Cisco Support Community
Community Member

Command Authorization (Switches & CS-ACS 2.6 W2k)

I want to be able to restrict users to certain commands on my Access Layer switches. I can do all but the "set vlan" command set. I need to be able to allow these users to 'set vlan <vlan number> <mod/slot>' but not do any other set vlan commands. For example, in my ACS config I have 'deny vlan mtu'. However, if the user were to type 'set vlan 1 mtu' it would be allowed. Is there a way in CS-ACS v2.6 W2k to handle this situation?

Cisco Employee

Re: Command Authorization (Switches & CS-ACS 2.6 W2k)

Hmmm, interesting. I think you'd have to add each vlan number in as part of the command, so do something like:

deny vlan 1 mtu

deny vlan 2 mtu
and so on. Bit of a pain if you have hundreds of VLANs. I can't see any other way around this though, since the vlan number is sent as part of the command to the ACS server, just like the word "mtu" is part of the command.
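To make the matching problem concrete, here is an added example (not from the thread and not Cisco's code): a small Python model of literal, position-sensitive argument matching, showing why 'set vlan 1 mtu' slips past 'deny vlan mtu', the per-VLAN enumeration from the reply, and an audit of which VLAN ids a given rule set still leaves uncovered. The matching rule (a rule's tokens must equal the leading typed tokens, no wildcards) and the "unmatched" default are assumptions made for the model, not documented ACS 2.6 behaviour.

```python
# Model of TACACS+ shell command authorization as the thread describes it.
# Assumed: the switch sends the first word as the command and the rest as
# literal argument tokens; a rule matches only when its tokens equal the
# leading typed tokens; "unmatched" stands in for the ACS "Unmatched Args"
# choice. These are modelling assumptions, not Cisco documentation.
from dataclasses import dataclass


@dataclass
class Rule:
    action: str      # "permit" or "deny"
    arguments: str   # literal argument text, e.g. "vlan 1 mtu"


def authorize(line, command_set, unmatched="permit"):
    """Return 'permit' or 'deny' for one typed command line."""
    command, *args = line.split()
    rules = command_set.get(command)
    if rules is None:
        return "deny"                     # command not in the set at all
    for rule in rules:
        pattern = rule.arguments.split()
        # Token-by-token comparison: "vlan mtu" never lines up with
        # "vlan 1 mtu" because the VLAN id occupies the second slot.
        if args[:len(pattern)] == pattern:
            return rule.action
    return unmatched


# The original poster's single rule under the "set" command.
ORIGINAL = {"set": [Rule("deny", "vlan mtu")]}


def enumerated_set(vlan_ids):
    """The reply's workaround: one deny line per VLAN id."""
    return {"set": [Rule("deny", f"vlan {v} mtu") for v in vlan_ids]}


def uncovered_vlans(command_set, vlan_ids):
    """Audit: VLAN ids whose 'set vlan <id> mtu ...' would still be permitted."""
    return [v for v in vlan_ids
            if authorize(f"set vlan {v} mtu 1500", command_set) == "permit"]


if __name__ == "__main__":
    print(authorize("set vlan 1 mtu 1500", ORIGINAL))      # permit: the gap
    fixed = enumerated_set(range(1, 1006))
    print(authorize("set vlan 1 mtu 1500", fixed))         # deny
    print(authorize("set vlan 1 3/1", fixed))              # permit
    print(uncovered_vlans(fixed, [1, 500, 1005, 1006]))    # [1006]
```

Flipping the unmatched default to "deny" closes the mtu gap but also blocks the 'set vlan <id> <mod/port>' assignments the poster wants to allow, which is exactly the dilemma in the question.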

Community Member

Re: Command Authorization (Switches & CS-ACS 2.6 W2k)

Not what I wanted to hear, but what I suspected to be the case. I will get my account team to file some PERS on this as this is an obvious hole in command authorization that needs to be filled.
