Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Need to restrict certain commands for TACACS+ users

I have a tacacs+ server and i need to create a group where a user can only work on the interface paramaters and deny other commands. For example i dont want the user to use "sh run" or "sh start" but can use the "sh interface" command.

And also allow him to issue "conf t" ,command ,but need to restrict only to the interface and deny any thing else.

Can you send me some examples with this.

One more thing should i create two groups one for CATOS and IOS or can i club both commands in a single group


Re: Need to restrict certain commands for TACACS+ users


I feel you are looking something inline with different privilege levels for different set of users.

In which you have the advantage of assisigning different command executing acess to different privilege levels..

AFAIK issuing config level commands and issuing show run can only work in EXEC Privilege level which is 15 in other mode i dont think you can give access to work with the configurations.But you can very well give the permissions to view the configs and clear the counters to the privilege levels..

do find this link for more info on the same..


Community Member

Re: Need to restrict certain commands for TACACS+ users

thanks for the links,

but i cant see any example which will allow me to create my own group with permit and deny commands for pri level of 15.

All i want is , one group can change the interface settings and should have the ability to save the config. But they should not be able to issue a sh run or any other command other than the allowed in the list.

I will appriciate if some one can give me some examples. The current one which i have allows a user to issue a sh conf command in a CATOS system even though my configuraton on the tacacs server denies that and also its not allowing the user to issue a conf t command, it denies saying command authorisation failed.

I'm sure it should be the configuration .Dont know where i'm doing wrong :(

Community Member

Re: Need to restrict certain commands for TACACS+ users

You can use a single group for the users - reason being here is that a user can only inherit from a single group. I personally would stay away from apply commands under the user profile - rther the group.

In the group under the section "Shell Command Authorization Set" choose "Per Group Command Authorization" and choose deny for unmatched commands.

What you then have to do is check the box next to command and enter configure. Under arguments enter permit terminal.

The only problem is that you have to enter a command at a time and then submit and go back into the group and add the second time.

Community Member

Re: Need to restrict certain commands for TACACS+ users


i use the free TACACS+ server from cisco, all i use is a user file which contains the various groups in that file. I dont have a menu based system where i can add those commands, i have seen that in Cisco ACS but not here :(

The router or the switch reads information from that file only.

I dont know how to add these commands via the CLI in this file meaning i dont the exact syntax of adding these commands you mentioned.

I have one group which has a default permit any working fine,

the issue is with this group only where some commands work which i dont want to work and some dont work which i want to work :(

I will appriciate a example with the syntax.

For example my files shows like this

cmd = show { deny "config" }

cmd = show { deny "run" }

cmd = show { deny "start" }

cmd = show { permit ".*" }

cmd = enable { permit ".*" }

i dont whether is correct or not,but users logged into catOS are able to issue sh conf command :(

but at the same time users logged into IOS are not able to issue sh run or sh conf and denies them command authorisation failed.

This is what i want ,but one is allowed in catos and denied in IOS and hence i'm confused for the same user.

can you help me to fix this so that i dont want any user to issue sh conf in CATOS as well.

Also i want to limit the user in IOS to change the interface parameters only which is currently denied.

Also send me some links so that i can do some research on that.

CreatePlease to create content