Cisco Support Community
Community Member

ACS 3.3 Shell Command Authorization Sets

I need help on the Authorization Set. I have the following currently configured.

clear
    permit port-security dynamic
    permit port-security all
    permit port-security sticky
    permit mac-address-table dynamic

Configure
    permit terminal

end

exit

show
    permit port-security
    permit mac-address-table
    permit interfaces status
    permit interfaces stats
    permit running-config interface FastEthernet
    permit ver

switchport
    permit port-security

write
    permit memory
    permit network

copy running-config startup-config

Everything seems to work fine. For example, you cannot do a show running config.

My problem is the conf t. Once you are in, you can do any commands you want, i.e. "int fax/x/x", "switchport access vlan XX".

I tried different interface permit commands and still cannot restrict commands.

None of the permit unmatched commands are checked.

What I would like is to permit interface commands for port security commands, but not allow shut or no shut, etc.

4 REPLIES

Re: ACS 3.3 Shell Command Authorization Sets

Have you turned on:

aaa authorization config-commands

Regards

Farrukh

Re: ACS 3.3 Shell Command Authorization Sets

As suggested by Farrukh, it seems it is not checking for authorization in config t mode; that is why you are able to execute all commands.

Please add

aaa authorization config-commands

The above command will enable authorization for config t mode.

Regards,

~JG

Community Member

Re: ACS 3.3 Shell Command Authorization Sets

That fixed it. Thanks.

Re: ACS 3.3 Shell Command Authorization Sets

It's great to know you have it working now. :)

Please rate helpful posts to increase the utility of this information for future readers.

Regards

Farrukh
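
The gap resolved in this thread can be checked for across saved device configurations. The following is an added example, not code from any poster or from Cisco: it scans a running-config for "aaa authorization commands" lines and flags the case where "aaa authorization config-commands" is absent. The sample configs and the function name audit_command_authorization are constructed for illustration, and the check assumes the behaviour reported in the thread (the line must be present for config-mode commands to be authorized).

```python
import re

# Constructed sample running-config excerpts (not taken from the thread).
CONFIG_BEFORE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
"""
CONFIG_AFTER = CONFIG_BEFORE + "aaa authorization config-commands\n"

# aaa authorization commands <level> <list-name> <methods...>
CMD_AUTHZ = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")


def audit_command_authorization(running_config):
    """Return the privilege levels that have command authorization (with
    their method lists), whether config-mode commands are included, and
    any findings."""
    levels = {}
    config_commands = False
    for raw in running_config.splitlines():
        line = raw.strip()
        # Exact match, so "no aaa authorization config-commands" does not count.
        if line == "aaa authorization config-commands":
            config_commands = True
        match = CMD_AUTHZ.match(line)
        if match:
            levels[int(match.group(1))] = match.group(3).split()
    findings = []
    if not levels:
        findings.append("no 'aaa authorization commands' line: the command "
                        "authorization set is not consulted")
    elif not config_commands:
        findings.append("'aaa authorization config-commands' missing: commands "
                        "typed after 'configure terminal' are not authorized")
    return {"levels": levels, "config_commands": config_commands,
            "findings": findings}


if __name__ == "__main__":
    for name, text in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(name, audit_command_authorization(text))
```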
