04-03-2006 06:01 PM - edited 02-21-2020 10:15 AM
R1
I have not posted the local AAA config. I am using ACS server 3.3 trial version.
aaa authentication login cisco group tacacs+
aaa authorization exec cisco group tacacs+
aaa authorization commands 10 cisco group tacacs+
line vty 0 4
 login authentication cisco
 authorization exec cisco
 authorization commands 10 cisco
On the ACS server I have created user cisco:
[x] Shell
    Privilege level = 10
[x] Per-user command authorization
    Unmatched Cisco IOS commands: deny
[x] Command: show
    Arguments: permit running-config
    Unlisted arguments: deny
When this user logs in to the router, he gets authenticated and authorized at privilege level 10, but he cannot issue the command show running-config. Is this because I am using a trial version? I am not sure about it.
I am also not able to move commands to higher privilege levels.
I created another user with privilege level 14, named john:
[x] Shell
    Privilege level = 14
[x] Per-user command authorization
    Unmatched Cisco IOS commands: deny
[x] Command: ping
    Arguments:
    Unlisted arguments: deny
With this, the ping command should not be available to the level 10 user, but it is. The level 10 user is still able to issue the command.
Can anyone please help me with this configuration.
sebastan
04-07-2006 08:37 AM
This is happening because by default, all commands are either in level 1 or level 15. The "show runn" command is at level 15 by default. So, if the user is at level 10, he will not be able to execute the "sh runn" command. You need to move the "sh runn" command from existing level 15 to level 10 using the "privilege exec" command.
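As an added illustration of the answer above (editor's example, not configuration posted by anyone in this thread), the router side of the fix. It assumes that "aaa new-model" and the tacacs-server definition are already in place, as the original poster says they are, and that the ACS command set from the first post stays as configured. Two points the answer relies on: the router only lets a user run commands that exist at or below his privilege level, so "show running-config" has to be lowered with "privilege exec" before ACS is ever asked about it; and "aaa authorization commands <level>" only sends authorization requests for commands that live at that level, so a list that names only level 10 never consults ACS about level-1 commands such as "ping".

```cisco
! Editor's example, not from the thread. Assumes "aaa new-model" and the
! tacacs-server host/key lines are already configured on R1.
!
! 1. Move "show running-config" from its default level 15 down to level 10.
!    Until this is done a level-10 user is refused by the router itself and
!    no TACACS+ command-authorization request is sent to ACS.
privilege exec level 10 show running-config
!
! 2. Request command authorization for every level the users can reach.
!    "commands 10" alone never asks ACS about "ping", which is a level-1
!    command, so add a "commands 1" list too (and one per extra level you
!    assign, such as 14 for user john).
aaa authentication login cisco group tacacs+
aaa authorization exec cisco group tacacs+
aaa authorization commands 1 cisco group tacacs+
aaa authorization commands 10 cisco group tacacs+
aaa authorization commands 14 cisco group tacacs+
!
! 3. Apply the same lists on the vty lines.
line vty 0 4
 login authentication cisco
 authorization exec cisco
 authorization commands 1 cisco
 authorization commands 10 cisco
 authorization commands 14 cisco
!
! 4. To see what the router actually sends to ACS for each command, from a
!    level-15 session on the router:
!    debug aaa authorization
!    debug tacacs
```

Once "show running-config" sits at level 10, the ACS per-user command set decides the outcome: "show running-config" is permitted by the listed argument, any other "show" argument is refused by "Unlisted arguments: deny", and commands not listed at all are refused by "Unmatched Cisco IOS commands: deny". Note that an ACS command set is evaluated per user, so a deny on user john does not restrict what user cisco can run.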
04-07-2006 07:53 PM
Hi, thanks. Yeah, I tried that but it still isn't working. Someone told me that in ACS command authorization will not work for privilege level commands, that we cannot move the level 1 commands from one user to the other. Say I have 2 users, one at level 5 and the other at level 7. The ping command is available for both users. So if I move the command from level 5 to level 7 then this command should only be available to the level 7 user. Still the level 5 user can execute the ping command. I hope you understand the problem I am facing here. I can achieve this with local command authorization on the router but not with the ACS server. Waiting for your reply.
sebastan