Cisco Support Community
New Member

ACS and AAA deny statements

I have 1 Windows box running ACS and four 7505 routers configured with AAA commands. Authentication is working fine on the routers via the ACS server. Now I need to deny certain commands like "DEBUG" to certain users without taking off their administrative rights. How can I achieve this?

1 REPLY
Silver

Re: ACS and AAA deny statements

Hi

There are many ways to achieve this, but the *correct* and most scalable is to enable command authorisation on your devices.

In ACS create some groups based on the permissions levels each group should have.

In the groups enable the shell (exec) service.

At this point you can either list the denied commands for certain groups right in the group edit page itself.

Alternatively, you can create Device Command Sets in the shared profiles UI. These are more flexible because inside a single group you can map to different DCSs based on the device being managed (either by device IP or by network device group).

It's all there in the ACS docs!

Good luck.

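The reply's first step, enabling command authorisation on the devices, is not spelled out in the thread; the IOS configuration below sketches it as an added example that is not part of the original posts. It assumes the routers talk TACACS+ to ACS (IOS per-command authorization is a TACACS+ feature); the server address, shared key and local account name are placeholders.

```cisco
! Added example, not from the thread.
! Assumptions: ACS reachable over TACACS+ at 192.0.2.10 (documentation address),
! placeholder shared key, hypothetical local fallback account "rescue".
aaa new-model
!
! Local account used only when ACS cannot be reached.
username rescue privilege 15 secret <LOCAL-FALLBACK-SECRET>
!
tacacs-server host 192.0.2.10 key <SHARED-KEY>
!
aaa authentication login default group tacacs+ local
!
! Request the shell (exec) service from ACS at login; this is the service
! the reply says to enable in each ACS group.
aaa authorization exec default group tacacs+ local
!
! Send every level-1 and level-15 command to ACS for a permit/deny decision.
! "debug" runs at level 15 by default, so the level-15 line is the one that
! lets an ACS group setting or Device Command Set deny it while the user
! keeps privilege 15 for everything else.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Apply the same check to commands typed in configuration mode.
aaa authorization config-commands
!
! Record each level-15 command together with the user who ran it.
aaa accounting commands 15 default start-stop group tacacs+
```

Keep an already-authenticated privileged session open while applying and testing this, because an error in the method list or in the ACS group settings can deny every command on new logins.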