Deny access to Commands.

Jan 29th, 2003

I have CiscoSecure ACS v3.0, I have 3 groups set up on it...


I want to give one of my groups ReadOnly Access to all the routers. What I want to do is stop them from using "Config T" command ONLY...


If they can't use that command they can't change anything, but still be able to look around....


Any ideas how I can do this...


Thanks

Rajeev


4brown Wed, 01/29/2003 - 09:06

Configure your higher level group that is allowed to access config mode with privilege level 15. Then turn on command authorization for privilege level 15 users. It is a good idea to create a local account with privilege level 15 as a backup in case there is a connection issue between CS and the devices.


! Enable AAA and authenticate logins against TACACS+, falling back to the local database
aaa new-model
aaa authentication login default tacacs+ local
! Exec authorization: a priv-15 group is dropped straight into enable mode
aaa authorization exec default tacacs+ local if-authenticated
! Send every privilege-15 command to TACACS+ for per-command authorization
aaa authorization commands 15 default tacacs+ local if-authenticated
! Local priv-15 backup account in case the ACS connection fails
username foo privilege 15 password bar


Since config is a privilege level 15 command by default, all groups without this privilege will not be allowed this command. The group you assign priv 15 to will be taken into config mode by default as part of exec authorization.


If your connection to CSNT goes down or you receive an ERROR during negotiation for issues like a mismatched key, then you will go to the local account.





rajeev.gupta Wed, 01/29/2003 - 13:51

Thanks for the info.


After trying a few things, I was still having problems... but was able to get all of it working...


If possible...

Right now I have given ReadOnly users privilege 15, and under "Shell Command Authorization Set" I could only get it to work with "Per Group Command Authorization" and Permit "Unmatched Cisco IOS commands"; then under command I put "configure" with unlisted arguments as Deny. I did the same for "copy" and "write". Now the users can't do "Config T" or "copy ..." or "write" commands....


What I want to do is put all of these commands in a group, and then apply them to this group.


Thanks again for all the help...

-Rajeev
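The per-group set Rajeev describes (permit unmatched commands, deny "configure", "copy" and "write" with unlisted arguments) as a small Python model of how ACS answers the per-command authorization requests that the `aaa authorization commands 15` line sends; this is an added example, not ACS or IOS code. The dictionary shape, the assumption that IOS sends the fully expanded command line, and the per-argument permit/deny rules an ACS set can also carry are mine.

```python
import re

# Simplified model of an ACS "Shell Command Authorization Set" (assumption:
# mirrors the set described in the thread, not ACS's real data structure).
# Each command maps to ordered (regex, verdict) argument rules plus the
# verdict for arguments that match no rule ("unlisted arguments").
READ_ONLY_SET = {
    "configure": {"args": [], "unlisted": "deny"},
    "copy":      {"args": [], "unlisted": "deny"},
    "write":     {"args": [], "unlisted": "deny"},
}
UNMATCHED_COMMANDS = "permit"   # "Permit Unmatched Cisco IOS commands"


def authorize(cmdline, command_set=READ_ONLY_SET, unmatched=UNMATCHED_COMMANDS):
    """Return 'permit' or 'deny' for one privilege-15 command line.

    Assumes the command word arrives fully expanded ("configure", not
    "conf"), which is what the IOS parser resolves before it sends the
    TACACS+ authorization request.
    """
    tokens = cmdline.split()
    if not tokens:
        return "deny"
    cmd, args = tokens[0], " ".join(tokens[1:])
    # Commands absent from the set take the set-wide default, so a
    # deny-list like this one only ever blocks what it names.
    if cmd not in command_set:
        return unmatched
    entry = command_set[cmd]
    # Argument rules are checked in order; the first match decides.
    for pattern, verdict in entry["args"]:
        if re.search(pattern, args):
            return verdict
    return entry["unlisted"]


def evaluate_session(cmdlines, command_set=READ_ONLY_SET):
    """Verdict for each command of a constructed session, keyed by line."""
    return {line: authorize(line, command_set) for line in cmdlines}


if __name__ == "__main__":
    # Constructed sample session for a ReadOnly user at privilege 15.
    for line, verdict in evaluate_session([
        "configure terminal", "copy running-config startup-config",
        "write memory", "show running-config", "reload",
    ]).items():
        print(f"{verdict:6s} {line}")
```

Because unmatched commands are permitted, anything the set does not name (the sample's "reload", for instance) is still allowed for this priv-15 group, so the list of denied commands has to be maintained deliberately.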
