Cisco Support Community
New Member

problem with command authorisation with acs

R1

I have not posted the local AAA config. I am using ACS server 3.3 trial version.

aaa authentication login cisco group tacacs+
aaa authorization exec cisco group tacacs+
aaa authorization commands 10 cisco group tacacs+
!
line vty 0 4
 login authentication cisco
 authorization exec cisco
 authorization commands 10 cisco

On the ACS server I have created user cisco:

x shell
  privilege level = 10

x per user command authorization
  unmatched Cisco IOS command: deny

x command
  show
  arguments: permit running-config
  unlisted argument: deny

When this user logs in to the router, he gets authenticated and authorised as privilege level 10,

but he cannot issue the command show running-config. Is this because I am using a trial version? I am not sure about it.

I am also not able to move commands to higher privilege levels.

I created another user with privilege level 14, named john:

x shell
  privilege level = 14

x per user command authorization
  unmatched Cisco IOS command: deny

x command
  ping
  arguments:
  unlisted argument: deny

With this, the ping command should not be available to the level 10 user, but it is. The level 10 user is still able to issue the command.

Can anyone please help me with this configuration?

sebastan

2 REPLIES
Bronze

Re: problem with command authorisation with acs

This is happening because by default, all commands are either in level 1 or level 15. The "show runn" command is at level 15 by default. So, if the user is at level 10, he will not be able to execute the "sh runn" command. You need to move the "sh runn" command from existing level 15 to level 10 using the "privilege exec" command.

New Member

Re: problem with command authorisation with acs

Hi, thanks. Yeah, I tried that but it still ain't working. Someone told me that in ACS command authorisation will not work for privilege level commands, that we cannot move the level 1 commands from one user to the other. Say I have 2 users, one at level 5 and the other at level 7. The ping command is available for both the users. So if I move the command from level 5 to level 7 then this command should only be available to the level 7 user. Still, level 5 users can execute the ping command. I hope you understand the problem I am facing here. I can achieve this from local command authorisation on the router but not with the ACS server. Waiting for your reply.

sebastan
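Putting the two replies together, here is an added IOS configuration example that is not part of either post and not the poster's own config. It assumes a placeholder TACACS+ server address (192.0.2.10) and shared secret, and keeps the method-list name "cisco" from the thread. It shows the two points a practitioner would check: the router's own privilege level check runs before any TACACS+ command authorization, so "show running-config" (level 15 by default) must be moved down with "privilege exec" before a level-10 user can even reach the ACS command set; and "aaa authorization commands <level>" only sends commands at that privilege level to the server, so with only "commands 10" configured a level-1 command such as "ping" is never authorized against ACS at all, which matches the behaviour described in the second post.

```cisco
! Added example, not from the original thread.
! Placeholders: TACACS+ server 192.0.2.10 and its shared secret.
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key ACS-SHARED-SECRET-PLACEHOLDER
!
aaa authentication login cisco group tacacs+ local
aaa authorization exec cisco group tacacs+ local
!
! Command authorization is evaluated per privilege level: only commands
! at the listed level are sent to ACS. "ping" is a level-1 command, so
! with only "commands 10" it is never sent to the server and the
! per-user deny on ACS is never consulted. Cover every level in use.
aaa authorization commands 1 cisco group tacacs+ local
aaa authorization commands 10 cisco group tacacs+ local
aaa authorization commands 15 cisco group tacacs+ local
!
! The router's privilege check runs before the TACACS+ request.
! "show running-config" is level 15 by default; a level-10 user never
! reaches the ACS command set unless the command is moved down first.
privilege exec level 10 show running-config
!
line vty 0 4
 login authentication cisco
 authorization exec cisco
 authorization commands 1 cisco
 authorization commands 10 cisco
 authorization commands 15 cisco
```

To confirm what the router actually does for a given user, log in as that user and run "show privilege" to see the level ACS returned, then watch "debug aaa authorization" and "debug tacacs" while issuing the command: if no TACACS+ request appears for "ping", the command's privilege level is not covered by an "aaa authorization commands" line. The "local" fallback keeps the vty usable if the ACS server is unreachable; note that whether ACS 3.3 can enforce per-user command sets at all is independent of the trial licence.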
