Hello, I am trying to configure ACS and my network devices to restrict the use of some commands for a group of users. I have another group (Networking group); this group has privilege level 15 and should be able to do everything. The group that I would like to restrict commands for has the name show-commands group.
I configured the following:
On ACS
- I defined a user that is a member of the group show-commands
- Under group TACACS+ Settings I checked Shell (exec) and Privilege level (5)
- Under Shell Command Authorization Set I checked <Assign a Shell Command Authorization Set for any network device>, and used an Authorization Set name <lehrling> that I already configured in Shared Profile Components.
- Shell Command Authorization Set <lehrling> is configured as follows:
Name: lehrling
Unmatched Commands: Deny is checked
- Permit unchecked
- Permit Unmatched Args unchecked
********************
- In the window on the left-hand side I put the following command:
Debug
- On the right-hand side I put deny all
***************
I repeated this for logout, ping and traceroute with nothing in the window on the right-hand side.
- I also put show on the left-hand side and
permit ver
permit running-config
permit ip interface brief
on the right-hand side.
On the router I configured the following:
<aaa authorization commands 5 default group tacacs+>
I also tried to use the name of the Authorization Set <lehrling> instead of default in the command above.
For the user in the group show-commands, I see that the command mentioned above has no effect, and I can't notice the restrictions that I made.
What I would like to do is to restrict config terminal for a group, but this group should be able to use all other commands like Debug.
Thanks
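For reference, here is the router-side configuration that makes IOS actually send commands to the TACACS+ server for authorization. This is an added example, not configuration from the post above or from Cisco's documentation; the server address and shared key are placeholders. The point it illustrates is that IOS selects the `aaa authorization commands <level>` list by the privilege level of the command being typed, not by the user's EXEC level: `show ip interface brief` is a level-1 command, `configure terminal` and `debug` are level-15 commands, so a single `commands 5` line never catches them. The ACS set name (`lehrling`) is never referenced on the router; a name in that position creates a named method list that only takes effect when applied to the VTY lines.

```cisco
! Enable the AAA model and point the router at the TACACS+ server
! (192.0.2.10 and the key are placeholder values, not from the post)
aaa new-model
tacacs-server host 192.0.2.10 key TACACS_SHARED_KEY_PLACEHOLDER

! Authenticate logins against TACACS+, fall back to local only if the server is unreachable
aaa authentication login default group tacacs+ local

! Let ACS push the EXEC privilege level (5 for the show-commands group)
aaa authorization exec default group tacacs+ local

! Authorize commands at every privilege level the user can reach.
! Each line covers commands that live at that level, so level-1 "show"
! commands and level-15 "debug"/"configure" commands need their own entry.
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

! Also send commands typed inside configuration mode to the server
aaa authorization config-commands

! Record every command attempt so the ACS log shows what was tried and denied
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

! If a named method list is used instead of "default", it must be bound to the lines:
! aaa authorization commands 15 lehrling group tacacs+ local
! line vty 0 4
!  authorization commands 15 lehrling
```

Because `configure terminal` and `debug` are both level-15 commands, the cleanest way to deny the former while allowing the latter is to give the restricted group privilege level 15 in ACS and let the Shell Command Authorization Set (Unmatched Commands: Deny, with an explicit permit entry for `debug` and no entry for `configure`) do the filtering per command. To confirm the router is consulting the server, `debug aaa authorization` and `debug tacacs` show each command request and the PASS/FAIL reply, and `show privilege` shows the level ACS assigned to the session.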