Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2016
Views
3
Helpful
2
Replies

Deny access to Commands.

rajeev.gupta
Level 1
Level 1

‎01-29-2003 07:03 AM - edited ‎03-10-2019 07:07 AM

I have CiscoSecure ACS v3.0, I have 3 groups setup on it...

I want to give one of my groups ReadOnly Access to all the routers. What I want to do is stop them from using "Config T" command ONLY...

If they can't use that command they cann't change any thing, but still be able to look around....

Any ideas how can I do this...

Thanks

Rajeev

Labels:
0 Helpful
2 Replies 2

4brown
Level 1
Level 1

‎01-29-2003 09:06 AM

Configure your higher level group that is allowed to access config mode with privilege level 15. Then turn on command authorization for privilege level 15 users. It is a good idea to create a local account with privilege level 15 as a backup in case there is a connection issue between CS and the devices.

aaa new-model

aaa authentication login default tacacs+ local

aaa authorization exec default tacacs+ local if-authenticated

aaa authorization commands 15 default tacacs+ local if-authenticated

username foo privilege 15 password bar

Since config is a privilege level 15 command by default, all groups without this privilege will not be allowed this command. The group you assign priv 15 to will be taken into config mode by default as part of exec authorization.

If your connection CSNT goes down or you receive an ERROR during negotiation for issues like a mismatched key, then you will go to the local account.

rajeev.gupta
Level 1
Level 1
In response to 4brown

‎01-29-2003 01:51 PM

Thanks for the info.

After trying few things, I was still having problems... but was able to get all of it working...

If possible...

right now I have given ReadOnly users privilege 15, and under "Shell Command Authorization Set" I could only get it to work with "Per Group Command Authorization" and Permit "Unmatched Cisco IOS commands" then under command I put "configure" w/ unlisted arguments as Deny. I did the same for "Copy" and "write" now the users can't do "Config T" or "copy ..." or "write" commands....

What I want to do is put all of these commands in a group, and then apply them to this group.

Thanks again for all the help...

-Rajeev

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents