Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Deny access to Commands.

I have CiscoSecure ACS v3.0, I have 3 groups setup on it...

I want to give one of my groups ReadOnly Access to all the routers. What I want to do is stop them from using "Config T" command ONLY...

If they can't use that command they cann't change any thing, but still be able to look around....

Any ideas how can I do this...

Thanks

Rajeev

2 REPLIES
Community Member

Re: Deny access to Commands.

Configure your higher level group that is allowed to access config mode with privilege level 15. Then turn on command authorization for privilege level 15 users. It is a good idea to create a local account with privilege level 15 as a backup in case there is a connection issue between CS and the devices.

aaa new-model

aaa authentication login default tacacs+ local

aaa authorization exec default tacacs+ local if-authenticated

aaa authorization commands 15 default tacacs+ local if-authenticated

username foo privilege 15 password bar

Since config is a privilege level 15 command by default, all groups without this privilege will not be allowed this command. The group you assign priv 15 to will be taken into config mode by default as part of exec authorization.

If your connection CSNT goes down or you receive an ERROR during negotiation for issues like a mismatched key, then you will go to the local account.

Community Member

Re: Deny access to Commands.

Thanks for the info.

After trying few things, I was still having problems... but was able to get all of it working...

If possible...

right now I have given ReadOnly users privilege 15, and under "Shell Command Authorization Set" I could only get it to work with "Per Group Command Authorization" and Permit "Unmatched Cisco IOS commands" then under command I put "configure" w/ unlisted arguments as Deny. I did the same for "Copy" and "write" now the users can't do "Config T" or "copy ..." or "write" commands....

What I want to do is put all of these commands in a group, and then apply them to this group.

Thanks again for all the help...

-Rajeev

206
Views
3
Helpful
2
Replies
CreatePlease to create content