New Member

ACS 4.1 Shell command Authorization set - VLAN configuration

I am looking to limit certain users on which VLANs they can set on switch ports.  I have the following configured on the command "switchport":

deny access vlan 11
permit access vlan 10
permit access vlan 13
permit access vlan 40
permit access vlan 50
permit access vlan 60
permit access vlan 101

But it is still allowing "switchport access vlan 11" to be a viable command on that group.  I do not have "permit unmatched args" checked and I have the "Unmatched Commands" set to deny.  It's as if the "switchport access" portion is being acknowledged but the rest is ignored.  Can you only put a single argument per command?  If that is the case, I tried adding a command of "vlan" and limiting it similarly to deny 11 and allow the rest, but that also didn't work.
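To make the two ACS settings mentioned in this thread ("Unmatched Commands" and "Permit Unmatched Args") concrete, here is a small Python model of how a shell command authorization set is evaluated. This is an added example, not Cisco code and not ACS's actual implementation: it assumes the switch encodes the command as one `cmd=` attribute followed by `cmd-arg=` attributes ending in `<cr>` (the real IOS TACACS+ encoding), and it models the argument comparison as an exact match on the joined argument string, which is a simplification. The builder `thread_auth_set` reproduces the set from the question, with and without the explicit deny line.

```python
"""Model of a TACACS+ shell command authorization set (ACS 4.x style).

Added example for this thread. Not ACS's code; the exact-match rule for
argument lines is a modelling assumption. The point it demonstrates is that
with "Unmatched Commands" = deny and "Permit Unmatched Args" unchecked, an
explicit "deny access vlan 11" line changes nothing.
"""
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    # Argument lines as typed in the ACS command box: (action, argument string).
    args: list = field(default_factory=list)
    permit_unmatched_args: bool = False   # the "Permit Unmatched Args" checkbox


@dataclass
class CommandAuthSet:
    commands: dict = field(default_factory=dict)   # command word -> CommandRule
    unmatched_commands_permit: bool = False          # "Unmatched Commands" radio


def parse_av_pairs(av_pairs):
    """Extract the command word and joined argument string from TACACS+ AV pairs.

    IOS sends e.g. ["cmd=switchport", "cmd-arg=access", "cmd-arg=vlan",
    "cmd-arg=11", "cmd-arg=<cr>"]; the trailing <cr> is not an argument.
    """
    cmd, args = None, []
    for pair in av_pairs:
        key, _, value = pair.partition("=")
        if key == "cmd":
            cmd = value
        elif key == "cmd-arg" and value != "<cr>":
            args.append(value)
    return cmd, " ".join(args)


def authorize(auth_set, av_pairs):
    """Return (decision, reason) for one command authorization request."""
    cmd, arg_string = parse_av_pairs(av_pairs)
    rule = auth_set.commands.get(cmd)
    if rule is None:
        decision = "permit" if auth_set.unmatched_commands_permit else "deny"
        return decision, "unmatched command"
    for action, pattern in rule.args:          # first matching line wins
        if pattern == arg_string:
            return action, f"matched line '{action} {pattern}'"
    if rule.permit_unmatched_args:
        return "permit", "unmatched args permitted"
    return "deny", "unmatched args denied"


def thread_auth_set(explicit_deny=True):
    """The authorization set from the question, optionally without 'deny access vlan 11'."""
    lines = [("permit", f"access vlan {v}") for v in (10, 13, 40, 50, 60, 101)]
    if explicit_deny:
        lines.insert(0, ("deny", "access vlan 11"))
    return CommandAuthSet(
        commands={"switchport": CommandRule(args=lines, permit_unmatched_args=False)},
        unmatched_commands_permit=False,
    )


def switchport_request(vlan):
    """Constructed AV pairs for 'switchport access vlan <n>' as IOS would send them."""
    return ["cmd=switchport", "cmd-arg=access", "cmd-arg=vlan",
            f"cmd-arg={vlan}", "cmd-arg=<cr>"]


if __name__ == "__main__":
    for explicit in (True, False):
        s = thread_auth_set(explicit_deny=explicit)
        for vlan in (10, 11, 999):
            print(explicit, vlan, authorize(s, switchport_request(vlan)))
```

Both variants of the set deny VLAN 11 and VLAN 999 (any argument string not on a permit line falls through to the "unmatched args denied" branch), which is why the reply below says the explicit deny line is redundant. The model only runs once a request reaches the server: if the switch is missing its AAA command authorization configuration, as turned out to be the case in this thread, no request is sent and nothing in the set is ever consulted, which is exactly what the suggested debugs reveal.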

Accepted Solution
Cisco Employee

Since you already have "unmatched commands" set to DENY and "permit unmatched args" is unchecked, then you don't need the explicit "deny access vlan 11". Can you remove it from there and try again?

In case it doesn't work, please get the following information:

debug aaa authen

debug aaa autho

debug tacacs

Log in to ACS > Reports and Activities > TACACS+ Administration > check what format the command is coming in there.

Regards,

Jatin Katyal

*Do rate helpful posts*

3 REPLIES
New Member

Ahh gezz, I found the problem after doing the debugs - some of my AAA configuration was missing from the particular switch I was having an issue with.

Thanks for the reply though.  Wouldn't have known the right debugging to try so that helps for future troubleshooting.

Cisco Employee

No worries. Keep posting.

Regards,

Jatin Katyal

*Do rate helpful posts*
