I have everything running properly on ACS 5.1. I'd like to implement command sets for selected users and groups. Under Access Policies -> Device Admin-> Authorization I have Command Sets selected. The cisco provided is DenyAllCommands. I have this command set running on all groups and every groups is still able to issue any command they wish. I've also created a "show_only" command set that I've issued one group and they are still able to do conf t or any other command.
Am I missing something?
Do you need to reference the command set name under the shell profiles?
Its my understanding that all you have to do is reference it in "Authorization" in the rules under Device Admin.
I can understand a custom command set not working because of user error but DenyAllCommands should work.
Anyone have any ideas?
I have already re-patched the ACS
Stopped and started services.
And it seems like Command Sets is the only not referenced in the logs
I am able now to deny/permit certain commands like show, conf t, etc. Basically any command following #. I'm now having a problem denying command after conf t. I want to allow access to the fastethernet interfaces but deny serial interfaces.
If I DENY "interface" under the Command column it doesn't work. I can still access all interfaces.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...