
New Member

limit access-rights (using Cisco ACS)

Hi !

I'm trying to grant a user access to a system, but he should only be able to see the current "running-config".

Is it possible to achieve this using Cisco ACS (AAA)?



Cisco Employee

Re: limit access-rights (using Cisco ACS)

It depends; you have to do this using TACACS, as command authorization is not available in RADIUS. Also, once you set it up for one user, every other user is going to have to log in using an ACS/TACACS username on this server, and you'll have to modify their policy to allow all commands to be run by them.

On the router you'd do something like:

> aaa new-model

> aaa authentication login default group tacacs local

> aaa authorization exec default group tacacs none

> aaa authorization commands 15 default group tacacs none

Then on ACS, go under Interface Config - TACACS and check the box for User Shell (exec). Modify the user and under TACACS Settings check the Shell (exec) box, then under the Shell Command Authorization Set section, check the Per-User Command Authorization box, set Unmatched Commands to deny, check the Command box, put "show" in as the command (minus the quotes), put "permit running-config" in as the argument (minus the quotes), and deny Unlisted Arguments. Hit Submit and you should be good to go.

This user will be able to go into enable mode and then only type "sho run", nothing else.

For every other user, you need to create an ACS account for them. Put them all into a specific ACS group. For all of these users the default "Command Authorization" setting should be "as group" meaning use whatever the group parameter is set to. Modify the group that you put all these users into and under here check the "Shell (exec)" box and under the Per Group Command Authorization section, set Unmatched Commands to permit. This will allow all these users to run any command.
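To make the two policies in the reply concrete, here is an added example (not from the original thread or from Cisco) that models how an ACS-style shell command authorization set decides each command: a listed command is checked against its argument lines in order, a listed command with no matching argument line falls to the Unlisted Arguments setting, and a command with no entry at all falls to Unmatched Commands. It assumes the device hands the server the fully expanded command line (so "sho run" arrives as "show running-config") and that argument lines are matched as regular expressions.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """One 'Command' entry of a shell command authorization set."""
    command: str                                   # e.g. "show"
    arguments: list = field(default_factory=list)  # ordered ("permit"|"deny", regex) pairs
    unlisted_arguments: str = "deny"               # used when no argument line matches


@dataclass
class CommandAuthSet:
    rules: list
    unmatched_commands: str = "deny"               # used when no Command entry matches

    def authorize(self, cmd_line: str) -> str:
        """Return 'permit' or 'deny' for one fully expanded IOS command line."""
        words = cmd_line.split()
        if not words:
            return "deny"
        command, argument = words[0], " ".join(words[1:])
        for rule in self.rules:
            if rule.command != command:
                continue
            # First argument line that matches wins; none matching -> Unlisted Arguments.
            for action, pattern in rule.arguments:
                if re.search(pattern, argument):
                    return action
            return rule.unlisted_arguments
        return self.unmatched_commands


# The restricted user from the reply: Command "show", argument "permit running-config",
# Unlisted Arguments = deny, Unmatched Commands = deny.
RESTRICTED_USER = CommandAuthSet(
    rules=[CommandRule("show", [("permit", "running-config")], "deny")],
    unmatched_commands="deny",
)

# The group every other user is placed in: no Command entries, Unmatched Commands = permit.
EVERYONE_ELSE = CommandAuthSet(rules=[], unmatched_commands="permit")

if __name__ == "__main__":
    for cmd in ("show running-config", "show version", "configure terminal", "show"):
        print(f"{cmd!r:28} restricted={RESTRICTED_USER.authorize(cmd):6} "
              f"group={EVERYONE_ELSE.authorize(cmd)}")
```

Note that a bare "show" is also denied for the restricted user because the empty argument matches no argument line and Unlisted Arguments is deny.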