Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1524
Views
5
Helpful
5
Replies

How do I restrict a user to do only one command in a router?

jkeeffe
Level 2
Level 2

‎01-07-2004 12:56 PM - edited ‎03-10-2019 07:37 AM

ACS version 3.2 running on the ACS appliance. I want a user to be able to TACACS into a router and run 'reload' only. I've set this user up with these parameters

1. Under 'Define max Privilege on a per network device group basis' I assign level 15 to device group call Cisco-routers.

2. Then under TACACS+ Settings, 'Per Group Command Authorization' I click on these settings:

2a. 'Unmatched Cisco IOS commands' click DENY

2b. Click on 'Command'

2c Type 'reload' in command box

2d. There are no 'Arguments' and I click DENY on 'Unlisted arguments'

Well user can log into the router, get into Enable mode and do any command, not just the RELOAD cammand as specified.

What do I need to do to restrict this user in Enable mode to just issues the RELOAD command?

Labels:
0 Helpful
5 Replies 5

d.parks
Level 1
Level 1

‎01-07-2004 01:06 PM

Have you enabled command level aaa authorization on the router and applied it to the appropriate admin line(s)?

0 Helpful

jkeeffe
Level 2
Level 2
In response to d.parks

‎01-07-2004 01:13 PM

Here are my AAA commands in the router. Is this what you are asking? (I'm not sure what you mean by

'...applied it to the appropriate admin line(s)?'

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication login vty line

aaa authentication enable default group tacacs+ enable

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

0 Helpful

d.parks
Level 1
Level 1
In response to jkeeffe

‎01-07-2004 01:29 PM

It looks to me like you need an authorization config. Something like:

aaa authorization exec acs group acs local

and

aaa authorization commands 15 default group tacacs+ none

jkeeffe
Level 2
Level 2
In response to d.parks

‎01-07-2004 02:00 PM

Thanks. Whatever these commands do, they did the trick. Do you have a good AAA configuration guide that would explain all the AAA commands??

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents