07-23-2008 06:09 PM - edited 03-10-2019 03:59 PM
I'm configuring several switches and routers for TACACS with ACS SE. I have a need to do three levels of access, the groups are as follows:
1. Normal read-only access.
2. Full access with the exception of config t.
3. Full access.
What would be the best way to achieve this goal? I can see that if I create Shell Command Authorization sets on the ACS, I can configure one for group 1 and one for group 3. But will I be able to for group 2? Is there a way to allow all, but explicitly block one command? Following this page: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml leads me to believe that the capability may exist, but I have no way to confirm at the moment.
07-24-2008 05:45 AM
Please see the attachment.
After the implementation the user will be able to do everything except config t.
Regards,
~JG
Do rate helpful post
07-24-2008 04:46 AM
With command authorization you can control every single command that a user should be allowed to run. It covers all modes: enable, user and config mode.
I will post the screen shot shortly.
Regards,
~JG
07-24-2008 08:49 AM
Quick follow-up question, what configuration is required on the switch/router for that functionality?
07-24-2008 09:15 AM
Here is the config required for setting up aaa authentication and authorization.
Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
All the best !
Regards,
~JG
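The thread's answer hinges on how a Shell Command Authorization set decides a command: an ordered list of permit/deny rules plus a default for commands that match no rule. The script below is an added example written for this page; it is not code from the thread or from ACS itself. It models the three groups from the question as such sets and evaluates sample commands against them. The rule names, the group names, the "unmatched" default field and the prefix-style matching (so that an abbreviated "conf t" is treated like "configure terminal") are assumptions made here so the example runs offline.

```python
"""Model of TACACS+ shell command authorization sets for the three groups.

Added example for illustration; not the thread's own code and not ACS's
implementation. Rule names and the prefix-matching rule are assumptions
made here so the example runs offline.
"""
from dataclasses import dataclass
from typing import List, Tuple


def _matches(entered: List[str], pattern: List[str]) -> bool:
    """True if every word of `pattern` is matched, in order, by the entered
    words. Each entered word may be an IOS-style abbreviation (a prefix) of
    the pattern word, so "conf t" matches "configure terminal" (assumption
    of this model). Extra trailing words on the entered command are allowed
    so that arguments such as "show ip route" still match a "show" rule."""
    if len(entered) < len(pattern):
        return False
    return all(p.startswith(w) for w, p in zip(entered, pattern))


@dataclass
class CommandSet:
    """One authorization set: ordered (action, command) rules plus the
    action taken when no rule matches (a 'permit unmatched' vs
    'deny unmatched' style default)."""
    name: str
    rules: List[Tuple[str, str]]
    unmatched: str = "deny"

    def authorize(self, cmdline: str) -> bool:
        """First matching rule wins; otherwise the unmatched default applies."""
        words = cmdline.strip().lower().split()
        for action, pattern in self.rules:
            if _matches(words, pattern.lower().split()):
                return action == "permit"
        return self.unmatched == "permit"


# The three groups from the question, as constructed sets.
GROUPS = {
    # 1. Read-only: allow only a few commands, deny everything else.
    "read-only": CommandSet("read-only", [
        ("permit", "show"),
        ("permit", "exit"),
        ("permit", "logout"),
    ], unmatched="deny"),
    # 2. Everything except entering global configuration: a single deny
    #    rule with a permit default, which is the "allow all, block one"
    #    shape the question asks about.
    "no-config": CommandSet("no-config", [
        ("deny", "configure terminal"),
    ], unmatched="permit"),
    # 3. Full access: no rules, permit default.
    "full": CommandSet("full", [], unmatched="permit"),
}


def decide(group: str, cmdline: str) -> bool:
    """Authorization decision for one command line in one group."""
    return GROUPS[group].authorize(cmdline)


if __name__ == "__main__":
    # Constructed sample commands a user might type on the router.
    samples = ["show running-config", "conf t", "configure terminal",
               "reload", "write memory", "exit"]
    for name in GROUPS:
        for cmd in samples:
            verdict = "PERMIT" if decide(name, cmd) else "DENY"
            print(f"{name:10s} {cmd:22s} {verdict}")
```

Running the script shows the point of group 2: with a permit default, anything not explicitly denied goes through, including reload and write memory, so the deny list is the only thing standing between the user and those commands and should be reviewed with that in mind. Group 1 inverts the default, which is the safer shape when the allowed set is small.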