I wonder if you guys can help with something I'm trying out.
We are using CiscoSecure 3.2. At the moment all users with ACS accounts have full access to the routers/switches once they have authenticated. But we have a group of users who could do some simple stuff for us (I'm thinking of allowing them to change speed/duplex and vlans on fe interfaces on edge switches.) But I would rather they didn't have full access for obvious reasons!
So I have created a Shell Command Authorisation Set with a command of show and an argument of permit version (I'll move on to the more complex commands once I've mastered this one!) and denied unmatched commands. Within the group to which my test user belongs I have assigned my command set.
I don't think I've gone too far wrong here. But, what config do I need to apply to the network devices? At the moment while I am able to authenticate with my test user they have full and complete access once authenticated.
I've added this line:
aaa authorization commands 15 RepAccess <my command set> if-authenticated
Where am I going wrong? Any pointers gratefully received.
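For reference, here is an added example (not the poster's configuration) of the IOS-side AAA commands that pair with a Shell Command Authorization Set on ACS. The TACACS+ server address and shared secret are placeholders. The Shell Command Authorization Set itself is never named on the router: the router only asks the TACACS+ server (group tacacs+) whether each command is permitted, and ACS picks the command set from the group the authenticated user belongs to. Because show version is a privilege level 1 command, authorization has to be enabled for level 1 commands as well as level 15, and a named method list (anything other than default) has to be applied to the vty lines explicitly.

```cisco
! Added example, not from the original post. Placeholders: 192.0.2.10 and MySharedSecret.
aaa new-model
tacacs-server host 192.0.2.10 key MySharedSecret
!
! Authenticate logins against ACS, falling back to local accounts only if ACS is unreachable
aaa authentication login default group tacacs+ local
!
! Ask ACS which privilege level the user gets on login
aaa authorization exec default group tacacs+ if-authenticated
!
! Have ACS authorize every command at level 1 and level 15.
! The command set is selected on the ACS side by the user's group; it is not named here.
aaa authorization commands 1 RepAccess group tacacs+ if-authenticated
aaa authorization commands 15 RepAccess group tacacs+ if-authenticated
!
! Also send configuration-mode commands (interface speed/duplex, vlan) to ACS for authorization
aaa authorization config-commands
!
! Record each command so that what the restricted users actually do can be audited
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! A named list must be applied to the lines; only a list called "default" is applied automatically
line vty 0 4
 authorization commands 1 RepAccess
 authorization commands 15 RepAccess
```

Two things worth checking with this in place. First, with ACS 3.2 the per-group command set only takes effect if the group's Shell Command Authorization Set option is set to the named set (rather than "None" or "Per Group Command Authorization" left empty) and the user's group is the one you edited. Second, if-authenticated is a fallback method: it means that when the TACACS+ server does not answer, any authenticated user is allowed to run any command. That is convenient for not being locked out during an ACS outage, but it also means the restriction disappears whenever the server is unreachable, so watch the accounting records and consider whether a local fallback better matches the risk you are trying to contain.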