Cisco Support Community

New Member

problem - acs command authorization and web access control

Hi, I'm trying to add the control of some Aironet 1310 bridges with an ACS 3.2 (TACACS+). I wanted to be able to do telnet command authorization restrictions through shell command authorization sets and be able to give similar restrictive web access at the same time. I have it working if I permit some commands that are sent by the browser, such as "write memory quiet" and a few other ones, but for it to work, I must give those limited users privilege level 15, and by having the TACACS server authorizing the commands, it works for both HTTP and telnet. Where my problem begins is when I lose the connection with the ACS server: since the user is already authenticated as a level 15 user, the device becomes open to all commands; there is no more restriction applied by the ACS. Does anybody know a workaround?


Re: problem - acs command authorization and web access control


It seems that you have fallback set as if-authenticated. You need to change it to local:

ap(config)#aaa authorization commands 15 default group tacacs+ local

Hope that helps.



Note : If that answers your question, then please mark this thread as resolved, so that others can benefit from it.
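As an added illustration of the fallback being discussed (not configuration from this thread or from the poster), here is the weak if-authenticated fallback beside the local fallback, together with the local privilege-level settings that make a local fallback actually restrict anything; usernames and secrets are placeholders.

```cisco
! Added example, not from this thread: TACACS+ command authorization on a
! Cisco IOS device with the local database as fallback, plus local
! privilege-level restrictions so the fallback still limits a lower-privilege
! user. Usernames and secrets are placeholders.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Weak fallback: if the ACS is unreachable, any authenticated user may run
! every command (the if-authenticated behaviour the reply above points at).
! aaa authorization commands 15 default group tacacs+ if-authenticated
!
! Corrected fallback: authorize against the local privilege levels instead.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
!
! Local accounts used only while TACACS+ is down; the operator stays at level 5.
username netadmin privilege 15 secret PLACEHOLDER_ADMIN_SECRET
username radio-ops privilege 5 secret PLACEHOLDER_OPS_SECRET
!
! Move only the commands the level-5 operator needs down to level 5.
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 shutdown
!
! Have the web interface authenticate and authorize through the same AAA lists.
ip http authentication aaa
```

This does not change the situation described for the web interface: a session that the ACS has already placed at level 15 keeps that level when the server becomes unreachable, so the local fallback only constrains accounts whose local privilege is lower.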

New Member

Re: problem - acs command authorization and web access control

It is already at local; it is just that the user already has level 15 access, and I used to control the commands through level settings before. So when I try it, my user that is locally level 5 is already recognized as a level 15 user from when it was authenticated through the ACS. If I could find a way to give web access to the 1310 at priv level 5 and still control the command set, it would be OK, but as soon as I try to access a page that is not permitted in any way other than by the view level (I think it's level 1... or 0), I get a username/password prompt with that line on the top of it: "level_15_or_view_access", and the only way I can access it is by entering a level 15 username/password. I attached my 1310 aaa config

and here is the command set that works at level 15 to do a "shut" or "no shut" of the radio interface via the web interface:


permit terminal
permit Unmatched Args
permit Dot11Radio0
permit shutdown
permit cca
permit Unmatched Args
permit Unmatched Args
permit Unmatched Args
permit Unmatched Args
permit memory quiet

Thanks for the help !