deny "configure terminal" with exec and acs3.1 tacacs

o_z_l_e_m
Level 1

Hi,

I want to deny "configure terminal" command for some of my users, how can I do that with ACS3.1 and "aaa" ?

thanks

Ozlem

4 Replies

trackme
Level 1

All you want to do is create a profile for those users whom you want to deny in your TACACS server. In that profile:

cmd = configure {
    deny " terminal"
}

Also make sure that you configure the routers/switches to do command-level authorisation, so that they will look up the user on the TACACS server and deny that command as your TACACS denies it.

For more information and reading, refer to this link.

http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_tech_note09186a0080107cfd.shtml

lstrauch
Level 1

Hi,

I need to do a very similar thing on Windows ACS 3.6. I need users to be able to modify Ethernet interfaces (shut and unshut) but nothing else.

Any help appreciated.

You can do this; just create a group called users or whatever you want.

In that configuration window, ensure that, except for the allowed commands, others are denied.

Then in the command box add the following:

clear
configure
interface
shutdown
no

Now, for each corresponding command, just add the arguments you want to allow. For example, for the command clear, allow only counters, so that only clear counters will work and nothing else will.

Similarly, under configure, allow only terminal, so that only conf t works.

For interface, select "allow all unmatched arguments". This way a user can connect to change all interfaces like Fast Ethernet, serial or gigabit; else you need to specify them to restrict further.

Finally, you need to allow the wr mem command to let them save the config in case you want that; else leave that out as well :)
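A simplified model of the per-command permit/deny evaluation that both replies describe, as an added example that is not part of the original thread and is not Cisco's code. Prefix matching on arguments, first-match ordering, and the argument settings chosen for `shutdown` and `no` are assumptions; commands must be given fully spelled out (abbreviations such as `conf t` are not expanded here).

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    # Ordered (action, argument-prefix) entries; first match wins (assumed).
    args: list = field(default_factory=list)
    permit_unmatched_args: bool = False

@dataclass
class CommandSet:
    rules: dict
    permit_unmatched_commands: bool = False

    def authorize(self, line: str) -> bool:
        """Return True if the fully spelled-out command line is permitted."""
        words = line.lower().split()
        if not words:
            return False
        cmd, arg_str = words[0], " ".join(words[1:])
        rule = self.rules.get(cmd)
        if rule is None:
            return self.permit_unmatched_commands
        for action, prefix in rule.args:
            if arg_str == prefix or arg_str.startswith(prefix + " "):
                return action == "permit"
        return rule.permit_unmatched_args

# Constructed policy: interface operators, following the second reply.
INTERFACE_OPERATORS = CommandSet(rules={
    "clear": Rule(args=[("permit", "counters")]),
    "configure": Rule(args=[("permit", "terminal")]),
    "interface": Rule(permit_unmatched_args=True),
    "shutdown": Rule(permit_unmatched_args=True),  # assumption: bare "shutdown"
    "no": Rule(args=[("permit", "shutdown")]),     # assumption: only "no shutdown"
})

# Constructed policy: everything allowed except "configure terminal" (first reply).
NO_CONFIG_MODE = CommandSet(
    rules={"configure": Rule(args=[("deny", "terminal")], permit_unmatched_args=True)},
    permit_unmatched_commands=True,
)

def audit(policy, lines):
    """Map each command line to 'PERMIT' or 'DENY' under the given policy."""
    return {l: "PERMIT" if policy.authorize(l) else "DENY" for l in lines}

if __name__ == "__main__":
    sample = ["configure terminal", "no shutdown", "no ip routing", "write memory"]
    for cmd, verdict in audit(INTERFACE_OPERATORS, sample).items():
        print(f"{verdict:6} {cmd}")
```

Running a list of expected operator commands through `audit` before rollout shows gaps such as `write memory` being denied until it is added to the set.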

Hi,

Must there be any other settings for the user or group, like privilege level, in the sections

TACACS+ Enable Control or

TACACS+ Settings ( shell (exec) ?, what privilege level?)
