I am configuring command authorization for our FWSM and switches. I seem to have it working OK-ish for the FWSM but I think I'm missing something as far as the switches go.
I basically have a user in a group which I have configured as follows under "Shell Command Authorization Set":
I have chosen "Per Group Command Authorization" with the "Unmatched Cisco IOS commands" set to deny.
I then have the following command set specified:
Command - SHOW
On the FWSM these are the only commands that the user can use but on the Switches, all Show commands are available.
I have tried adding the following to the switches:
aaa authorization commands 0 default group Cajastur_ACS local
aaa authorization commands 1 default group Cajastur_ACS local
in addition to the following line which is always configured:
aaa authorization commands 15 default group Cajastur_ACS local
However on the switches I can still run the SHOW command with all arguments.
I must admit that I'm a bit confused too as to what checking or not checking the "Shell (exec)" option under TACACS+ Settings will do for me. Any explanation with regards to what this is for would also be appreciated.
The command authorization is working to a degree as I cannot enter config mode on the switches unless I specifically specify it on the ACS server. It's really the granularity on the SHOW command that I'm after and an understanding of what the "Shell (exec)" option is needed for.
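For reference, an added example (not from the original post) of an IOS switch AAA configuration that ties the two ACS settings in the question to their IOS counterparts: exec authorization consumes the group's "Shell (exec)" service, and per-level command authorization consumes the Shell Command Authorization Set. The server group name Cajastur_ACS is taken from the post; the server address and key are placeholders.

```ios
! --- Added example: IOS 15-style AAA for TACACS+ command authorization ---
aaa new-model
!
! Placeholder server definition; address and key are not from the post.
tacacs server ACS1
 address ipv4 192.0.2.10
 key PLACEHOLDER-SHARED-SECRET
!
aaa group server tacacs+ Cajastur_ACS
 server name ACS1
!
aaa authentication login default group Cajastur_ACS local
!
! Exec authorization: the switch asks ACS for the shell service when the
! user's EXEC session starts. On ACS this is the group's "Shell (exec)"
! checkbox; if exec authorization is enabled here but the checkbox is off,
! the login is rejected. This is also where ACS hands back priv-lvl.
aaa authorization exec default group Cajastur_ACS local
!
! Command authorization: every command at the listed privilege level is
! sent to ACS as cmd=<keyword> plus one cmd-arg per argument, and ACS
! evaluates it against the Shell Command Authorization Set. Only the level
! the user is actually sitting at matters: a user granted priv-lvl 15 has
! all "show" commands checked under "commands 15", not "commands 1".
aaa authorization commands 1 default group Cajastur_ACS local
aaa authorization commands 15 default group Cajastur_ACS local
!
! Without this line, commands typed inside configuration mode are not
! sent for authorization at all, regardless of "commands 15".
aaa authorization config-commands
!
! Accounting gives ACS a record of which show/config commands were run,
! useful for verifying what the switch actually sent when a rule misfires.
aaa accounting commands 15 default start-stop group Cajastur_ACS
```

When a "show" with arguments is still permitted, the next thing to check is the argument handling of the SHOW entry in the command set: the permitted/denied argument patterns and whether unmatched arguments are allowed for that command.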
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :