09-12-2007 07:33 AM - edited 03-05-2019 06:26 PM
gentlemen,
I am helping out a colleague with our ACS (it was set up before both us came here) and we have noticed that some groups are assigned a shell command authorization set and other groups aren't. My question is as follows - If a group isn't assigned to an authorization set does that mean that the group can do any and all commands without restriction? I am assuming so, but have not been able to find any documentation that says so explicitly. Any help is appreciated. Thanks.
09-12-2007 09:35 AM
yes you are correct.
If a group is not assigned any shell auth set, and if the group shell privilege is configured as 15, then there is no restriction in their access
HTH
Narayan
09-12-2007 09:49 AM
Thanks. This helps a lot to clear up some confusion on the different groups.
09-12-2007 09:58 AM
Hopefully the link below provides the info you seek:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml
regards,
Leo
09-13-2007 04:29 AM
Hi,
If you have command authorization set on group 1 and not on group 2 then group 2 user will NOT be able to issue any command. It will fail.
So if that group is admin group then you need to set one more command autho set will radio set to permit. Once it is done you need to bind it with admin group.
Hope that helps
~JG
Please rate helpful posts
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: