

AAA policy help

Hi All

user1 >>>GroupA & user2 >>>GroupB

Router1 >>>NDG-A & Router2 >>>NDG-B

Now,

GroupA user must have "sh run" permission on NDG-A but not on NDG-B.

GroupB user must have "sh run" permission on NDG-B but not on NDG-A.

I created two shell command authorisation sets and mapped them to GroupA & GroupB. Then inside the Group, I mapped the Shell command set to the NDG. Here I have two associations.

(** I have tested with a single association and it's working, but not with two.)

But somehow it's not working.

Please help.

Regards

Bharat

3 REPLIES

Re: AAA policy help

Bharat,

You need to set up "Assign a Shell Command Authorization Set on a per Network Device Group Basis".

In GroupA---> Assign a Shell Command Authorization Set on a per Network Device Group Basis---->

Add NDG A<====> Allow show run set**

Add NDG B<====> Deny all***

In Group B----->Assign a Shell Command Authorization Set on a per Network Device Group Basis---->

Add NDG B<====> Allow show run **

Add NDG A<====> Deny all***

** Command authorization set allowing only show run

*** Command authorization set that denies everything.

Please check this link,

http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Hope that helps !

Regards,

~JG

Do rate helpful posts


Re: AAA policy help

Hi, thanks for your reply. But this I have already done on ACS.

After introducing the following commands on the Router, it worked.

aaa authorization commands 1 default tacacs+ local

aaa authorization commands 2 default tacacs+ local

aaa authorization commands 3 default tacacs+ local

aaa authorization commands 4 default tacacs+ local

aaa authorization commands 5 default tacacs+ local

aaa authorization commands 6 default tacacs+ local

aaa authorization commands 7 default tacacs+ local

aaa authorization commands 8 default tacacs+ local

aaa authorization commands 9 default tacacs+ local

aaa authorization commands 10 default tacacs+ local

aaa authorization commands 11 default tacacs+ local

aaa authorization commands 12 default tacacs+ local

aaa authorization commands 13 default tacacs+ local

aaa authorization commands 14 default tacacs+ local

aaa authorization commands 15 default tacacs+ local

Thanks for your help

Regards

Bharat

Re: AAA policy help

We need to have these commands on the router. You never mentioned it in your original post.

Anyways, there is no need to put 15 lines on the router. Just three will take care of it,

i.e.

aaa authorization commands 0 default tacacs+ local

aaa authorization commands 1 default tacacs+ local

aaa authorization commands 15 default tacacs+ local

No need to count from 1 to 15.

Regards,

~JG

Do rate helpful posts
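For reference, here is the complete router-side AAA configuration that JG's three command-authorization lines belong to. This is an added example, not configuration from the thread or from the linked Cisco document; the server address and shared key are placeholders, and the methods are written with the `group tacacs+` keyword form.

```cisco
! Added example (not from the thread). Replace the placeholder server
! address and key with your own ACS values.
aaa new-model
!
! TACACS+ server (placeholder address from the documentation range).
tacacs-server host 192.0.2.10
tacacs-server key PLACEHOLDER_SHARED_SECRET
!
! Authenticate logins against ACS; fall back to the local user database
! only if the server is unreachable.
aaa authentication login default group tacacs+ local
!
! Exec authorization lets ACS return the user's privilege level at login.
aaa authorization exec default group tacacs+ local
!
! Command authorization only for the privilege levels that exist by
! default: 0, 1 and 15. Each command typed at one of these levels is
! sent to ACS, which checks it against the shell command authorization
! set mapped to the user's group and the device's NDG, so GroupA users
! get "show run" on NDG-A devices and are denied on NDG-B (and vice versa).
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Optional: record each privilege-15 command on ACS for audit, so denied
! "show run" attempts on the wrong NDG show up in the accounting log.
aaa accounting commands 15 default start-stop group tacacs+
```

If you later create custom privilege levels (for example with `privilege exec level 5 show running-config`), add a matching `aaa authorization commands 5 ...` line, since authorization is only enforced for the levels listed.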
