
ACS shell authorization

Is it possible to configure shell authorization when the privilege level is set to anything less than 15?

What I am doing right now is configuring level 15 access and restricting the commands through shell command sets. When I try to assign any other privilege level it doesn't seem to work.

HTH

Narayan


8 REPLIES
Bronze

Re: ACS shell authorization

Hi,

Are you using auth-proxy or what?

As I know, for auth-proxy you cannot use another level under 15; the only allowed is

that only (permit) statement and (any) as the source, and for the level it is 15:

proxyacl#1=permit any
.
.
.
PRIVLVL=15 (under the argument area..)

HTH

Please do rate if it does help

Cisco Employee

Re: ACS shell authorization

Narayan,

Even if you define a privilege level less than 15 on the device and apply command authorization on that level, you will need to reduce the privilege level of the commands which you need to execute at the lower privilege level.

After reducing the privilege level of selected commands on the device, applying command authorization will be a waste.

Re: ACS shell authorization

Vivek,

I am probably confused by your post.

What I want to achieve is something like this.

Say I want to restrict one group to just the following commands:

sh ip int brief

sh int

ping

I don't want to assign a privilege level of 15 to this group and then restrict; what I want is to assign a privilege level of, say, 5 or 10 and then restrict.

Can this be done?

Narayan

Cisco Employee

Re: ACS shell authorization

Narayan,

Lets say you assign a privilege level of 10 to the user on the AAA server. The user will log on to the device at level 10 but "sh ip int br" and "sh int" are level 15 commands, hence he will not be able to use them.

So what we will need to do is reduce the privilege level of the "sh ip int br" and "sh int" commands on the device itself to level 10 using "privilege" command in the global configuration mode.

After doing this, only "sh ip int br" and "sh int" commands will be available at level 10 and not other privilege 15 commands.

Now further if you want Group a to execute only "sh ip int br" and Group b to execute only "sh int" then you can apply command authorization for level 10.

Hope this helps
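The three steps above (priv-lvl 10 from ACS, lowering the commands with "privilege", then command authorization at level 10), as an added IOS configuration example that is not from the thread or from Cisco; the TACACS+ server address, key and group name are placeholders, and the ACS side (shell profile returning priv-lvl=10 plus a per-group command set) is assumed to exist:

```cisco
! Added example, not from the thread. Placeholders: 192.0.2.10 (ACS), KEY_PLACEHOLDER.
aaa new-model
tacacs-server host 192.0.2.10 key KEY_PLACEHOLDER
aaa authentication login default group tacacs+ local
! Step 1: exec authorization lets ACS hand back priv-lvl=10 for the group
aaa authorization exec default group tacacs+ local
! Step 3: command authorization at the lowered level, and at 15 so admins are covered too
aaa authorization commands 10 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
! Accounting gives you a per-command audit trail on the ACS server
aaa accounting commands 10 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
! Step 2: make the three commands visible to a level-10 user
privilege exec level 10 show ip interface brief
privilege exec level 10 show interfaces
privilege exec level 10 ping
! Caveat: lowering a multi-word command also exposes its parent keywords
! ("show", "show ip", "show ip interface") at that level. Verify after login
! with "show privilege" and by trying a level-15 command such as "configure terminal".
! Without the ACS command set, every level-10 user gets all three commands;
! the Group a / Group b split is enforced only by the command-authorization step.
```

Keep the `local` fallback and a local user at level 15 so a TACACS+ outage does not lock you out, and test from a second session before closing the one you configured from.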

Re: ACS shell authorization

Thanks Vivek,

It would be a burden to configure the commands on each device (I have about 700).

I think it's better to assign priv 15 and restrict.

BTW, is there any document which shows the commands and their associated privilege levels?

Narayan

New Member

Re: ACS shell authorization

Narayan,

I am looking to do the same as you are. Please post if you have found a solution.

Thanks,

Harton

Cisco Employee

Re: ACS shell authorization

Narayan,

I could not find any document, but you can go to the level 1 prompt of any IOS device and check the commands available. All the rest are level 15 commands.

Re: ACS shell authorization

Thanks Vivek for the answer.

Harton, I didn't find any easier way other than allowing priv 15 access and restricting them with shell authorization.

HTH

Narayan
