[pix command authorization]

Carlos A. Silva
Level 3

Hi:

I followed this link to a T and still I can't get this thing to work:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml

Of course, what I'm trying to achieve is to create either a group or a user (at this point I don't care which) that can only do show commands, and another set that can configure and above.

Does anybody know if there is a trick to this web page?

BTW, I'm using ACS 3.1 for Windows and PIX OS 6.2.2.

Any help would be greatly appreciated.

Regards,

c.

3 Replies

mhoda
Level 5

Hi,

The document is accurate! I have tested this feature and it works great. I would say the trickiest part is to define the command and arguments properly on ACS.

If you can provide the AAA portion of the config as well as the sequence of the commands and arguments you have defined, I can point you in the right direction.

Also, please ensure this; I saw many ignore this line:

3. Set Max Privilege for any AAA Client to Level 15, and choose the enable password scheme for the user (which could involve configuring a separate enable password) and click Submit.

Again, please provide the AAA portion of the config and the commands/args logic you have defined. Thanks,

Mynul

Hi, Mynul:

First of all, thanks!

- No, I did not miss setting the max privilege for the AAA client to level 15.

- The PIX configuration is (the relevant part):

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 172.16.10.5 cisco timeout 10
aaa authentication telnet console TACACS+
aaa authorization command TACACS+

- ACS config (will try to explain):

(All of this is on a user profile.)

* Under TACACS ENABLE CONTROL

Max privilege for any AAA client is checked and set to 15.

* Under TACACS ENABLE PASSWORD

This is checked and I used a different password.

* Under SHELL COMMAND AUTHORIZATION SET

Per-user command authorization is checked.

Unmatched Cisco IOS commands is checked on deny.

Then I have the same for 2 commands:

Command is checked.

The commands are 'enable' (unlisted arguments: permit is checked) and 'show' (unlisted arguments: permit is checked, and 'permit config').

I hope this was clear enough; if you want I can email captures of the screens. My email is carlos@mnet.com.mx.

Thanks a lot!

c.
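The two replies above turn on how ACS layers its per-user Shell Command Authorization Set: listed commands, each with permit/deny argument lines and an "unlisted arguments" policy, and an "unmatched commands" policy for anything not listed. The following is an added example, not code from the thread, from Cisco or from ACS: a small Python model of that evaluation order (an assumption, simplified from ACS behaviour; real ACS receives the command and its arguments as separate TACACS+ attributes and applies its own pattern rules). It builds the read-only set Carlos describes (enable and show permitted, unmatched commands denied) beside a constructed "configure and above" set, and shows the decision each command line would get. Command names, argument patterns and the set names are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class CommandRule:
    """One listed command, like the 'enable' or 'show' entries in the post."""
    command: str
    # Ordered (action, regex) pairs, modelling ACS's "permit <arg>" / "deny <arg>"
    # lines for this command. First match wins.
    args: List[Tuple[str, str]] = field(default_factory=list)
    # Policy for an argument string that matches no listed pattern
    # ("Unlisted arguments: permit/deny" in the ACS form).
    unlisted_args: str = "deny"


@dataclass
class CommandAuthSet:
    """A per-user shell command authorization set (simplified ACS model)."""
    rules: List[CommandRule]
    # Policy for a command that is not listed at all
    # ("Unmatched Cisco IOS commands: permit/deny" in the ACS form).
    unmatched_commands: str = "deny"

    def authorize(self, cmd_line: str) -> Tuple[str, str]:
        """Return (decision, reason) for one command line the PIX would send
        for command authorization."""
        parts = cmd_line.strip().split(None, 1)
        if not parts:
            return "deny", "empty command line"
        cmd = parts[0]
        arg_str = parts[1] if len(parts) > 1 else ""
        rule = next((r for r in self.rules if r.command == cmd), None)
        if rule is None:
            return (self.unmatched_commands,
                    f"{cmd!r} is not a listed command; "
                    f"unmatched commands = {self.unmatched_commands}")
        for action, pattern in rule.args:
            if re.search(pattern, arg_str):
                return action, f"{cmd!r} args {arg_str!r} matched {action} /{pattern}/"
        return (rule.unlisted_args,
                f"{cmd!r} args {arg_str!r} matched no listed pattern; "
                f"unlisted arguments = {rule.unlisted_args}")


# Read-only set modelled on the post: 'enable' and 'show' with unlisted
# arguments permitted, every other command denied.
READ_ONLY = CommandAuthSet(
    rules=[
        CommandRule("enable", unlisted_args="permit"),
        CommandRule("show", unlisted_args="permit"),
    ],
    unmatched_commands="deny",
)

# Constructed "configure and above" set: unmatched commands are permitted, but
# 'configure' is restricted to 'terminal' and 'write erase' is explicitly denied,
# showing that a listed deny line takes precedence over a permissive default.
CONFIG = CommandAuthSet(
    rules=[
        CommandRule("enable", unlisted_args="permit"),
        CommandRule("show", unlisted_args="permit"),
        CommandRule("configure", args=[("permit", r"^terminal$")], unlisted_args="deny"),
        CommandRule("write", args=[("deny", r"^erase$")], unlisted_args="permit"),
    ],
    unmatched_commands="permit",
)


def evaluate(auth_set: CommandAuthSet, commands: List[str]) -> List[Tuple[str, str]]:
    """Return (command, decision) pairs, one per command line, as a PIX session
    under this set would see the authorization replies."""
    return [(c, auth_set.authorize(c)[0]) for c in commands]


if __name__ == "__main__":
    # Constructed sample session: what a telnet user would type after logging in.
    session = ["enable", "show route", "show xlate", "configure terminal",
               "configure net", "write memory", "write erase", "clear xlate"]
    for name, auth_set in (("READ_ONLY", READ_ONLY), ("CONFIG", CONFIG)):
        print(f"--- {name} ---")
        for cmd in session:
            decision, reason = auth_set.authorize(cmd)
            print(f"{cmd:20s} {decision:6s} ({reason})")
```

Because "unmatched commands" is set to deny in the read-only set, every command the PIX submits for authorization has to be listed, including `enable`; a set that lists only `show` would stop the user at the enable prompt.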

Carlos,

Sent an e-mail for the screen captures! Please reply. Thanks,

Mynul