Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

AAA Command Authorization


I am configuring command authorization for our FWSM and switches. I seem to have it working OKish for the FWSM but I think I´m nissing something as far as the Switches go.

I basically have a user in a group which I have configured as follows under "Shell Command Authorization Set":

I have chosen "Per Group Command Authorization" with the "Unmatched Cisco IOS commands" set to deny.

I then have the following command set specified:

Command - SHOW

Arguments -

permit clock

permit route

permit access-list

permit run

On the FWSM these are the only commands that the user can use but on the Switches, all Show commands are available.

I have tried adding the following to the switches:

aaa authorization commands 0 default group Cajastur_ACS local

aaa authorization commands 1 default group Cajastur_ACS local

in addition to the following line which is always configured:

aaa authorization commands 15 default group Cajastur_ACS local

However on the switches I can still run the SHOW command with all arguments.

I must admit that I´m a bit confused too as to what checking or not checking the "Shell (exec)" option under Tacacs+ Settings will do for me. Any explanaition with regards to what this is for would also be appreciated.

The command authorization is working to a degree as I cannot enter config mode on the switches unless I specifically specify it on the ACS server. It´s really the granularity on the SHOW command that I´m after and an understanding of what the "Shell (exec)" option is needed for.

All comments greatly appreciated.


Re: AAA Command Authorization

There shouldn't be any issues configuring the same on the FWSM. The commands are the same as on the

6.2 verison of a PIX. Please refer to the below url for the details on the aaa authorization command

CreatePlease to create content