Cisco Support Community
New Member

ACS command authorization - deny CatOS "set" commands

Cisco Secure ACS 4.2

I have a network support group that I just want to deny them the ability to use IOS and CatOS configuration commands.

I noticed that the Per Group Command Authorization is applicable to only IOS-based commands. I applied it to deny "configure", but permit everything else.

How do I go about setting this group up to deny set-based commands for the CatOS devices?

1 REPLY
Silver

Re: ACS command authorization - deny CatOS "set" commands

Hi

CatOS does TACACS+, right? Pretty sure it does. If it has a "shell/exec" service like IOS then ACS won't really care whether the command authorisation is IOS or CatOS - it doesn't have any specific command set knowledge. i.e. it uses string comparisons between what the device is requesting and what is permitted.

However, if the command authorisations are totally different (between IOS and CatOS devices) you might need to place them into separate NDGs so that you can map an IOS NDG to an IOS device command set and vice versa.

Hope that makes sense!
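
A simplified model of the string-based matching and per-NDG command set mapping described in the reply above, added here as an illustration; it is not part of the original thread and not ACS's own code. Device names, NDG names and the rule layout are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class CommandSet:
    """Simplified model of a shell command authorization set (not ACS code)."""
    name: str
    unmatched_permit: bool                      # action for commands not listed
    rules: dict = field(default_factory=dict)   # first word -> [(action, arg prefix)]

    def authorize(self, line: str) -> bool:
        words = line.lower().split()
        if not words:
            return False
        cmd, args = words[0], " ".join(words[1:])
        if cmd not in self.rules:
            return self.unmatched_permit        # pure string lookup, no OS knowledge
        for action, arg_prefix in self.rules[cmd]:
            if args.startswith(arg_prefix):     # first matching argument rule wins
                return action == "permit"
        return False                            # listed command, no argument rule matched

# Constructed command sets: deny one configuration keyword, permit everything else.
IOS_SET = CommandSet("IOS-NoConfig", True, {"configure": [("deny", "")]})
CATOS_SET = CommandSet("CatOS-NoSet", True, {"set": [("deny", "")]})

# Constructed inventory: each device belongs to one NDG, each NDG maps to one set.
DEVICE_NDG = {"rtr-core-1": "IOS-Devices", "sw-access-7": "CatOS-Devices"}
NDG_COMMAND_SET = {"IOS-Devices": IOS_SET, "CatOS-Devices": CATOS_SET}

def authorize(device: str, line: str) -> bool:
    """Pick the command set from the requesting device's NDG; fail closed if unmapped."""
    command_set = NDG_COMMAND_SET.get(DEVICE_NDG.get(device))
    if command_set is None:
        return False
    return command_set.authorize(line)

if __name__ == "__main__":
    for dev, cmd in [("rtr-core-1", "configure terminal"),
                     ("rtr-core-1", "show running-config"),
                     ("sw-access-7", "set vlan 10 2/1"),
                     ("sw-access-7", "show port 2/1")]:
        print(f"{dev:12} {cmd:22} -> {'PERMIT' if authorize(dev, cmd) else 'DENY'}")
```

Because the match is on strings alone, the constructed CatOS set would permit `configure terminal` if a device in that NDG ever requested it, which is why each NDG needs a set written for the commands its platform actually uses.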
