Cisco Support Community

How to restrict user access to Exec shell in CSACS v5.1

Hi;

I am trying to give a user access to a single user mode command on a switch (show interfaces).  I want to deny him from entering Exec mode altogether.  The switch is configured as:

aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated

In CSACS v5.1 the user's shell profile has a default privilege of 1 and a maximum privilege of 1.  His command set permits show interfaces and I explicitly deny Show (no arguments) and Enable (no arguments).  In user mode everything works fine; the user can only execute Show Interfaces.  But, he is able to enter Enable to get to Exec mode, and when in exec mode he can enter any exec-level command (but user level commands are still restricted).

I thought just configuring his maximum privilege at 1 would have worked.  Can anyone help out?

Thanks!  Glenn

1 ACCEPTED SOLUTION

Accepted Solutions

Re: How to restrict user access to Exec shell in CSACS v5.1



Glenn,

You need to put this command


aaa authorization commands 15 default group tacacs+ if-authenticated


Otherwise the router will not check authorization from ACS. Commands that we issue in enable mode fall in priv 15, so that is why we need this command.




Regards,

~JG


Do rate helpful posts!
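An added example, not from the thread or from Cisco: a small audit that reads IOS AAA lines from a running-config and reports the gap the accepted answer describes (exec authorization configured, command authorization for privilege 1 but none for privilege 15). The sample config is constructed from the lines quoted in the question; the regexes and function names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the two lines quoted in the question, then the same
# config with the line from the accepted answer added.
CONFIG_BEFORE = """\
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
"""
CONFIG_AFTER = CONFIG_BEFORE + (
    "aaa authorization commands 15 default group tacacs+ if-authenticated\n"
)

# 'aaa authorization exec <list-name> <methods...>'
EXEC_RE = re.compile(r"^aaa authorization exec (\S+) (.+)$")
# 'aaa authorization commands <level> <list-name> <methods...>'
CMD_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")


def parse_authz(config: str) -> Tuple[Dict[str, str], Dict[int, str]]:
    """Collect exec method lists by list name and command method lists by privilege level."""
    exec_lists: Dict[str, str] = {}
    cmd_lists: Dict[int, str] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = EXEC_RE.match(line)
        if m:
            exec_lists[m.group(1)] = m.group(2)
            continue
        m = CMD_RE.match(line)
        if m:
            cmd_lists[int(m.group(1))] = m.group(3)
    return exec_lists, cmd_lists


def audit_command_authz(config: str, levels=(1, 15)) -> List[str]:
    """Return findings for each privilege level; an empty list means all levels are covered."""
    exec_lists, cmd_lists = parse_authz(config)
    findings: List[str] = []
    if not exec_lists:
        findings.append("no 'aaa authorization exec' line: shell access is not authorized via AAA")
    for lvl in levels:
        if lvl not in cmd_lists:
            # This is the case from the thread: commands typed at this level
            # are executed without ever being sent to the TACACS+ server.
            findings.append(f"privilege {lvl}: no 'aaa authorization commands {lvl}' line, "
                            "so commands at this level are never sent to ACS")
        elif "if-authenticated" in cmd_lists[lvl].split():
            # Informational: if-authenticated is a fallback used when TACACS+ does not answer.
            findings.append(f"privilege {lvl}: if-authenticated fallback permits commands "
                            "for any authenticated user when TACACS+ is unreachable")
    return findings
```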

2 REPLIES

Community Member

Re: How to restrict user access to Exec shell in CSACS v5.1

Jagdeep;

Thanks, that worked great!
