New Member

ACS - Shell Command Authorization Set

Hi

I am trying to set specific SHOW arguments for a user, but the user always gains access to all show arguments. Please find the config below:

privilege exec level 5 show ip route

aaa authorization commands 5 TELNET group tacacs+

aaa authorization exec TELNET group tacacs+

aaa authentication login TAC group tacacs+

tacacs-server host 10.0.0.100 key ccie-acs
radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key CISCO

line vty 0 4
  password cisco
  authorization commands 5 TELNET
  authorization exec TELNET
  login authentication TAC

Accepted Solution
Cisco Employee

Re: ACS - Shell Command Authorization Set

You should use the standard command authorization config on the device. The command level of show ip route that you modified is actually local to the device. In your case we are testing it with TACACS.

aaa new-model
aaa authorization config-commands
aaa authorization commands 0 TELNET  group tacacs+ local
aaa authorization commands 1 TELNET  group tacacs+ local
aaa authorization commands 15 TELNET group tacacs+ local

Try with this and see how it goes.

Regards,

Jatin

~BR Jatin Katyal **Do rate helpful posts**
New Member

Re: ACS - Shell Command Authorization Set

Thanks Jatin, it worked as you advised, but when I really need to define an extra level, what tweaks or advanced scenario may that require?

Cisco Employee

Re: ACS - Shell Command Authorization Set

By default, there are three command levels on the router:

    privilege level 0 — Includes the disable, enable, exit, help, and logout commands.

    privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.

    privilege level 15 — Includes all enable-level commands at the router# prompt.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml

For example, show run is a privilege 15 command. Previously, the authorization command for level 15 was not configured on the IOS, so your command set was not matching and the user was able to run all the commands. Since we have now configured 0, 1 and 15, this would cover most of the commands.

Hope this helps.

Regards,

Jatin

Do rate helpful posts-

~BR Jatin Katyal **Do rate helpful posts**
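As an added illustration of the point made in the two replies above (this is example code, not from the thread, from Cisco or from ACS): a small Python audit script that parses the relevant IOS lines and reports which privilege levels a vty session can use without any command authorization request ever reaching the TACACS+ server. The sample configs are constructed from the question and the accepted answer; the "fixed" one additionally assumes the TELNET method list is applied under line vty for each level, which the answer does not show but IOS requires for a named (non-default) list. The built-in command levels passed by the caller (1 for show ip route, 15 for show running-config) are IOS defaults the script cannot read from a config snippet, so they are supplied as arguments.

```python
import re
from typing import Dict, List, Optional, Tuple

# Privilege levels every IOS device has by default (as listed in the reply).
BUILTIN_LEVELS = {0, 1, 15}

# Constructed sample: the original poster's relevant config lines.
ORIGINAL_CONFIG = """\
privilege exec level 5 show ip route
aaa authorization commands 5 TELNET group tacacs+
aaa authorization exec TELNET group tacacs+
aaa authentication login TAC group tacacs+
line vty 0 4
  authorization commands 5 TELNET
  authorization exec TELNET
  login authentication TAC
"""

# Constructed sample: the same device with the accepted answer's lines added.
# Assumption: the TELNET list is also applied under line vty for each level,
# which IOS requires for any named (non-default) method list.
FIXED_CONFIG = ORIGINAL_CONFIG + """\
aaa new-model
aaa authorization config-commands
aaa authorization commands 0 TELNET group tacacs+ local
aaa authorization commands 1 TELNET group tacacs+ local
aaa authorization commands 15 TELNET group tacacs+ local
line vty 0 4
  authorization commands 0 TELNET
  authorization commands 1 TELNET
  authorization commands 15 TELNET
"""

PRIV_RE = re.compile(r"^privilege\s+\S+\s+level\s+(\d+)\s+(.+)$")
AAA_CMD_RE = re.compile(r"^aaa\s+authorization\s+commands\s+(\d+)\s+(\S+)\s+(.+)$")
LINE_CMD_RE = re.compile(r"^authorization\s+commands\s+(\d+)\s+(\S+)$")


def parse(config: str) -> dict:
    """Pull out the pieces that decide command authorization: privilege
    reassignments, the global per-level method lists, and the list names
    applied under the line (all line types are treated alike here)."""
    priv: List[Tuple[int, str]] = []
    aaa: Dict[int, Dict[str, List[str]]] = {}
    applied: Dict[int, str] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := PRIV_RE.match(line):
            priv.append((int(m.group(1)), m.group(2)))
        elif m := AAA_CMD_RE.match(line):
            aaa.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3).split()
        elif m := LINE_CMD_RE.match(line):
            applied[int(m.group(1))] = m.group(2)
    return {"priv": priv, "aaa": aaa, "applied": applied}


def command_level(config: str, command: str, default_level: int = 1) -> int:
    """Privilege level of `command`: the longest matching
    `privilege ... level N <prefix>` line, else `default_level`, which the
    caller supplies because the IOS built-in level of a command is not
    visible in a config snippet (show running-config is 15 by default)."""
    tokens = command.split()
    best: Optional[Tuple[int, List[str]]] = None
    for level, prefix in parse(config)["priv"]:
        p = prefix.split()
        if tokens[: len(p)] == p and (best is None or len(p) > len(best[1])):
            best = (level, p)
    return best[0] if best else default_level


def authorization_for(config: str, level: int) -> str:
    """How commands at `level` are authorized on the line: 'tacacs+' when
    the applied method list queries the server, 'local' or 'none' for those
    methods, and 'unchecked' when no method list covers the level at all.
    In the unchecked case IOS performs no command authorization, so ACS
    never sees the command and its command set cannot restrict it."""
    parsed = parse(config)
    list_name = parsed["applied"].get(level, "default")
    methods = parsed["aaa"].get(level, {}).get(list_name)
    if methods is None:
        return "unchecked"
    if "tacacs+" in methods:
        return "tacacs+"
    if "local" in methods:
        return "local"
    return "none" if "none" in methods else "unchecked"


def check_command(config: str, command: str, default_level: int = 1) -> str:
    """End to end: which authorization path a given command takes."""
    return authorization_for(config, command_level(config, command, default_level))


def unchecked_levels(config: str) -> List[int]:
    """Audit: privilege levels in use (built-ins plus any reassigned level)
    whose commands bypass command authorization entirely."""
    levels = BUILTIN_LEVELS | {lvl for lvl, _ in parse(config)["priv"]}
    return sorted(l for l in levels if authorization_for(config, l) == "unchecked")


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "unchecked levels:", unchecked_levels(cfg))
        print("  show ip route       ->", check_command(cfg, "show ip route"))
        print("  show running-config ->", check_command(cfg, "show running-config", 15))
```

On the original config the audit reports levels 0, 1 and 15 as unchecked, which is why the level 15 show run was never sent to ACS and the command set had nothing to match against; after the accepted answer's lines are added (and applied to the line), every level in use is routed to the TACACS+ server, and any newly created custom level that has no matching aaa authorization commands line shows up in the report.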