Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

TACACS+ Levels of access ACS 3.1

I am using CiscoSecure ACS v3.1 and I have 200 switches and routers point to 2 ACS servers using TACACS+ to authenticate and grant management access to 3 network admins I want to limit access for some users to do all show commands and some interface level commands i.e. no shut... but not allow some commands i.e. shutdown and interface, or to do a reload... I have been told this is possible but I haven’t been able to do this yet.. Also all users use the same enable secret password witch is local to the switches/routers.


New Member

Re: TACACS+ Levels of access ACS 3.1

Please post this Q to the security section to get a faster response !

New Member

Re: TACACS+ Levels of access ACS 3.1


You can use the shared profile components to creat a shell command authorization set.

Example : you would like to restrict the use of debug all for a specific group:

1- Creat shell command authorization set

- under unmatched commands write debug and then

add command.

2- activate the radio buttom deny

3- check the box permit unmatched commands.

4- write deny all in the window underneeth the permit unmatched commands.

5- in the group setup section in acs where the restricted user should be, in the Shell Command Authorization Set choose the name of the set that u have created in 1.

on the Network device you should extend the aaa configuration with

"aaa authorization commands 15 default group tacacs+ none"

on the line vty configure the suitable Authirization command.



CreatePlease login to create content