01-04-2007 02:32 AM
Hi,
We have TACACS enabled in our routers. I wanted to restrict user access to only particular commands. I am providing those commands below.
Router#term len 0
Router#sh clock
Router#sh ip int br
Router#sh env all
Router#sh int s0/0
Router#sh int s0/1
Router#ping 10.30.250.137
Router#conf t
Router(config)#int se0/0
Router(config-if)#no backup int br0/0
Router#exit
Router#isdn call int bri 0/0 22861600
Router#sh isdn a
Router#sh isdn status
Router(config)#int se0/0
Router(config-if)#backup int bri0/0
Router#sh int bri0/0
Router#sh run
Nothing more than these commands should be allowed for configuration. Can someone advise me on the required configuration on the router as well as Cisco ACS?
Regards
SKRAO
01-05-2007 01:22 AM
Hi SKRAO
Please, take a look at this link:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800946a3.shtml#testfile
Hope this helps
01-05-2007 01:45 AM
I have done this before on ACS. You need to do the following:
Set up a "Shell Command Authorization Set", which is under shared components. You will need to add the commands you want to permit, then select the "deny unmatched arguments" box. When this is set up, you need to link it to the required ACS group.
This set is linked under the group under the "Shell Command Authorization Set" section.
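Router-side configuration to go with the ACS steps above, as an added example that is not part of the original thread: it makes IOS send each command to TACACS+ for authorization, so that the command set on ACS is what decides. The server address `192.0.2.10`, the shared secret and the local fallback account are constructed placeholders, and the sketch assumes the ACS group assigns privilege level 15 so that `conf t` is reachable at all.

```cisco
! Added example: constructed values, adapt before use.
aaa new-model
!
! TACACS+ server (documentation address and placeholder key).
tacacs-server host 192.0.2.10 key <shared-secret>
!
! Local account used only when no TACACS+ server responds.
username <local-admin> privilege 15 secret <local-password>
!
! Authenticate logins against TACACS+, then the local database.
aaa authentication login default group tacacs+ local
!
! Let the server assign the exec privilege level for the session.
aaa authorization exec default group tacacs+ local
!
! Send level 1 commands (show, ping, terminal ...) and level 15
! commands (configure, show running-config ...) for authorization.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Authorize commands typed in configuration mode as well
! (interface, backup interface ...). Stated explicitly so that a
! leftover "no aaa authorization config-commands" cannot leave
! configuration mode unrestricted.
aaa authorization config-commands
```

IOS expands abbreviations before asking the server, so `sh ip int br` arrives as `show ip interface brief`; enter the full forms in the command set. Keep an already authorized session open while testing, since a mistake in the command set can lock out new logins.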