Under the TACACS+ setting the Shell (exec) is selected and Privilege level with a value of 5. The SCAS is associated to the username.


Config on a Router:

aaa new-model

aaa authentication login vty group tacacs+ local

aaa authentication login console line

aaa authentication enable default group tacacs+ enable

aaa authorization exec vty group tacacs+ local

aaa authorization commands 5 vty group tacacs+

...

line vty 0 4

exec-timeout 30 0

password ***Deleted****

authorization exec vty

login authentication vty



The user gets the privilege of 5 when logged in but is unable to execute the command show running-config.


Thanks

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
4brown Wed, 01/15/2003 - 11:34
User Badges:

sh run is a priv lvl 15 command by default. You can change it to level 5 with the:


privilege exec level 5 show running-config


command.

rrcarter79 Wed, 01/15/2003 - 12:33
User Badges:

Yes that does work, but I would rather set this up using the Shell Command Authorization Set with the ACS server.


There are many more commands to include for different users and configuring every router and switch with each command required is a very large task.


How is this done with Shell Command Authorization Sets?


Thanks

4brown Wed, 01/15/2003 - 12:43
User Badges:

Do you have:


authorization commands 5 vty


on the line vty ports? Wasn't specified in your earlier post.

4brown Wed, 01/15/2003 - 16:57
User Badges:

Try quoting "running-config"


If that doesn't work, try just permitting "run".


Pasting debug aaa authorization and debug tacacs+ may help identify the issue.

rrcarter79 Wed, 01/15/2003 - 19:28
User Badges:


Using quotes does not work. The parameters inclosed in quotes disappears.


So I tried just permit run.


I logged in with username "username".


I gain access and get a priv of 5 and a # sign prompt.


Issue a sho run and receive an error.



------ Login Session ----------

Username: username

Password:


LabrtrB#sho priv

Current privilege level is 5

LabrtrB#

LabrtrB#sho run

^

% Invalid input detected at '^' marker.


LabrtrB#



Here are the debugs:


LabrtrB#debug aaa authorization

AAA Authorization debugging is on

LabrtrB#

Jan 15 22:11:52.728: tty2 AAA/AUTHOR/EXEC (3878016830): Port='tty2' list='vty' service=EXEC

Jan 15 22:11:52.728: AAA/AUTHOR/EXEC: tty2 (3878016830) user='username'

Jan 15 22:11:52.728: tty2 AAA/AUTHOR/EXEC (3878016830): send AV service=shell

Jan 15 22:11:52.728: tty2 AAA/AUTHOR/EXEC (3878016830): send AV cmd*

Jan 15 22:11:52.728: tty2 AAA/AUTHOR/EXEC (3878016830): found list "vty"

Jan 15 22:11:52.728: tty2 AAA/AUTHOR/EXEC (3878016830): Method=tacacs+ (tacacs+)

Jan 15 22:11:52.728: AAA/AUTHOR/TAC+: (3878016830): user=username

Jan 15 22:11:52.728: AAA/AUTHOR/TAC+: (3878016830): send AV service=shell

Jan 15 22:11:52.728: AAA/AUTHOR/TAC+: (3878016830): send AV cmd*

Jan 15 22:11:52.932: AAA/AUTHOR (3878016830): Post authorization status = PASS_ADD

Jan 15 22:11:52.932: AAA/AUTHOR/EXEC: Processing AV service=shell

Jan 15 22:11:52.932: AAA/AUTHOR/EXEC: Processing AV cmd*

Jan 15 22:11:52.932: AAA/AUTHOR/EXEC: Processing AV priv-lvl=5

Jan 15 22:11:52.932: AAA/AUTHOR/EXEC: Authorization successful

Jan 15 22:12:49.963: AAA/MEMORY: free_user (0x629A26BC) user='username' ruser=''

port='tty2' rem_addr='x.x.x.x' authen_type=ASCII service=LOGIN priv=1






LabrtrB#debug tacacs

TACACS access control debugging is on

LabrtrB#

Jan 15 22:13:50.599: TAC+: send AUTHEN/START packet ver=192 id=1365478173

Jan 15 22:13:50.599: TAC+: Using default tacacs server-group "tacacs+" list.

Jan 15 22:13:50.599: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5

Jan 15 22:13:50.599: TAC+: Opened TCP/IP handle 0x62A8E470 to x.x.x.x/49

Jan 15 22:13:50.599: TAC+: x.x.x.x (1365478173) AUTHEN/START/LOGIN/ASCII queued

Jan 15 22:13:50.799: TAC+: (1365478173) AUTHEN/START/LOGIN/ASCII processed

Jan 15 22:13:50.799: TAC+: ver=192 id=1365478173 received AUTHEN status = GETUSER

Jan 15 22:13:53.499: TAC+: send AUTHEN/CONT packet id=1365478173

Jan 15 22:13:53.503: TAC+: x.x.x.x (1365478173) AUTHEN/CONT queued

Jan 15 22:13:53.703: TAC+: (1365478173) AUTHEN/CONT processed

Jan 15 22:13:53.703: TAC+: ver=192 id=1365478173 received AUTHEN status = GETPASS

Jan 15 22:13:55.435: TAC+: send AUTHEN/CONT packet id=1365478173

Jan 15 22:13:55.435: TAC+: x.x.x.x (1365478173) AUTHEN/CONT queued

Jan 15 22:13:55.635: TAC+: (1365478173) AUTHEN/CONT processed

Jan 15 22:13:55.635: TAC+: ver=192 id=1365478173 received AUTHEN status = PASS

Jan 15 22:13:55.635: TAC+: Closing TCP/IP 0x62A8E470 connection to x.x.x.x/49

Jan 15 22:13:55.635: TAC+: using previously set server x.x.x.x from group tacacs+

Jan 15 22:13:55.635: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5

Jan 15 22:13:55.639: TAC+: Opened TCP/IP handle 0x62A8E8FC to x.x.x.x/49

Jan 15 22:13:55.639: TAC+: Opened x.x.x.x index=1

Jan 15 22:13:55.639: TAC+: x.x.x.x (305665778) AUTHOR/START queued

Jan 15 22:13:55.839: TAC+: (305665778) AUTHOR/START processed

Jan 15 22:13:55.839: TAC+: (305665778): received author response status = PASS_ADD

Jan 15 22:13:55.839: TAC+: Closing TCP/IP 0x62A8E8FC connection to x.x.x.x/49

Jan 15 22:13:55.839: TAC+: Received Attribute "priv-lvl=5"



4brown Thu, 01/16/2003 - 15:33
User Badges:

The IOS doesn't recognize the command because you are coming in at Privilege Level 5. If you don't want to use the Privilege Exec command, try this. Assign this group Privilege Level 15, and enforce authorization for priv 15:


aaa authorization commands 15 vty tacacs+

line vty 0 4

authorization commands 15 vty


Then, for this group, deny all the commands you want. sh run will be permitted since they are priv 15, but the commands you deny in the ACS will be denied.

rrcarter79 Fri, 01/17/2003 - 15:13
User Badges:


Actually I assigned the priv level 15 to the user.


router config:

aaa authorization commands 15 vty group tacacs+


line vty 0 4

exec-timeout 30 0

password 7 082C5F4B05180719171F

authorization commands 15 vty

authorization exec vty

login authentication vty


Then for the user I allow the command sho running-config. Since this is the only priv level 15 command the user can run, it shows the configuration.


So the commands don't have to be assigned to a different level. This process assigns the onyl commands the user can execute.


Understanding this now lets me customize the commands any user can execute. This is what I was wanting to do.


Thanks for the help! I have a much better understanding now.



rrcarter79 Fri, 01/17/2003 - 15:42
User Badges:

I spoke too soon.


I am not able to control the configuration commands.


For example letting a user only change description on a line.



4brown Fri, 01/17/2003 - 15:50
User Badges:

Command authorization for config mode commands needs to be permitted:


aaa authorization config-commands


If this is not enabled, once in config mode, no requests are sent to the AAA server.

rrcarter79 Fri, 01/17/2003 - 16:36
User Badges:


I've added aaa authorization config-commands to no avail.


I assume it will authorize config-commands against the command authorization set.


The only config-command that I have in the command authorization set is "location"



4brown Fri, 01/17/2003 - 16:58
User Badges:

Post debug aaa author showing it fail...

rrcarter79 Tue, 01/21/2003 - 08:57
User Badges:

Here is the login session and debug. I have allowed "config" with "permit term" and "location".


I don't want the user to access the interfaces or lines.




Login:

Unauthorized access is strictly prohibited!



User Access Verification


Username: username

Password:


LabrtrB#config t

Enter configuration commands, one per line. End with CNTL/Z.

LabrtrB(config)#line vty 0 4

LabrtrB(config-line)#ex

% Ambiguous command: "ex"

LabrtrB(config-line)#exit

LabrtrB(config)#

LabrtrB(config)#

LabrtrB(config)#end

LabrtrB#



Debug:

LabrtrB#debug aaa authorization

AAA Authorization debugging is on

LabrtrB#

Jan 21 11:51:02.300: AAA: parse name=tty3 idb type=-1 tty=-1

Jan 21 11:51:02.300: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0

Jan 21 11:51:02.300: AAA/MEMORY: create_user (0x629B4624) user='' ruser='' port='tty3' rem_addr='16.47.225.189' authen_type=ASCII service=LOGIN priv=1

Jan 21 11:51:11.960: tty3 AAA/AUTHOR/EXEC (559394384): Port='tty3' list='vty' service=EXEC

Jan 21 11:51:11.960: AAA/AUTHOR/EXEC: tty3 (559394384) user='username'

Jan 21 11:51:11.960: tty3 AAA/AUTHOR/EXEC (559394384): send AV service=shell

Jan 21 11:51:11.960: tty3 AAA/AUTHOR/EXEC (559394384): send AV cmd*

Jan 21 11:51:11.960: tty3 AAA/AUTHOR/EXEC (559394384): found list "vty"

Jan 21 11:51:11.960: tty3 AAA/AUTHOR/EXEC (559394384): Method=tacacs+ (tacacs+)

Jan 21 11:51:11.960: AAA/AUTHOR/TAC+: (559394384): user=username

Jan 21 11:51:11.960: AAA/AUTHOR/TAC+: (559394384): send AV service=shell

Jan 21 11:51:11.960: AAA/AUTHOR/TAC+: (559394384): send AV cmd*

Jan 21 11:51:12.164: AAA/AUTHOR (559394384): Post authorization status = PASS_ADD

Jan 21 11:51:12.164: AAA/AUTHOR/EXEC: Processing AV service=shell

Jan 21 11:51:12.164: AAA/AUTHOR/EXEC: Processing AV cmd*

Jan 21 11:51:12.164: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15

Jan 21 11:51:12.164: AAA/AUTHOR/EXEC: Authorization successful

Jan 21 11:51:15.188: tty3 AAA/AUTHOR/CMD (3225337257): Port='tty3' list='vty' service=CMD

Jan 21 11:51:15.188: AAA/AUTHOR/CMD: tty3 (3225337257) user='username'

Jan 21 11:51:15.192: tty3 AAA/AUTHOR/CMD (3225337257): send AV service=shell

Jan 21 11:51:15.192: tty3 AAA/AUTHOR/CMD (3225337257): send AV cmd=configure

Jan 21 11:51:15.192: tty3 AAA/AUTHOR/CMD (3225337257): send AV cmd-arg=terminal

Jan 21 11:51:15.192: tty3 AAA/AUTHOR/CMD (3225337257): send AV cmd-arg=

Jan 21 11:51:15.192: tty3 AAA/AUTHOR/CMD (3225337257): found list "vty"

Jan 21 11:51:15.192: tty3 AAA/AUTHOR/CMD (3225337257): Method=tacacs+ (tacacs+)

Jan 21 11:51:15.192: AAA/AUTHOR/TAC+: (3225337257): user=username

Jan 21 11:51:15.192: AAA/AUTHOR/TAC+: (3225337257): send AV service=shell

Jan 21 11:51:15.192: AAA/AUTHOR/TAC+: (3225337257): send AV cmd=configure

Jan 21 11:51:15.192: AAA/AUTHOR/TAC+: (3225337257): send AV cmd-arg=terminal

Jan 21 11:51:15.192: AAA/AUTHOR/TAC+: (3225337257): send AV cmd-arg=

Jan 21 11:51:15.392: AAA/AUTHOR (3225337257): Post authorization status = PASS_ADD

Jan 21 11:51:20.420: AAA/AUTHOR: config command authorization not enabled

Jan 21 11:51:26.816: AAA/AUTHOR: config command authorization not enabled

Jan 21 11:51:32.408: AAA/AUTHOR: config command authorization not enabled

Jan 21 11:51:32.408: %SYS-5-CONFIG_I: Configured from console by username on vty1 (16.47.225.189)

Jan 21 11:51:42.128: %SYS-4-SNMP_WRITENET: SNMP WriteNet request. Writing current configuration to 16.22.4.5un all


Jan 21 11:51:48.048: tty2 AAA/AUTHOR/CMD (1731012520): Port='tty2' list='vty' service=CMD

Jan 21 11:51:48.048: AAA/AUTHOR/CMD: tty2 (1731012520) user='admin'

Jan 21 11:51:48.048: tty2 AAA/AUTHOR/CMD (1731012520): send AV service=shell

Jan 21 11:51:48.048: tty2 AAA/AUTHOR/CMD (1731012520): send AV cmd=undebug

Jan 21 11:51:48.048: tty2 AAA/AUTHOR/CMD (1731012520): send AV cmd-arg=all

Jan 21 11:51:48.048: tty2 AAA/AUTHOR/CMD (1731012520): send AV cmd-arg=

Jan 21 11:51:48.048: tty2 AAA/AUTHOR/CMD (1731012520): found list "vty"

Jan 21 11:51:48.048: tty2 AAA/AUTHOR/CMD (1731012520): Method=tacacs+ (tacacs+)

Jan 21 11:51:48.048: AAA/AUTHOR/TAC+: (1731012520): user=admin

All possible debugging has been turned off

LabrtrB#

Jan 21 11:51:48.048: AAA/AUTHOR/TAC+: (1731012520): send AV service=shell

Jan 21 11:51:48.048: AAA/AUTHOR/TAC+: (1731012520): send AV cmd=undebug

Jan 21 11:51:48.048: AAA/AUTHOR/TAC+: (1731012520): send AV cmd-arg=all

Jan 21 11:51:48.048: AAA/AUTHOR/TAC+: (1731012520): send AV cmd-arg=

Jan 21 11:51:48.252: AAA/AUTHOR (1731012520): Post authorization status = PASS_ADD

4brown Tue, 01/21/2003 - 09:17
User Badges:

You need to have config-command authorization as specified in the previous post so it sends commands in config mode to the aaa server for approval. Note in your post, config command authorization is not configured.


Once it is, it will send each command in config mode to be permitted or denied to the AAA server. So if you want to deny access to line or interfaces, then specify these commands denied in the server.


When you enable it, look at your debug aaa authorization, you should see if the command is allowed or denied in the authorization status. That tells you if you have configuration issues in the AAA server.

rrcarter79 Tue, 01/21/2003 - 11:00
User Badges:

- config - session - debug


allows "line vty 0 4"



aaa new-model

aaa authentication login vty group tacacs+ local

aaa authentication login console line

aaa authentication enable default group tacacs+ enable

aaa authorization config-commands

aaa authorization exec vty group tacacs+ local

aaa authorization exec console local

aaa authorization commands 5 vty group tacacs+

aaa authorization commands 15 vty group tacacs+

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+




Unauthorized access is strictly prohibited!


Username: username

Password:


LabrtrB#config t

Enter configuration commands, one per line. End with CNTL/Z.

LabrtrB(config)#line vty 0 4

LabrtrB(config-line)#end

LabrtrB#quit




LabrtrB#debug aaa authorization

AAA Authorization debugging is on

LabrtrB#

Jan 21 13:47:34.842: AAA: parse name=tty3 idb type=-1 tty=-1

Jan 21 13:47:34.842: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0

Jan 21 13:47:34.842: AAA/MEMORY: create_user (0x629C5BEC) user='' ruser='' port='tty3' rem_addr='16.47.207.61' authen_type=ASCII service=LOGIN priv=1

Jan 21 13:47:38.362: tty3 AAA/AUTHOR/EXEC (1080771678): Port='tty3' list='vty' service=EXEC

Jan 21 13:47:38.362: AAA/AUTHOR/EXEC: tty3 (1080771678) user='username'

Jan 21 13:47:38.362: tty3 AAA/AUTHOR/EXEC (1080771678): send AV service=shell

Jan 21 13:47:38.362: tty3 AAA/AUTHOR/EXEC (1080771678): send AV cmd*

Jan 21 13:47:38.362: tty3 AAA/AUTHOR/EXEC (1080771678): found list "vty"

Jan 21 13:47:38.362: tty3 AAA/AUTHOR/EXEC (1080771678): Method=tacacs+ (tacacs+)

Jan 21 13:47:38.362: AAA/AUTHOR/TAC+: (1080771678): user=username

Jan 21 13:47:38.362: AAA/AUTHOR/TAC+: (1080771678): send AV service=shell

Jan 21 13:47:38.362: AAA/AUTHOR/TAC+: (1080771678): send AV cmd*

Jan 21 13:47:38.566: AAA/AUTHOR (1080771678): Post authorization status = PASS_ADD

Jan 21 13:47:38.566: AAA/AUTHOR/EXEC: Processing AV service=shell

Jan 21 13:47:38.566: AAA/AUTHOR/EXEC: Processing AV cmd*

Jan 21 13:47:38.566: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15

Jan 21 13:47:38.566: AAA/AUTHOR/EXEC: Authorization successful

Jan 21 13:47:40.790: tty3 AAA/AUTHOR/CMD (1219681448): Port='tty3' list='vty' service=CMD

Jan 21 13:47:40.790: AAA/AUTHOR/CMD: tty3 (1219681448) user='username'

Jan 21 13:47:40.790: tty3 AAA/AUTHOR/CMD (1219681448): send AV service=shell

Jan 21 13:47:40.790: tty3 AAA/AUTHOR/CMD (1219681448): send AV cmd=configure

Jan 21 13:47:40.790: tty3 AAA/AUTHOR/CMD (1219681448): send AV cmd-arg=terminal

Jan 21 13:47:40.790: tty3 AAA/AUTHOR/CMD (1219681448): send AV cmd-arg=

Jan 21 13:47:40.790: tty3 AAA/AUTHOR/CMD (1219681448): found list "vty"

Jan 21 13:47:40.790: tty3 AAA/AUTHOR/CMD (1219681448): Method=tacacs+ (tacacs+)

Jan 21 13:47:40.790: AAA/AUTHOR/TAC+: (1219681448): user=username

Jan 21 13:47:40.790: AAA/AUTHOR/TAC+: (1219681448): send AV service=shell

Jan 21 13:47:40.790: AAA/AUTHOR/TAC+: (1219681448): send AV cmd=configure

Jan 21 13:47:40.790: AAA/AUTHOR/TAC+: (1219681448): send AV cmd-arg=terminal

Jan 21 13:47:40.790: AAA/AUTHOR/TAC+: (1219681448): send AV cmd-arg=

Jan 21 13:47:40.994: AAA/AUTHOR (1219681448): Post authorization status = PASS_ADD

Jan 21 13:47:45.006: AAA: parse name=tty4 idb type=-1 tty=-1

Jan 21 13:47:45.006: AAA: name=tty4 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=4 channel=0

Jan 21 13:47:45.006: AAA/MEMORY: create_user (0x62AAF52C) user='' ruser='' port='tty4' rem_addr='x.x.x.x' authen_type=ASCII service=LOGIN priv=1

Jan 21 13:47:45.606: AAA/MEMORY: free_user (0x62AAF52C) user='' ruser='' port='tty4' rem_addr='x.x.x.x' authen_type=ASCII service=LOGIN priv=1

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): Port='tty3' list='vty' service=CMD

Jan 21 13:47:47.490: AAA/AUTHOR/CMD: tty3 (1403778660) user='username'

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): send AV service=shell

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): send AV cmd=line

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): send AV cmd-arg=vty

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): send AV cmd-arg=0

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): send AV cmd-arg=4

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): send AV cmd-arg=

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): found list "vty"

Jan 21 13:47:47.490: tty3 AAA/AUTHOR/CMD (1403778660): Method=tacacs+ (tacacs+)

Jan 21 13:47:47.490: AAA/AUTHOR/TAC+: (1403778660): user=username

Jan 21 13:47:47.490: AAA/AUTHOR/TAC+: (1403778660): send AV service=shell

Jan 21 13:47:47.494: AAA/AUTHOR/TAC+: (1403778660): send AV cmd=line

Jan 21 13:47:47.494: AAA/AUTHOR/TAC+: (1403778660): send AV cmd-arg=vty

Jan 21 13:47:47.494: AAA/AUTHOR/TAC+: (1403778660): send AV cmd-arg=0

Jan 21 13:47:47.494: AAA/AUTHOR/TAC+: (1403778660): send AV cmd-arg=4

Jan 21 13:47:47.494: AAA/AUTHOR/TAC+: (1403778660): send AV cmd-arg=

Jan 21 13:47:47.694: AAA/AUTHOR (1403778660): Post authorization status = PASS_ADD

Jan 21 13:48:09.890: %SYS-5-CONFIG_I: Configured from console by username on vty1 (x.x.x.x)



4brown Tue, 01/21/2003 - 11:06
User Badges:

Note, the output shows the TAC+ server allowing the commands. Did you explicitly deny them? If so, check your configuration. I have never did this in CSNT but this is where the issue lies.



rrcarter79 Thu, 01/23/2003 - 10:39
User Badges:

I configured the commands that I want the users to be able to execute. I checked the box that deny and unmatched commands.


Commands allowed:

config - permit term

help

traceroute

ping

show

location

logout



4brown Sun, 01/26/2003 - 15:47
User Badges:

Just tested in the lab, worked fine.


I created a SCAS permitting the commands you want to permit. Unmatched commands was checked and the Permit Unmatched Arguments was not selected. The SCAS was assigned to the group.


For the location command, enter location as the command and whatever you argument you wish to permit, eg. , permit NMS.


The only difference, is I did not use a list for the vty ports, I used default. Here is my config:


aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization config-commands

aaa authorization exec default group tacacs+ local if-authenticated

aaa authorization commands 15 default group tacacs+ local if-authenticated

rbradfield Mon, 02/03/2003 - 22:12
User Badges:

I want to do something similar to what you are doing, i want to have two groups in ACS, one that has a number of users that have full access to routers and, another group that can only do a show log, version and interfaces

After messing around for some time I came here and saw that I am not alone!


Can you post the working router config


I'll buy you a cold one next time you are in Ozz

regards Richard.

4brown Tue, 02/04/2003 - 07:14
User Badges:

Hi Richard,


Assuming you already have configured your device or devices in the ACS properly, here is my recommendation:


aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication login NO_AUTHEN none

aaa authorization exec default group tacacs+ local if-authenticated

aaa authorization exec NO_AUTHOR none

aaa authorization commands 15 default group tacacs+ local if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 NO_AUTHOR none

username backdoor privilege 15 password

line con 0

authorization commands 15 NO_AUTHOR

authorization exec NO_AUTHOR

login authentication NO_AUTHEN



This provides you a mechanism to login with the local account if the connection to the ACS goes down or you receive an error. It also disables AAA on the console port, but that is subject to your requirements.


For the group you want to have full access, assign privilege level 15 and under Shell Command Authorization Set, click Per Group Command Authorization, Permit unmatched commands and arguments.


For the group you only want to permit the three show commands, assign privilege level 1. Under SCAS, select Per Group Command Authorization,

Deny unmatched commands and arguments. Then click command and in the block type show, then below:


permit log

permit version

permit interface


I'll hold you to that beer if I am ever in Ozz. ;-)





Actions

This Discussion