Hi
I am configuring command authorization for our FWSM and switches. I seem to have it working OKish for the FWSM but I think I'm missing something as far as the switches go.
I basically have a user in a group which I have configured as follows under "Shell Command Authorization Set":
I have chosen "Per Group Command Authorization" with the "Unmatched Cisco IOS commands" set to deny.
I then have the following command set specified:
Command - SHOW
Arguments -
permit clock
permit route
permit access-list
permit run
On the FWSM these are the only commands that the user can use but on the Switches, all Show commands are available.
I have tried adding the following to the switches:
aaa authorization commands 0 default group Cajastur_ACS local
aaa authorization commands 1 default group Cajastur_ACS local
in addition to the following line which is always configured:
aaa authorization commands 15 default group Cajastur_ACS local
However on the switches I can still run the SHOW command with all arguments.
I must admit that I'm a bit confused too as to what checking or not checking the "Shell (exec)" option under TACACS+ Settings will do for me. Any explanation with regards to what this is for would also be appreciated.
The command authorization is working to a degree, as I cannot enter config mode on the switches unless I specifically specify it on the ACS server. It's really the granularity on the SHOW command that I'm after, and an understanding of what the "Shell (exec)" option is needed for.
All comments greatly appreciated.
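Added example, not part of the post above and not ACS or IOS code: a small Python model of the two things the post is juggling, namely which privilege levels the switch will even send to the TACACS+ server (the `aaa authorization commands <level>` lines) and how a "Shell Command Authorization Set" like the poster's decides a given command line. It assumes, as Cisco ACS does, that the argument rules are evaluated in order as regular expressions against everything after the command word, and that the "unmatched" setting applies when no rule matches; the policy dictionary and the sample command lines are constructed from the post.

```python
import re

# Constructed from the post: "Per Group Command Authorization",
# "Unmatched Cisco IOS commands" = deny, one listed command (SHOW)
# with four permit rules on its arguments.
POLICY = {
    "unmatched_commands": "deny",
    "commands": {
        "show": {
            "unmatched_args": "deny",
            "rules": [
                ("permit", "clock"),
                ("permit", "route"),
                ("permit", "access-list"),
                ("permit", "run"),
            ],
        },
    },
}


def command_authorization_levels(config_lines):
    """Return the set of privilege levels for which the switch will send
    a command authorization request, i.e. the levels named in
    'aaa authorization commands <level> ...' lines. A command typed at a
    level not in this set is never checked by the TACACS+ server."""
    levels = set()
    for line in config_lines:
        m = re.match(r"^\s*aaa authorization commands (\d+)\s", line)
        if m:
            levels.add(int(m.group(1)))
    return levels


def authorize(cmdline, policy=POLICY):
    """Evaluate one IOS command line against the authorization set.
    Returns 'permit' or 'deny'. Assumption: ACS-style matching, where the
    first word is the command, the remaining words are the argument string,
    and each rule's pattern is a regular expression searched (not anchored)
    against that string, first match wins."""
    words = cmdline.strip().split()
    if not words:
        return "deny"
    command, args = words[0].lower(), " ".join(words[1:]).lower()
    entry = policy["commands"].get(command)
    if entry is None:
        # Command not listed at all: fall back to the global unmatched setting.
        return policy["unmatched_commands"]
    for action, pattern in entry["rules"]:
        if re.search(pattern, args):
            return action
    # Listed command, but no argument rule matched.
    return entry["unmatched_args"]


if __name__ == "__main__":
    # Constructed switch config lines, as in the post.
    switch_aaa = [
        "aaa authorization commands 0 default group Cajastur_ACS local",
        "aaa authorization commands 1 default group Cajastur_ACS local",
        "aaa authorization commands 15 default group Cajastur_ACS local",
    ]
    print("levels sent for authorization:", sorted(command_authorization_levels(switch_aaa)))
    for cmd in ["show clock", "show ip route", "show running-config",
                "show access-lists", "show version", "configure terminal"]:
        print(f"{cmd:22} -> {authorize(cmd)}")
```

Two things the model makes visible: the unanchored regex match is why a rule like `permit run` also covers `show running-config` and `permit route` covers `show ip route`, and a command typed at a privilege level with no `aaa authorization commands <level>` line is never sent to the server at all, so it is worth checking the user's actual exec privilege level against that set before looking at the ACS side.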