Cisco Support Community
New Member

AAA with CatOS and ACS (shell command authorization set)

Hi,

I have an ACS that authenticates and authorizes IOS devices.

I use "shell command authorization set" to authorize some commands for some groups.

Is it possible to do so with CatOS?

For example, I'd like the group FULL to be able to access all commands and the group LOW to be able to access only "sho" commands.

Regards,

ROMS

5 REPLIES

Re: AAA with CatOS and ACS (shell command authorization set)

Roms,

The concept remains the same for IOS and CatOS. You need to define a command authorization set for CatOS.

Regards,

~JG

New Member

Re: AAA with CatOS and ACS (shell command authorization set)

Hi,

OK, and what should the configuration of the switches be? I see there are few available commands for CatOS...

Regards

Cisco Employee

Re: AAA with CatOS and ACS (shell command authorization set)

Hi,

The following command is required to enable command authorization on a set-based switch:

set authorization commands enable [config | all] tacacs+ [deny | none] [console | telnet | both]

Thanks,

somishra

Re: AAA with CatOS and ACS (shell command authorization set)

Console> (enable) set tacacs server [IP] [primary]

set tacacs key [key]

set tacacs attempts [number] (optional)

set localuser user [user] password [password] privilege 15

set authentication login local enable

set authentication login tacacs enable [all | console | http | telnet] [primary]

set authorization exec enable tacacs+ [deny | none] [console | telnet | both]

set authorization commands enable [config | all] tacacs+ [deny | none] [console | telnet | both]

regards,

~JG

Re: AAA with CatOS and ACS (shell command authorization set)

Here is the sample screenshot. Also note that CatOS does not support local AAA fallback until version 7.5, when the 'set localuser' command was introduced.

Regards,

~JG

Do rate helpful posts
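
Added example, not part of the original thread or any Cisco tooling: a small Python check that reads saved CatOS configuration text and reports how the `set authorization` lines quoted above were filled in. The sample configuration, server address and key are constructed placeholders, and the meanings given to `none` (proceed without authorization if TACACS+ does not answer) and `config` (only configuration commands are authorized) are assumptions to confirm against the CatOS command reference for your release.

```python
import re

# Constructed sample built from the syntax posted in the thread;
# the address and key are placeholders, not values from the page.
SAMPLE_CONFIG = """\
set tacacs server 192.0.2.10 primary
set tacacs key EXAMPLE-KEY
set authentication login local enable
set authentication login tacacs enable all primary
set authorization exec enable tacacs+ none both
set authorization commands enable config tacacs+ none telnet
"""

# Matches the two authorization forms shown in the thread, with or
# without a leading "Console> (enable)" prompt on the line.
AUTHZ_RE = re.compile(
    r"\bset authorization (exec|commands) enable\s+"
    r"(?:(config|all)\s+)?tacacs\+\s+(deny|none)"
    r"(?:\s+(console|telnet|both))?\s*$"
)

def audit(config):
    """Return a sorted list of findings for the TACACS+ authorization lines."""
    findings, seen = [], set()
    for line in config.splitlines():
        m = AUTHZ_RE.search(line.strip())
        if not m:
            continue
        kind, scope, fallback, access = m.groups()
        seen.add(kind)
        if fallback == "none":  # assumption: 'none' lets the user proceed
            findings.append(f"{kind}: fallback 'none' (assumed fail-open "
                            "when TACACS+ is unreachable)")
        if kind == "commands" and scope == "config":  # assumption, see lead-in
            findings.append("commands: scope 'config' (assumed to leave "
                            "show and other non-config commands unchecked)")
        if access in ("console", "telnet"):
            other = "telnet" if access == "console" else "console"
            findings.append(f"{kind}: applies to {access} only, "
                            f"{other} sessions are not covered")
    for kind in ("exec", "commands"):
        if kind not in seen:
            findings.append(f"{kind}: no TACACS+ authorization line found")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

For the FULL/LOW split asked about in the first post, the `commands` line would need the `all` scope under these assumptions, since the "sho" commands are not configuration commands.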
