Cisco Support Community

New Member

aaa Authorization commands

Hello, I am trying to configure ACS and my network devices to restrict the use of some commands for a group of users. I have another group (Networking group); this group has privilege level 15 and should be able to do everything. The group that I would like to restrict commands for has the name show-commands group.

I configured the following:

On ACS

- I defined a user that is a member of the group show-commands

- Under group TACACS+ Settings I checked Shell (exec) and Privilege level (5)

- Under Shell Command Authorization Set I checked <Assign a Shell Command Authorization Set for any network device>, and used an Authorization Set name <lehrling> that I had already configured in Shared Profile Components.

- Shell Command Authorization Set <lehrling> is configured as follows:

Name: lehrling

Unmatched Commands: - Deny is checked

- Permit unchecked

- Permit Unmatched Args unchecked

********************

- In the window on the left-hand side I put the following commands

Debug

- On the right-hand side I put deny all

***************

I repeated this for logout, ping and traceroute with nothing in the window on the right-hand side

- I also put show on the left-hand side and

permit ver

permit running-config

permit ip interface brief

on the right-hand side


On the router I configured the following

< aaa authorization commands 5 default group tacacs+>

I also tried to use the name of the Authorization Set <lehrling> instead of default in the command above.

For the user in the group show-commands, I see that the command mentioned above has no effect, and I can't notice the restrictions that I made.

What I would like to do is to restrict config terminal for a group, but this group should be able to use all other commands like Debug.

Thanks

1 REPLY
New Member

Re: aaa Authorization commands

We are using ACS 3.0 on Windows 2000.

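For reference, a router-side IOS configuration for TACACS+ command authorization of the kind this thread is about, showing how the per-level method lists relate to the privilege level and command set assigned on ACS. It is an added example, not configuration posted in the thread. The server address, shared key, local username and the list name CMD-AUTHZ are placeholders, and it assumes the default IOS privilege layout, in which exec commands sit at level 0, 1 or 15 unless moved with `privilege`.

```ios
! Added example. 192.0.2.10, <SHARED-KEY>, fallback-admin and CMD-AUTHZ
! are placeholders, not values from the thread.
aaa new-model
tacacs-server host 192.0.2.10 key <SHARED-KEY>
!
! Local fallback account so an unreachable ACS does not lock out the device.
username fallback-admin privilege 15 secret <LOCAL-SECRET>
!
aaa authentication login default group tacacs+ local
!
! Exec authorization is what applies the privilege level returned by the
! ACS group setting "Shell (exec)" / "Privilege level".
aaa authorization exec default group tacacs+ local
!
! Command authorization is enabled per privilege level. "commands 5" only
! sends commands that live at level 5 to ACS. With the default layout no
! command lives there: "show version" and "ping" are level 1, while
! "show running-config", "debug" and "configure terminal" are level 15.
! Each level whose commands should be checked needs its own method list.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Also send commands entered inside configuration mode to ACS.
aaa authorization config-commands
!
! The word after the level is a method-list name defined on the router.
! It is not the name of the ACS Shell Command Authorization Set. A list
! other than "default" has no effect until it is applied to a line:
aaa authorization commands 15 CMD-AUTHZ group tacacs+ local
line vty 0 4
 authorization commands 15 CMD-AUTHZ
!
! To see each authorization request and the PASS/FAIL reply from ACS
! while testing (exec mode, not configuration):
!   debug aaa authorization
!   debug tacacs
```

A user who is meant to run level-15 commands such as debug, with only a few denied by the ACS command set, has to reach level 15 on the router first; at level 5 those commands are rejected locally before any authorization request is sent.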