Command Authorization (Switches & CS-ACS 2.6 W2k)

thethmon
Level 1

I want to be able to restrict users to certain commands on my Access Layer switches. I can do all but the "set vlan" command set. I need to be able to allow these users to 'set vlan <vlan number> <mod/slot>' but not do any other set vlan commands. For example, in my ACS config I have 'deny vlan mtu'. However, if the user were to type 'set vlan 1 mtu' it would be allowed. Is there a way in CS-ACS v2.6 W2k to handle this situation?

2 Replies

gfullage
Cisco Employee

Hmmm, interesting. I think you'd have to add each vlan number in as part of the command, so do something like:

deny vlan 1 mtu

deny vlan 2 mtu

.......

and so on. Bit of a pain if you have hundreds of VLANs. I can't see any other way around this though, since the vlan number is sent as part of the command to the ACS server, just like the word "mtu" is part of the command.
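As an added illustration of the point made in this reply (example code written for this thread, not Cisco's or ACS's own logic), the following simplified model assumes ACS compares each deny line word-for-word against the leading words of the command arguments, so 'deny vlan mtu' cannot match the arguments 'vlan 1 mtu', while one generated 'deny vlan N mtu' line per VLAN does:

```python
# Added example, not from the Cisco Community post. Simplified model of
# TACACS+ shell command authorization as described in the reply: ACS gets
# the command word ("set") plus its arguments ("vlan 1 mtu") and compares
# the argument string against permit/deny lines. Because the VLAN number is
# part of the arguments, "deny vlan mtu" never matches "vlan 1 mtu".
# Assumption: each rule pattern is a literal, word-by-word prefix match.

from typing import Iterable, List, Tuple

Rule = Tuple[str, str]  # (action, argument pattern), e.g. ("deny", "vlan 1 mtu")


def _matches(pattern: str, args: str) -> bool:
    """Literal word-by-word prefix match of a rule pattern against arguments."""
    pw, aw = pattern.split(), args.split()
    return len(pw) <= len(aw) and pw == aw[: len(pw)]


def authorize(command_line: str, rules: Iterable[Rule], unmatched: str = "permit") -> str:
    """Return 'permit' or 'deny' for a full line such as 'set vlan 1 mtu'.

    First matching rule wins; 'unmatched' models the ACS "unmatched args"
    setting (assumed here to be permit, as in the question).
    """
    words = command_line.split()
    args = " ".join(words[1:])  # everything after the command word "set"
    for action, pattern in rules:
        if _matches(pattern, args):
            return action
    return unmatched


def vlan_mtu_deny_rules(vlan_ids: Iterable[int]) -> List[Rule]:
    """Generate one 'deny vlan <id> mtu' line per VLAN, as the reply suggests."""
    return [("deny", f"vlan {vid} mtu") for vid in vlan_ids]


if __name__ == "__main__":
    # The original, ineffective configuration from the question
    original = [("deny", "vlan mtu")]
    print(authorize("set vlan 1 mtu", original))  # permit

    # Per-VLAN deny lines for VLANs 1-4094; the allowed mod/slot form still passes
    per_vlan = vlan_mtu_deny_rules(range(1, 4095))
    print(len(per_vlan), "deny lines needed")
    print(authorize("set vlan 1 mtu", per_vlan))  # deny
    print(authorize("set vlan 1 3/1", per_vlan))  # permit
```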

Not what I wanted to hear, but what I suspected to be the case. I will get my account team to file some PERS on this as this is an obvious hole in command authorization that needs to be filled.