02-17-2003 10:17 PM - edited 03-10-2019 07:09 AM
I have an MSFC with the following configuration:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
I have an ACS v3.0 running on NT.
I have set up an advanced TACACS+ option in the ACS that can enable privilege for users. However, the user can still log in to the MSFC and issue the "enable" command.
Is there a better way on the ACS to deny a certain user from executing the "enable" command, so that he cannot go to enable mode even though he may have the secret password which is set in the MSFC?
Thanks
David
02-20-2003 01:49 PM
David
You can do command authorization and deny that command 'enable'.
So on the router you will have:
aaa authorization commands 0 default group tacacs+ local
On the ACS, for that user, under the command authorization, add the command as enable, with arguments 'deny .'. Make sure you also have unlisted arguments denied.
Once command authorization has been enabled on the router, every user will be checked for authorization. So for the other users, on the ACS box, make sure you have Unmatched Cisco IOS commands set to Permit and also Unlisted arguments set to Permit.
Make the changes on the ACS first and then add the config on the router.
Thanks
Nisha
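The evaluation order the answer relies on (listed command, then argument rules, then the "unlisted arguments" default, with "unmatched commands" covering everything else) can be checked offline. The following is an added example, not code from the post or from Cisco ACS: a small Python model of a shell command-authorization set. The class names, the `authorize` method, and the assumption that ACS matches the command name exactly and runs each argument rule as a regex search over the argument string are all constructed for illustration; the three command sets encode the configurations the answer describes, plus the misconfiguration it warns against (unlisted arguments left at Permit).

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed model of one command entry in an ACS command-authorization set.
# arg_rules are evaluated in order; the first regex that matches the argument
# string decides. If none match, unlisted_args applies. (Assumption for the model.)
@dataclass
class CommandRule:
    command: str
    arg_rules: List[Tuple[str, str]]   # (decision, regex), e.g. ("deny", ".")
    unlisted_args: str = "deny"        # "permit" or "deny"


# Constructed model of a per-user command-authorization set.
@dataclass
class CommandSet:
    rules: List[CommandRule] = field(default_factory=list)
    unmatched_commands: str = "deny"   # decision for commands not listed at all

    def authorize(self, line: str) -> str:
        """Return "permit" or "deny" for one command line as the device would send it."""
        parts = line.strip().split(None, 1)
        if not parts:
            return "permit"            # nothing to authorize on an empty line
        cmd = parts[0]
        args = parts[1] if len(parts) > 1 else ""
        for rule in self.rules:
            if rule.command != cmd:    # assumption: exact command-name match
                continue
            for decision, pattern in rule.arg_rules:
                if re.search(pattern, args):
                    return decision
            return rule.unlisted_args  # no argument rule matched
        return self.unmatched_commands # command not listed in this set


# The restricted user from the answer: "enable" listed with argument rule
# "deny .", unlisted arguments denied, unmatched commands permitted so that
# ordinary commands still work.
RESTRICTED_USER = CommandSet(
    rules=[CommandRule("enable", [("deny", ".")], unlisted_args="deny")],
    unmatched_commands="permit",
)

# Every other user: no commands listed, unmatched commands permitted.
OTHER_USERS = CommandSet(rules=[], unmatched_commands="permit")

# The pitfall the answer warns about: same rule, but unlisted arguments left
# at Permit. A bare "enable" carries no argument string, "." never matches the
# empty string, so the unlisted-arguments default decides and lets it through.
MISCONFIGURED = CommandSet(
    rules=[CommandRule("enable", [("deny", ".")], unlisted_args="permit")],
    unmatched_commands="permit",
)


def decisions(command_set: CommandSet, lines: List[str]) -> List[str]:
    """Authorize each constructed command line against one set."""
    return [command_set.authorize(line) for line in lines]


if __name__ == "__main__":
    sample = ["enable", "enable 15", "show version"]   # constructed input
    for name, cs in [("restricted", RESTRICTED_USER),
                     ("others", OTHER_USERS),
                     ("misconfigured", MISCONFIGURED)]:
        for line, result in zip(sample, decisions(cs, sample)):
            print(f"{name:14s} {line:14s} -> {result}")
```

Running the block shows why the answer insists on denying unlisted arguments: with the rule alone, "enable 15" is denied but a bare "enable" is permitted, and the user still reaches privileged mode.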