Hello, I am trying to configure ACS and my network devices to restrict the use of some commands for a group of users. I have another group (Networking group); this group has privilege level 15 and should be able to do everything. The group that I would like to restrict commands for has the name show-commands group.
I configured the following:
- I defined a user that is a member of the group show-commands.
- By group TACACS+ Settings I checked Shell (exec) and Privilege level (5).
- By Shell Command Authorization Set I checked <Assign a Shell Command Authorization Set for any network device>, and used an Authorization Set name <lehrling> that I already configured in Shared Profile Components.
- Shell Command Authorization Set <lehrling> is configured as follows:
  Name: lehrling
  Unmatched Commands:
  - Deny is checked
  - Permit unchecked
  - Permit Unmatched Args unchecked
- In the window on the left hand I put the following commands
- On the right hand I put deny all
I repeated this for logout, ping and traceroute with nothing in the window on the right hand.
- I also put show on the left hand and
  permit ip interface brief
  on the right hand.
On the router I configured the following:
<aaa authorization commands 5 default group tacacs+>
I also tried to use the name of the Authorization Set <lehrling> instead of default in the command above.
For the user in the group show-commands, I see that the command mentioned above has no effect, and I can't notice the restrictions that I made.
What I would like to do is to restrict config terminal for a group, but this group should be able to use all other commands like Debug.
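An example of the router-side AAA configuration that goes with the ACS setup described above, added here and not taken from the original post; the server address, server group name and secrets are assumptions. It goes beyond the single line in the post by covering the privilege levels at which the restricted commands are actually evaluated.

```cisco
! Added example, not from the original post: IOS AAA configuration for
! TACACS+ command authorization. Server address, group name and secrets
! are assumptions (placeholders).
aaa new-model
!
tacacs server ACS-SERVER
 address ipv4 192.0.2.10
 key SharedSecretPlaceholder
!
aaa group server tacacs+ ACS-GROUP
 server name ACS-SERVER
!
! Login and exec authorization: the exec step is what lets ACS push the
! privilege level (5) set under the show-commands group's TACACS+ settings.
aaa authentication login default group ACS-GROUP local
aaa authorization exec default group ACS-GROUP local
!
! Command authorization is evaluated against the privilege level of the
! command being entered, not the level of the user. "show ip interface
! brief", ping and traceroute are level-1 commands and "configure terminal"
! is a level-15 command, so a list for level 5 alone matches none of them.
! Cover the levels the commands live at; ACS still applies the per-group
! Shell Command Authorization Set to each request.
aaa authorization commands 1 default group ACS-GROUP local
aaa authorization commands 15 default group ACS-GROUP local
!
! Configuration-mode commands are authorized only while this is enabled.
! It is on by default once command authorization is configured; it is
! shown explicitly so a "no aaa authorization config-commands" is noticed.
aaa authorization config-commands
!
! Command accounting gives the ACS reports a record of every command the
! user tries, which is the quickest way to confirm that authorization
! requests are reaching the server at all.
aaa accounting commands 1 default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP
!
! Local fallback account so the device stays manageable if ACS is down.
username admin privilege 15 secret AdminSecretPlaceholder
```

The "default" method lists apply to all vty lines without further line configuration; with a named list (the <lehrling> variant tried in the post) the list must also be bound to the lines with "authorization commands <level> <list-name>", otherwise it is never used.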