topic need to allow single command by command set in Network Access Control

need to allow single command by command set

Harshad Patil — Mon, 11 Mar 2019 02:38:07 GMT

Hi,

I have ACS 5.1, I have created a user with privilege 15. I need to allow a single command buy command set.

I have configured command set. in command set setting i have unchecked "Permit any command that is not in the table below"

and added command as below.

Grant Command Argument

Permit clear counters

its allowing me to run clear counters,

good is its not allowing to show run and conf t commands

And problem is i can run reload command also even show interface commands

I just want to allow clear counters command only. Am i missing anything plz help.

need to allow single command by command set

Tarik Admani — Thu, 04 Oct 2012 16:47:21 GMT

Can you paste the show run | inc aaa, also can you post the results in the tacacs authenticaiton report, which shows which command set the user is being mapped. Please post a screenshot of the authorization profile. Then finally can you post a screenshot of the command set you configured.

Tarik Admani
*Please rate helpful posts*

need to allow single command by command set

Harshad Patil — Tue, 09 Oct 2012 11:59:25 GMT

Hie Tarik

Sorry for late reply

below is the aaa configuration i have done

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default enable

aaa authorization exec default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

There is a default configuration in authorization profile, I haven't changed any thing there.

I have attched the command set snap, Please find it.