Cisco Support Community
New Member

Shell Command Authorization - Limit to single interface

Hi There,

I'm new to Shell Command Authorization and I'm not sure if I'm doing this right. I'd like to create an authorization set to limit a user so that they can only add and remove a single policy map to a specific interface.

However, I'm having trouble limiting them to a single interface (e.g. FastEthernet 0/0). Whatever I do they seem to be able to access ALL interfaces.

Here is the ACS 4.1 setup:

Unmatched Commands = DENY

configure=permit terminal

interface=permit FastEthernet 0/0

service-policy=permit input testpolicy

Permit Unmatched Args is also OFF (unticked).

Other commands are blocked OK.

Appreciate any help,

Thanks

1 REPLY
New Member

Re: Shell Command Authorization - Limit to single interface

Please run debug on the network device:

debug aaa authorization

debug tacacs authorization

This may give us a clue.
