01-29-2003 07:03 AM - edited 03-10-2019 07:07 AM
I have CiscoSecure ACS v3.0 with 3 groups set up on it...
I want to give one of my groups ReadOnly access to all the routers. What I want to do is stop them from using the "Config T" command ONLY...
If they can't use that command they can't change anything, but they can still look around....
Any ideas how I can do this...
Thanks
Rajeev
01-29-2003 09:06 AM
Configure your higher-level group that is allowed to access config mode with privilege level 15. Then turn on command authorization for privilege level 15 users. It is a good idea to create a local account with privilege level 15 as a backup in case there is a connection issue between CS and the devices.
! enable the AAA subsystem
aaa new-model
! login authentication: ask TACACS+ first, fall back to the local database
aaa authentication login default tacacs+ local
! exec authorization (which privilege level the user lands in)
aaa authorization exec default tacacs+ local if-authenticated
! per-command authorization for every privilege level 15 command
aaa authorization commands 15 default tacacs+ local if-authenticated
! local fallback account, used only when the TACACS+ server is unreachable
username foo privilege 15 password bar
Since config is a privilege level 15 command by default, all groups without this privilege will not be allowed this command. The group you assign priv 15 to will be taken into config mode by default as part of exec authorization.
If your connection to CSNT goes down or you receive an ERROR during negotiation for issues like a mismatched key, then you will go to the local account.
01-29-2003 01:51 PM
Thanks for the info.
After trying a few things, I was still having problems... but I was able to get all of it working...
If possible...
Right now I have given ReadOnly users privilege 15, and under "Shell Command Authorization Set" I could only get it to work with "Per Group Command Authorization" and Permit "Unmatched Cisco IOS commands"; then under command I put "configure" with unlisted arguments as Deny. I did the same for "copy" and "write", and now the users can't do "Config T" or "copy ..." or "write" commands....
What I want to do is put all of these commands in a group, and then apply them to this group.
Thanks again for all the help...
-Rajeev
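The authorization set described in the last post (permit unmatched commands, deny "configure", "copy" and "write") and the per-command authorization it relies on from the earlier reply can be checked offline before touching ACS. The following Python is an added example written for this thread, not ACS or Cisco code: it emulates how a "Shell Command Authorization Set" is evaluated (first word matched against the listed commands, then the argument string against that command's permit/deny lines in order, then the "unlisted arguments" and "unmatched commands" defaults) and runs both the thread's deny-list set and an assumed default-deny allow-list over a constructed list of command lines. It assumes the router sends the fully expanded command (IOS expands "conf t" to "configure terminal" before the authorization request), and the regex patterns and the read-only rule set are assumptions for illustration.

```python
"""Emulation of a CiscoSecure ACS shell command authorization set (added example).

Stand-alone model of the matching order ACS applies to a TACACS+ command
authorization request.  Not ACS code; the rule sets and sample commands
below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

PERMIT, DENY = "permit", "deny"


@dataclass
class CommandRule:
    """One listed command: ordered (action, argument regex) lines, plus the
    action applied to an argument string that matches none of them."""
    arg_lines: list = field(default_factory=list)   # [(action, regex), ...]
    unlisted_args: str = DENY


@dataclass
class CommandAuthSet:
    rules: dict = field(default_factory=dict)       # command name -> CommandRule
    unmatched_commands: str = DENY                  # action when the command is not listed

    def authorize(self, line: str) -> bool:
        """Return True if the set permits the (already expanded) command line."""
        words = line.split()
        if not words:
            return False
        cmd, args = words[0], " ".join(words[1:])
        rule = self.rules.get(cmd)
        if rule is None:                            # command not listed at all
            return self.unmatched_commands == PERMIT
        for action, pattern in rule.arg_lines:      # first matching line wins
            if re.search(pattern, args):
                return action == PERMIT
        return rule.unlisted_args == PERMIT         # no argument line matched


# Set 1: the deny-list from the thread.  Unmatched commands are permitted;
# configure, copy and write are listed with every argument string denied.
DENY_LIST_SET = CommandAuthSet(
    rules={
        "configure": CommandRule(unlisted_args=DENY),
        "copy": CommandRule(unlisted_args=DENY),
        "write": CommandRule(unlisted_args=DENY),
    },
    unmatched_commands=PERMIT,
)

# Set 2: an assumed default-deny allow-list for a read-only group (not from
# the thread).  Only the listed commands pass; "show" is permitted for all
# arguments except the running and startup configuration.
READ_ONLY_SET = CommandAuthSet(
    rules={
        "show": CommandRule(
            arg_lines=[(DENY, r"^(running|startup)-config")],
            unlisted_args=PERMIT,
        ),
        "terminal": CommandRule(unlisted_args=PERMIT),
        "ping": CommandRule(unlisted_args=PERMIT),
        "traceroute": CommandRule(unlisted_args=PERMIT),
        "exit": CommandRule(unlisted_args=PERMIT),
        "logout": CommandRule(unlisted_args=PERMIT),
    },
    unmatched_commands=DENY,
)

# Constructed sample of expanded command lines as the router would send them.
SAMPLE_COMMANDS = [
    "configure terminal",
    "copy running-config startup-config",
    "write memory",
    "show ip interface brief",
    "show running-config",
    "reload",
    "debug ip packet",
]


def evaluate(auth_set: CommandAuthSet, commands=SAMPLE_COMMANDS) -> dict:
    """Map each command line to the set's permit (True) / deny (False) verdict."""
    return {c: auth_set.authorize(c) for c in commands}


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(f"{cmd:38} deny-list={DENY_LIST_SET.authorize(cmd)!s:5} "
              f"allow-list={READ_ONLY_SET.authorize(cmd)!s:5}")
```

Running it shows the gap in the deny-list approach: "reload" and "debug ip packet" are still permitted for the ReadOnly group because every command not listed falls through to Permit. Listing the commands the group may run and denying everything unmatched, as in the second set, is the safer shape for a read-only policy.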