Cisco Support Community
Community Member

deny "configure terminal" with exec and acs3.1 tacacs

Hi,

I want to deny the "configure terminal" command for some of my users. How can I do that with ACS 3.1 and "aaa"?

Thanks

Ozlem

4 REPLIES
Community Member

Re: deny "configure terminal" with exec and acs3.1 tacacs

All you need to do is create a profile on your TACACS server for those users whom you want to deny. In that profile:

cmd = configure {
    deny "terminal"
}

Also make sure that you configure the routers/switches to do command-level authorisation, so that they look up the user on the TACACS server and deny that command as your TACACS server denies it.

For more information and reading, refer to this link.

http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_tech_note09186a0080107cfd.shtml

Community Member

Re: deny "configure terminal" with exec and acs3.1 tacacs

Hi,

I need to do a very similar thing on Windows ACS 3.6. I need users to be able to modify Ethernet interfaces (shut and unshut) but nothing else.

Any help appreciated.

Community Member

Re: deny "configure terminal" with exec and acs3.1 tacacs

You can do this. Just create a group called users or whatever you want.

In that configuration window, ensure that, except for the allowed commands, all others are denied.

Then, in the command box, add the following:

clear
configure
interface
shutdown
no

Now, for each corresponding command, just add the arguments you want to allow. For example, for the command clear, allow only counters, so that only clear counters will work and nothing else will.

Similarly, under configure, allow only terminal, so that only conf t works.

For interface, allow all unmatched arguments (select that). With this, a user can connect and change all interfaces such as Fast Ethernet, serial or giga; else you need to specify them to further restrict.

Finally, you need to allow the wr mem command to let them save the config, in case you want that; else leave that out as well :)
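
As an added example that is not part of the original thread or of Cisco's software: a simplified Python model of how the deny-list profile from the first reply and the allow-list group from the reply above would evaluate the same session. The rule format, the first-match regex semantics, the defaults for unmatched commands, the argument lists for shutdown, no and write, and the sample session are assumptions made for illustration.

```python
import re

# Constructed models of the two profiles in this thread (not ACS or tac_plus code).
# Format: command -> (ordered (action, arg_regex) rules, permit_unmatched_args)
DENY_CONF_T = {                       # first reply: deny only "configure terminal"
    "configure": ([("deny", r"terminal")], True),
}
INTERFACE_OPERATOR = {                # third reply: allow-list for interface work
    "clear":     ([("permit", r"counters")], False),
    "configure": ([("permit", r"terminal")], False),
    "interface": ([], True),          # "allow all unmatched arguments"
    "shutdown":  ([], True),          # assumption: reply gives no argument list
    "no":        ([("permit", r"shutdown")], False),   # assumption: "unshut" only
    "write":     ([("permit", r"memory")], False),     # optional "wr mem"
}

def authorize(line, command_set, permit_unmatched_commands):
    """Return True if the full (unabbreviated) command line is permitted."""
    tokens = line.split()
    if not tokens:
        return False
    cmd, args = tokens[0].lower(), " ".join(tokens[1:])
    if cmd not in command_set:
        return permit_unmatched_commands
    rules, permit_unmatched_args = command_set[cmd]
    for action, pattern in rules:
        # First rule whose regex matches the leading argument word(s) decides.
        if re.match(rf"(?:{pattern})(?:\s|$)", args, re.IGNORECASE):
            return action == "permit"
    return permit_unmatched_args

# Constructed sample session, commands written out in full.
SAMPLE_SESSION = [
    "show running-config", "clear counters", "clear line 1",
    "configure terminal", "configure network", "interface FastEthernet0/1",
    "shutdown", "no shutdown", "no ip address",
    "ip address 10.0.0.1 255.255.255.0", "write memory", "write erase",
]

def evaluate(session, command_set, permit_unmatched_commands):
    """Return (line, 'PERMIT' | 'DENY') for every line of the session."""
    return [(line, "PERMIT" if authorize(line, command_set, permit_unmatched_commands)
             else "DENY") for line in session]

if __name__ == "__main__":
    for name, cset, default in (("deny conf t", DENY_CONF_T, True),
                                ("interface operator", INTERFACE_OPERATOR, False)):
        print(f"--- {name} ---")
        for line, verdict in evaluate(SAMPLE_SESSION, cset, default):
            print(f"{verdict:6} {line}")
```

In this model the deny-list profile still permits configure network and every unlisted command, while the allow-list denies anything that was never listed, including ip address inside configuration mode.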

Community Member

Re: deny "configure terminal" with exec and acs3.1 tacacs

Hi,

Must there be any other settings for the user or group, like privilege level, in the sections

TACACS+ Enable Control or

TACACS+ Settings (shell (exec)?, what privilege level?)
