
AAA authorization commands

giaaaj
Level 1

Hello, I am trying to configure ACS and my network devices to restrict the use of some commands for a group of users. I have another group (Networking group); this group has privilege level 15 and should be able to do everything. The group that I would like to restrict commands for has the name show-commands group.

I configured the following:

On ACS

- I defined a user that is a member of the group show-commands

- Under the group TACACS+ Settings I checked Shell (exec) and Privilege level (5)

- Under Shell Command Authorization Set I checked <Assign a Shell Command Authorization Set for any network device>, and used an Authorization Set named <lehrling> that I had already configured in shared profile components.

- Shell Command Authorization Set <lehrling> is configured as follows:

Name: lehrling

Unmatched Commands: - Deny is checked

- Permit unchecked

- Permit Unmatched Args unchecked

********************

- In the window on the left-hand side I put the following commands

Debug

- On the right-hand side I put deny all

***************

I repeated this for logout, ping and traceroute with nothing in the window on the right-hand side

- I also put show on the left-hand side and

permit ver

permit running-config

permit ip interface brief

on the right-hand side

On the router I configured the following:

<aaa authorization commands 5 default group tacacs+>

I also tried to use the name of the Authorization Set <lehrling> instead of default in the command above.

For the users in the group show-commands, I see that the command mentioned above has no effect, and I can't notice the restrictions that I made.

What I would like to do is to restrict config terminal for a group, but this group should be able to use all other commands like Debug.

Thanks

1 Reply

giaaaj
Level 1

We are using ACS 3.0 on Windows 2000.
