Cisco Support Community
New Member

Command Authorization

I have an ACS Solution Engine and have applied a command authorization set to a user. The command authorization set is shown below:

show command
  permit version
  permit aaa
  permit config
  permit interface
  permit xlate
  permit nat
  permit global
  permit access-list
  permit route
  permit ip route
  permit vlan brief
  permit ping

Clear command
  permit version
  permit aaa
  permit config
  permit interface
  permit xlate
  permit nat
  permit global
  permit access-list
  permit route
  permit ip route
  permit vlan brief

enable command
  permit ping

Now the problem is that the user is able to log in successfully and goes to enable mode, but from neither mode is he able to ping the network.

Though I have allowed the ping command, the user is getting an error:

ping 172.28.95.2

Command authorization failed

I want to allow the user to ping anywhere in the network.

Please tell me how to do that.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Command Authorization

It should be

configure ---> on the left box

permit terminal ---> on the right box.

4 REPLIES

Re: Command Authorization

To allow ping, this is how the command set should be configured.

See attachment

Regards,

~JG

New Member

Re: Command Authorization

It was not working as mentioned in the attachment. I changed it to a different way as shown in the snapshot, and it is working now.

Please tell me one more thing: if I want to allow the user to use configure terminal as well, how do I do that? I tried as mentioned in the snapshot, but it is not working. I want the user to go into configure terminal, but I will only allow the commands that I mentioned in the show command set.

Please tell me how to do that.

Re: Command Authorization

It should be

configure ---> on the left box

permit terminal ---> on the right box.

Re: Command Authorization

Waseem, have a look at the following link:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

The best option is to turn on the following debugs on the router and then enable the appropriate commands in ACS (as sometimes the router is sending strange characters like etc):

debug aaa authorization

debug tacacs

Regards

Farrukh
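The replies in this thread turn on where a word sits in the command set: the command goes in the left box and its permitted arguments in the right box. The sketch below is an added example, not part of the thread and not ACS code; its matching rule (literal argument prefixes, deny by default) and the `ping` entry with unmatched arguments permitted are assumptions made for illustration.

```python
import re

class CommandSet:
    """Simplified model of a command authorization set (assumed semantics)."""
    def __init__(self, entries, permit_unmatched_commands=False):
        # entries: {command: {"args": [(action, words)], "permit_unmatched_args": bool}}
        self.entries = entries
        self.permit_unmatched_commands = permit_unmatched_commands

    def authorize(self, line):
        command, _, args = line.strip().partition(" ")
        entry = self.entries.get(command.lower())
        if entry is None:
            # The first word must itself be a listed command (left box).
            return self.permit_unmatched_commands
        for action, words in entry["args"]:
            # Assumed rule: argument words match literally from the start.
            if re.match(re.escape(words) + r"(\s|$)", args.strip()):
                return action == "permit"
        return entry["permit_unmatched_args"]

def entry(args, permit_unmatched_args=False):
    return {"args": [("permit", a) for a in args],
            "permit_unmatched_args": permit_unmatched_args}

SHOW_ARGS = ["version", "aaa", "config", "interface", "xlate", "nat", "global",
             "access-list", "route", "ip route", "vlan brief", "ping"]

# The set as posted: "ping" exists only as an argument of show and enable.
posted = CommandSet({"show": entry(SHOW_ARGS),
                     "clear": entry(SHOW_ARGS[:-1]),
                     "enable": entry(["ping"])})

# "configure" / "permit terminal" follows the accepted reply; the "ping"
# entry is an assumption, since the thread's attachment is not shown here.
corrected = CommandSet({**posted.entries,
                        "configure": entry(["terminal"]),
                        "ping": entry([], permit_unmatched_args=True)})

# Constructed sample command lines.
SAMPLE = ["show version", "ping 172.28.95.2", "configure terminal",
          "configure network", "show running-config"]

def check(command_set, lines=SAMPLE):
    return {line: command_set.authorize(line) for line in lines}

if __name__ == "__main__":
    for name, cs in (("posted", posted), ("corrected", corrected)):
        for line, ok in check(cs).items():
            print(f"{name:9} {line:22} {'PASS' if ok else 'FAIL'}")
```

In this model, permitting `configure terminal` only authorizes that one command line; anything typed afterwards is evaluated against the set as its own line.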
