I wonder if you guys can help with something I'm trying out.
We are using CiscoSecure 3.2. At the moment all users with ACS accounts have full access to the routers/switches once they have authenticated. But we have a group of users who could do some simple stuff for us (I'm thinking of allowing them to change speed/duplex and vlans on fe interfaces on edge switches.) But I would rather they didn't have full access for obvious reasons!
So I have created a Shell Command Authorisation Set with a command of show and an argument of permit version (I'll move on to the more complex commands once I've mastered this one!) and denied unmatched commands. Within the group to which my test user belongs I have assigned my command set.
I don't think I've gone too far wrong here. But, what config do I need to apply to the network devices? At the moment while I am able to authenticate with my test user they have full and complete access once authenticated.
You're close. "sho ver" is a level 1 command, not a level 15 (enable) command, so add the following:
aaa authorization commands 1 default group tacacs+
You have to do TACACS authentication cause there's no such thing as RADIUS command authorization.
Also, you don't reference your Command Set in the "aaa author" command on the device, it doesn't care what that name is cause it's ACS specific.
Also, what I've shown you above will enable command authorization for all users, so for users that you want to be able to do everything, add another Shell Command Authorisation Set onto the ACS server that permits everything, and apply it to the users with no restrictions.
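A fuller device-side configuration along the lines of the answer above, as an added example that is not part of the original thread. The server address 192.0.2.10 and the key are placeholders, and the `if-authenticated` fallback, the config-mode authorization and the accounting lines are assumptions about what the site wants rather than anything the posters specified.

```cisco
! Added example, not from the original thread.
! 192.0.2.10 and <SHARED-SECRET> are placeholders for the ACS server and its key.
aaa new-model
!
tacacs-server host 192.0.2.10 key <SHARED-SECRET>
!
! Authenticate logins against ACS; use local accounts only if ACS does not answer.
aaa authentication login default group tacacs+ local
!
! Let ACS decide whether the user gets a shell and at what privilege level.
aaa authorization exec default group tacacs+ if-authenticated
!
! Send every level 1 command (e.g. "show version") to ACS for a permit/deny decision.
aaa authorization commands 1 default group tacacs+ if-authenticated
!
! Do the same for level 15 commands, otherwise enable-mode commands go unchecked.
aaa authorization commands 15 default group tacacs+ if-authenticated
!
! Also authorize commands typed in configuration mode (speed, duplex,
! switchport ...). Without this line only the EXEC command that enters
! configuration mode is checked, not what is typed afterwards.
aaa authorization config-commands
!
! Assumption: keep an audit trail of what the restricted users actually run.
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
```

The `if-authenticated` fallback applies only when ACS cannot be reached, not when ACS returns a deny. Apply the authorization lines from a session you can afford to lose, after confirming that the unrestricted group already has its permit-everything command set assigned.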