https://community.cisco.com/t5/network-access-control/couldn-t-get-command-set-working-on-acs5-3/m-p/2121712#M188753 <HTML><HEAD></HEAD><BODY><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/8/1/3/116318-aaa.jpg" class="jive-image" /></P><P></P><P></P><P>this is the command set:</P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/0/2/3/116320-command_set.jpg" class="jive-image" /></P><P></P><P></P><P>Authorization: the last one</P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/4/2/3/116324-authorization.jpg" class="jive-image" /></P><P></P><P>Authorization profile (shell profile):</P><P></P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/5/2/3/116325-shell_profile.jpg" class="jive-image" /></P><P></P><P></P><P></P><P>thanks,</P><P></P><P>Let me know if you need more info.</P></BODY></HTML> Thu, 29 Nov 2012 17:02:33 GMT kerim mohammed 2012-11-29T17:02:33Z https://community.cisco.com/t5/network-access-control/couldn-t-get-command-set-working-on-acs5-3/m-p/2121710#M188636 <P>Hi,</P><P></P><P>I configured, command set on ACS5.3 so that it allows to run the show command only. The corresponding shell profile is set to privelege level 15. I couldn't get it working. users are still able to run any command. how do i get this working.</P><P></P><P>Thanks,</P><P></P><P>Kerim</P> Mon, 11 Mar 2019 02:50:42 GMT https://community.cisco.com/t5/network-access-control/couldn-t-get-command-set-working-on-acs5-3/m-p/2121710#M188636 kerim mohammed 2019-03-11T02:50:42Z https://community.cisco.com/t5/network-access-control/couldn-t-get-command-set-working-on-acs5-3/m-p/2121711#M188718 <HTML><HEAD></HEAD><BODY><P>Hi there,</P><P></P><P>Which is your current AAA configuration in the client? Type "show runn | i aaa" and paste here the output. Also share with us a screenshot of your Command Set and Authorization rule.</P></BODY></HTML> Thu, 29 Nov 2012 16:03:28 GMT https://community.cisco.com/t5/network-access-control/couldn-t-get-command-set-working-on-acs5-3/m-p/2121711#M188718 mauzamor 2012-11-29T16:03:28Z https://community.cisco.com/t5/network-access-control/couldn-t-get-command-set-working-on-acs5-3/m-p/2121712#M188753 <HTML><HEAD></HEAD><BODY><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/8/1/3/116318-aaa.jpg" class="jive-image" /></P><P></P><P></P><P>this is the command set:</P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/0/2/3/116320-command_set.jpg" class="jive-image" /></P><P></P><P></P><P>Authorization: the last one</P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/4/2/3/116324-authorization.jpg" class="jive-image" /></P><P></P><P>Authorization profile (shell profile):</P><P></P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/5/2/3/116325-shell_profile.jpg" class="jive-image" /></P><P></P><P></P><P></P><P>thanks,</P><P></P><P>Let me know if you need more info.</P></BODY></HTML> Thu, 29 Nov 2012 17:02:33 GMT https://community.cisco.com/t5/network-access-control/couldn-t-get-command-set-working-on-acs5-3/m-p/2121712#M188753 kerim mohammed 2012-11-29T17:02:33Z https://community.cisco.com/t5/network-access-control/couldn-t-get-command-set-working-on-acs5-3/m-p/2121713#M188831 <HTML><HEAD></HEAD><BODY><P>You are missing the "authorization" commands.</P><P></P><P>For example depending on what you need to check with ACS you will have to use:</P><P></P><P>aaa authorization command 15 default group tacacs+ if-authenticated</P><P>aaa authorization command 1 default group tacacs+ if-authenticated</P><P>aaa authorization command 0 default group tacacs+ if-authenticated</P><P></P><P>The previous commands means that every time a user enters a command level 15/1/0 the client will check with the ACS if these commands are permitted or not.</P><P></P><P>Also, in the Command Set you don't need to use "*" in the Argument section, just "show" under the Command section.</P><P></P><P>Remember to have a back door configured, this will avoid you getting locked out, e.g. console access.</P><P></P><P>Let me know how it goes.</P></BODY></HTML> Thu, 29 Nov 2012 17:25:49 GMT https://community.cisco.com/t5/network-access-control/couldn-t-get-command-set-working-on-acs5-3/m-p/2121713#M188831 mauzamor 2012-11-29T17:25:49Z https://community.cisco.com/t5/network-access-control/couldn-t-get-command-set-working-on-acs5-3/m-p/2121714#M188930 <HTML><HEAD></HEAD><BODY><P>thanks! that took care of it.</P></BODY></HTML> Thu, 29 Nov 2012 18:19:50 GMT https://community.cisco.com/t5/network-access-control/couldn-t-get-command-set-working-on-acs5-3/m-p/2121714#M188930 kerim mohammed 2012-11-29T18:19:50Z https://community.cisco.com/t5/network-access-control/couldn-t-get-command-set-working-on-acs5-3/m-p/2121715#M189007 <HTML><HEAD></HEAD><BODY><P>Glad to hear the good news.</P><P></P><P>Have a nice day.</P></BODY></HTML> Thu, 29 Nov 2012 18:29:04 GMT https://community.cisco.com/t5/network-access-control/couldn-t-get-command-set-working-on-acs5-3/m-p/2121715#M189007 mauzamor 2012-11-29T18:29:04Z