Cisco Support Community
Community Member

How do I restrict a user to do only one command in a router?

ACS version 3.2 running on the ACS appliance. I want a user to be able to TACACS into a router and run 'reload' only. I've set this user up with these parameters:

1. Under 'Define max Privilege on a per network device group basis' I assign level 15 to a device group called Cisco-routers.

2. Then under TACACS+ Settings, 'Per Group Command Authorization' I click on these settings:

2a. 'Unmatched Cisco IOS commands' click DENY

2b. Click on 'Command'

2c. Type 'reload' in the command box

2d. There are no 'Arguments' and I click DENY on 'Unlisted arguments'

Well, the user can log into the router, get into Enable mode and do any command, not just the RELOAD command as specified.

What do I need to do to restrict this user in Enable mode to just issuing the RELOAD command?

5 REPLIES
Bronze

Re: How do I restrict a user to do only one command in a router?

Have you enabled command level aaa authorization on the router and applied it to the appropriate admin line(s)?

Community Member

Re: How do I restrict a user to do only one command in a router?

Here are my AAA commands in the router. Is this what you are asking? (I'm not sure what you mean by '...applied it to the appropriate admin line(s)?')

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login vty line
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+

Bronze

Re: How do I restrict a user to do only one command in a router?

It looks to me like you need an authorization config. Something like:

aaa authorization exec acs group acs local

and

aaa authorization commands 15 default group tacacs+ none
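Pulling that advice together, here is an added example of a complete router-side configuration for restricting a TACACS+ user to the commands ACS permits. It is not from the thread or from Cisco's documentation; the server address, the shared key and the vty range are placeholder assumptions.

```cisco
! Added example: router-side AAA so that ACS per-group command authorization
! (Unmatched commands: Deny, 'reload' permitted) is actually enforced.
! 192.0.2.10 and the key are placeholders, not values from the thread.
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key REPLACE-WITH-SHARED-SECRET
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! EXEC authorization lets ACS assign the privilege level on login.
aaa authorization exec default group tacacs+ local
!
! Command authorization must cover every level the user can reach.
! With only 'commands 15', level-1 commands (show, ping, telnet ...) are
! never sent to ACS and are always allowed.
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
! Configuration-mode commands are only checked when this is present.
aaa authorization config-commands
!
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Authorization is not applied to the console unless explicitly enabled;
! leaving it off keeps a local recovery path if ACS is unreachable.
no aaa authorization console
!
! The 'default' lists apply to vty lines automatically; named lists
! (such as the 'acs' list in the reply) must be referenced per line.
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 1 default
 authorization commands 15 default
 accounting commands 15 default
```

Two caveats follow from this. First, the trailing `none` in the reply's `aaa authorization commands 15 default group tacacs+ none` is a fail-open: if the TACACS+ server cannot be reached, every command is authorized with no check at all. Dropping it fails closed instead, which is why the console is kept outside authorization above. Second, once level-1 commands are authorized, the ACS command set for this group must also permit `enable` and `exit`/`logout` (in addition to `reload`), otherwise the user cannot reach Enable mode in the first place. Command-authorization accounting records on the ACS side are the place to confirm that denied commands are actually being refused.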

Community Member

Re: How do I restrict a user to do only one command in a router?

Thanks. Whatever these commands do, they did the trick. Do you have a good AAA configuration guide that would explain all the AAA commands?

Bronze

Re: How do I restrict a user to do only one command in a router?
