problem with command authorisation with acs

sebastan_bach
Level 4

R1

I have not posted the local AAA config. I am using ACS server 3.3 trial version.

aaa authentication login cisco group tacacs+
aaa authorization exec cisco group tacacs+
aaa authorization commands 10 cisco group tacacs+

line vty 0 4
 login authentication cisco
 authorization exec cisco
 authorization commands 10 cisco

On the ACS server I have created user cisco:

x Shell
  Privilege level = 10
x Per user command authorization
  Unmatched Cisco IOS commands: deny
x Command: show
  Arguments: permit running-config
  Unlisted arguments: deny

When this user logs in to the router, he gets authenticated and authorized at privilege level 10,

but he cannot issue the command show running-config. Is this because I am using a trial version? I am not sure about it.

I am also not able to move commands to higher privilege levels.

I created another user with privilege level 14 named john:

x Shell
  Privilege level = 14
x Per user command authorization
  Unmatched Cisco IOS commands: deny
x Command: ping
  Arguments:
  Unlisted arguments: deny

With this, the ping command should not be available to the level 10 user, but it is. The level 10 user is still able to issue the command.

Can anyone please help me with this configuration?

sebastan

2 Replies

vkapoor5
Level 5

This is happening because by default, all commands are either in level 1 or level 15. The "show runn" command is at level 15 by default. So, if the user is at level 10, he will not be able to execute the "sh runn" command. You need to move the "sh runn" command from existing level 15 to level 10 using the "privilege exec" command.

Hi, thanks. Yeah, I tried that but it still isn't working. Someone told me that in ACS command authorization will not work for privilege level commands, that we cannot move the level 1 commands from one user to the other. Say I have 2 users, one at level 5 and the other at level 7. The ping command is available for both users. So if I move the command from level 5 to level 7, then this command should only be available to the level 7 user. Still, level 5 users can execute the ping command. I hope you understand the problem I am facing here. I can achieve this from local command authorization on the router but not with the ACS server. Waiting for your reply.

sebastan
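To make the behaviour discussed in this thread concrete, here is an added, simplified model of how IOS privilege levels and per-level TACACS+ command authorization interact with an ACS shell command authorization set. It is an illustration written for this page, not Cisco or ACS code: the table of default IOS command levels is a constructed subset, ACS argument matching is reduced to exact matching of the argument string, and the `aaa authorization commands 1` line in the fixed configuration is an assumption about what would be needed to send level-1 commands such as ping to the server, not something stated in the thread. The model shows that with only `aaa authorization commands 10` configured, a level-1 command like ping is executed without any request to ACS, while `show running-config` (level 15 by default) is refused by the parser before authorization is ever consulted; after `privilege exec level 10 show running-config`, the command is sent to ACS and the per-command argument rule decides.

```python
"""Simplified model of IOS privilege levels + per-level TACACS+ command
authorization against an ACS 3.x style shell command authorization set.

Added illustration for this thread; not Cisco or ACS code. Default command
levels are a constructed subset and ACS argument matching is simplified.
"""
import re
from dataclasses import dataclass, field

# Constructed subset of IOS default command privilege levels: most exec
# commands are level 1; show running-config and configure terminal are 15.
DEFAULT_LEVELS = {
    "show running-config": 15,
    "configure terminal": 15,
    "show version": 1,
    "ping": 1,
}

AAA_CMDS_RE = re.compile(r"^aaa authorization commands (\d+) \S+ group tacacs\+$")
PRIV_EXEC_RE = re.compile(r"^privilege exec level (\d+) (.+)$")


@dataclass
class RouterAaa:
    """Router-side view derived from an IOS configuration fragment."""
    tacacs_levels: set = field(default_factory=set)   # levels with 'aaa authorization commands N'
    levels: dict = field(default_factory=lambda: dict(DEFAULT_LEVELS))

    @classmethod
    def from_config(cls, config: str) -> "RouterAaa":
        router = cls()
        for raw in config.splitlines():
            line = " ".join(raw.split())          # collapse indentation and extra spaces
            if m := AAA_CMDS_RE.match(line):
                router.tacacs_levels.add(int(m.group(1)))
            elif m := PRIV_EXEC_RE.match(line):
                router.levels[m.group(2)] = int(m.group(1))   # move command to that level
        return router

    def command_level(self, command: str) -> int:
        """Longest matching prefix wins, e.g. 'show running-config' before 'show'."""
        words = command.split()
        for n in range(len(words), 0, -1):
            key = " ".join(words[:n])
            if key in self.levels:
                return self.levels[key]
        return 1                                  # unknown commands default to level 1 here


@dataclass
class AcsCommand:
    """One 'Command' entry of an ACS shell command authorization set."""
    permit_args: list = field(default_factory=list)
    deny_args: list = field(default_factory=list)
    unlisted_args: str = "deny"                   # 'Unlisted arguments: permit|deny'


@dataclass
class AcsCommandSet:
    """Per-user command authorization as set up in the ACS GUI."""
    unmatched: str = "deny"                       # 'Unmatched Cisco IOS commands: permit|deny'
    commands: dict = field(default_factory=dict)

    def authorize(self, command: str) -> bool:
        # TACACS+ carries the first word as cmd and the remainder as cmd-arg.
        cmd, _, args = command.partition(" ")
        rule = self.commands.get(cmd)
        if rule is None:
            return self.unmatched == "permit"
        args = " ".join(args.split())
        if args in rule.deny_args:
            return False
        if args in rule.permit_args:
            return True
        return rule.unlisted_args == "permit"


def attempt(user_level: int, command: str, router: RouterAaa, acs: AcsCommandSet) -> str:
    """Where the command is decided: PARSER_REJECT, LOCAL, ACS_PERMIT or ACS_DENY."""
    level = router.command_level(command)
    if level > user_level:
        return "PARSER_REJECT"    # the parser never offers the command at this privilege level
    if level not in router.tacacs_levels:
        return "LOCAL"            # no 'aaa authorization commands <level>': ACS is never asked
    return "ACS_PERMIT" if acs.authorize(command) else "ACS_DENY"


# Constructed configs: the one in the question, and the same router with the
# 'privilege exec' fix plus level-1 command authorization (an assumption).
POSTED_CONFIG = """
aaa authentication login cisco group tacacs+
aaa authorization exec cisco group tacacs+
aaa authorization commands 10 cisco group tacacs+
"""
FIXED_CONFIG = POSTED_CONFIG + """
aaa authorization commands 1 cisco group tacacs+
privilege exec level 10 show running-config
"""

# ACS set for user 'cisco' as described in the question.
CISCO_SET = AcsCommandSet(unmatched="deny", commands={
    "show": AcsCommand(permit_args=["running-config"], unlisted_args="deny"),
})


def demo() -> dict:
    posted = RouterAaa.from_config(POSTED_CONFIG)
    fixed = RouterAaa.from_config(FIXED_CONFIG)
    return {
        "posted show run": attempt(10, "show running-config", posted, CISCO_SET),
        "posted ping": attempt(10, "ping 10.0.0.1", posted, CISCO_SET),
        "fixed show run": attempt(10, "show running-config", fixed, CISCO_SET),
        "fixed show ver": attempt(10, "show version", fixed, CISCO_SET),
        "fixed ping": attempt(10, "ping 10.0.0.1", fixed, CISCO_SET),
        "fixed conf t": attempt(10, "configure terminal", fixed, CISCO_SET),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} -> {outcome}")
```

Running `demo()` reproduces the two symptoms from the question under the posted configuration (show running-config rejected by the parser, ping running without consulting ACS) and shows that, under the fixed configuration, every command at an authorized level goes to the server where the per-user command set decides.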
