trackme Wed, 01/25/2006 - 00:56

All you want to do is create a profile for those users whom you want to deny in your TACACS server. In that profile:

cmd = configure {
    deny " terminal"
}


Also make sure that you configure the routers/switches to do command-level authorisation, so that they will look up the user on the TACACS server and deny that command as your TACACS server denies it.


For more information and reading, refer to this link.

http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_tech_note09186a0080107cfd.shtml


lstrauch Wed, 02/22/2006 - 09:09

Hi,


I need to do a very similar thing on Windows ACS 3.6. I need users to be able to modify Ethernet interfaces (shut and unshut) but nothing else.


Any help appreciated.

trackme Thu, 02/23/2006 - 00:42

You can do this; just create a group called users or whatever you want.


In that configuration window, ensure that, except for the allowed commands, others are denied.


Then in the command box, add the following:

clear
configure
interface
shutdown
no


Now for each corresponding command, just add the commands you want to allow. For example, for the command clear, allow only counters, so that only clear counters will work and nothing else will.


Similarly, under configure, allow only terminal, so that only conf t works.


For interface, allow all unmatched arguments; select that. This way a user can connect to change all interfaces like Fast Ethernet or serial or giga, else you need to specify them to further restrict.


Finally, you need to allow the wr mem command to allow them to save the config in case you want, else leave that as well :)
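
A simplified model of the command set described in the post above, added here as an illustration; it is not part of the thread and not ACS code. The matching logic, the argument rule chosen for `no`, and the sample command lines are assumptions. It compares limiting `no` to `shutdown` with giving `no` all unmatched arguments.

```python
# Simplified model of a TACACS+ shell command authorization set (added example).
# Assumptions: the device sends commands fully expanded ("conf t" arrives as
# "configure terminal"); argument rules are checked in order, first match wins.

def make_set(no_unmatched_args):
    """Build the command set from the post; unmatched commands are denied."""
    return {
        # command: (ordered argument rules, permit-unmatched-arguments flag)
        "clear":     ([("permit", "counters")], False),
        "configure": ([("permit", "terminal")], False),
        "interface": ([], True),   # any interface type/number
        "shutdown":  ([], True),   # assumption: issued without arguments
        "write":     ([("permit", "memory")], False),
        # assumption: the post does not say which arguments "no" gets
        "no":        ([("permit", "shutdown")], no_unmatched_args),
    }

def authorize(line, command_set):
    """Return True if the command line would be permitted by command_set."""
    parts = line.split(None, 1)
    if not parts:
        return False
    cmd = parts[0]
    args = parts[1].strip() if len(parts) > 1 else ""
    if cmd not in command_set:
        return False                       # unmatched command: deny
    rules, permit_unmatched = command_set[cmd]
    for action, text in rules:
        if args == text or args.startswith(text + " "):
            return action == "permit"
    return permit_unmatched

def audit(lines, command_set):
    """Map each sample line to PERMIT or DENY."""
    return {l: "PERMIT" if authorize(l, command_set) else "DENY" for l in lines}

# Constructed sample command lines, not captured from a real device.
SAMPLES = ["configure terminal", "interface FastEthernet0/1", "shutdown",
           "no shutdown", "clear counters", "write memory", "clear line 1",
           "configure memory", "no ip address", "write erase", "reload"]

STRICT = make_set(no_unmatched_args=False)  # "no" limited to "shutdown"
LOOSE = make_set(no_unmatched_args=True)    # "no" with all unmatched args

if __name__ == "__main__":
    strict, loose = audit(SAMPLES, STRICT), audit(SAMPLES, LOOSE)
    for line in SAMPLES:
        print(f"{line:28} strict={strict[line]:6} loose={loose[line]}")
```

In this model the two sets differ only on `no ip address`, which the loose set permits.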

schmidta Tue, 02/28/2006 - 00:26


Hi,


Must there be any other settings for the user or group, like privilege level, in the sections TACACS+ Enable Control or TACACS+ Settings (shell (exec)?, what privilege level?)
